Hackers hijack .arpa domain for phishing scams — hosting malicious websites and domains where no one can spot them
Attackers exploit IPv6 and hidden .arpa addresses to deliver phishing links
TechRadar News · By Efosa Udinmwen · published 2 March 2026
- Hackers are abusing .arpa domains to effectively hide phishing attacks
- Phishing emails mimic trusted brands to trick users into revealing credentials
- IPv6 address ranges give attackers control over malicious .arpa subdomains
A new type of phishing attack has been seen exploiting the .arpa domain, a part of the internet normally used for essential network functions rather than websites.
Unlike more familiar domains such as .com or .net, .arpa helps computers match IP addresses to domain names, a process called reverse DNS.
But new research from Infoblox Threat Intel claims attackers now use this space to host phishing pages while avoiding standard security checks.
Why abusing .arpa is a serious threat
“When we see attackers abusing .arpa, they’re weaponizing the very core of the internet,” said Dr. Renée Burton, VP of Infoblox Threat Intel.
She explained .arpa was never meant to host websites, so many security systems do not monitor it closely, and by using it to deliver malicious pages, attackers can bypass defenses that rely on known domain names or typical URL patterns.
The attack works with IPv6, the newest type of internet address. Cybercriminals gain control of a range of addresses and then configure them to point to servers hosting phishing pages.
In some cases, these addresses are managed through services such as Cloudflare, which hide the true location of the malicious content.
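As an added illustration for defenders (not code from Infoblox or TechRadar), the sketch below scans message text for links whose host sits under .arpa and, for ip6.arpa names, decodes the reverse-DNS nibble labels back into the IPv6 prefix they cover. The function names and the sample text are constructed for this example, and the sample uses the IPv6 documentation prefix 2001:db8::/32.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HEX = "0123456789abcdef"

def ip6_arpa_prefix(host):
    """Return the IPv6 prefix encoded by an ip6.arpa name, or None."""
    host = host.lower().rstrip(".")
    if not host.endswith(".ip6.arpa"):
        return None
    labels = host[: -len(".ip6.arpa")].split(".")
    nibbles = []
    # Reverse DNS stores nibbles least-significant first, so read from the
    # right and stop at the first label that is not a single hex digit.
    # (A one-character hex subdomain label is indistinguishable from a nibble.)
    for label in reversed(labels):
        if len(label) != 1 or label not in HEX:
            break
        nibbles.append(label)
    if not nibbles or len(nibbles) > 32:
        return None
    value = int("".join(nibbles).ljust(32, "0"), 16)
    return str(ipaddress.IPv6Network((value, 4 * len(nibbles))))

def find_arpa_urls(text):
    """List (url, host, decoded_prefix) for every link hosted under .arpa."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host == "arpa" or host.endswith(".arpa"):
            hits.append((url, host, ip6_arpa_prefix(host)))
    return hits

# Constructed sample message body, not taken from a real campaign.
SAMPLE = """
Your mailbox is full: https://portal.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa/login?id=1
Invoice: https://www.example.com/invoice
Legacy: http://1.2.0.192.in-addr.arpa/
"""

if __name__ == "__main__":
    for url, host, prefix in find_arpa_urls(SAMPLE):
        print(f"ALERT .arpa link: {url} (covers {prefix or 'n/a'})")
```

The decoded prefix gives an analyst the address range to look up and block, which the raw hostname does not show at a glance.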