1,435 Domains in 30 Days: How Fraud Actors Weaponized the 2026 Oil Shock

A Shock, Then a Surge

On February 28, 2026, U.S.–Israeli strikes on Iran triggered the closure of the Strait of Hormuz — cutting approximately 20% of global oil supply and producing the largest supply disruption in the history of the global oil market. Within days, governments worldwide began deploying emergency fuel subsidies, energy relief programs, strategic petroleum reserve releases, and rationing measures.

Within weeks, threat actors had turned every one of those programs into a lure.

Using continuous domain intelligence collection — daily ICANN CZDS zone file ingestion across 1,151+ gTLDs and real-time Certificate Transparency log monitoring — we identified 1,435 crisis-themed domains registered in the weeks following the outbreak of hostilities. These domains span energy crisis lures, government program impersonation, oil investment fraud, and Strait of Hormuz domain squatting. Infrastructure analysis reveals 143 shared IP addresses hosting multiple crisis-themed domains, 33 coordinated clusters of 3 or more co-hosted domains, and a clear temporal correlation between registration surges and specific crisis escalation events.

The pattern is predictable, detectable, and — with the right instrumentation — catchable within days of a triggering event, well before victims encounter the fraudulent sites.

The Crisis Timeline

To contextualize the domain registration data, the key milestones of the oil shock unfolded as follows:

Date	Event	Impact
Feb 28	U.S.–Israeli strikes on Iran begin	War outbreak
Mar 1–5	Iran closes Strait of Hormuz	~20% of global oil supply disrupted
Mar 12	IEA announces 400M barrel strategic reserve release; NZ petroleum release	Government relief actions begin
Mar 23	Trump postponement statement; FT reports major short positions	Financial market volatility
Mar 24	Philippines declares energy emergency	Regional crisis escalation
Mar 27	New Zealand fuel alert system announced	Consumer-facing crisis infrastructure
Late Mar	European travel advisories, airline shutdowns	Broader economic disruption

What makes this timeline significant to fraud analysis is what happens between the lines — the activation lag between government announcements and the domain registration spikes that follow them.

The Signal in the Noise

We queried a graph database of 74M+ domain nodes using index-backed prefix searches across 12 keyword categories covering oil, energy, fuel, Hormuz, subsidies, commodities, and related crisis terms. Each discovered domain was then enriched through DNS resolution, RDAP registration data, ASN/hosting attribution, and HTTP content fingerprinting.

Category	Keywords	Domains
Oil crisis / investment	`oil-*`	300
Energy crisis	`energy-*`	300
Fuel crisis	`fuel-*`	292
Strait of Hormuz	`hormuz`	189
Strategic reserves	`strategic-*`	100
SPR references	`spr-*`	100
Subsidy exploitation	`-subsidy`	49
Commodity scams	`commodity-*`	44
Crude trading	`crude-*`	30
Petrol crisis	`petrol-*`	29
Gas relief / credit	`gas-relief/subsid/credit/rebate`	4
Total (deduplicated)		1,435

Registration Surges Track Crisis Events

Domain registrations show a clear acceleration pattern correlated with the crisis timeline. The data tells a story about when fraud actors activate — and what triggers them.

Domain Registration Timeline

%%{init: {'theme': 'dark', 'themeVariables': {'xyChart': {'backgroundColor': '#111114', 'titleColor': '#e4e4e7', 'xAxisLabelColor': '#a1a1aa', 'yAxisLabelColor': '#a1a1aa', 'plotColorPalette': '#c0272d'}}}}%%
xychart-beta
    title "Crisis-Themed Domain Registrations by Week"
    x-axis ["W12 (Mar 16-22)", "W13 (Mar 23-29)", "W14 (Mar 30-Apr 5)", "W15 (Apr 6-9)"]
    y-axis "Domains Registered" 0 --> 900
    bar [93, 302, 846, 194]

March 29 was the single largest day with 300 domain registrations — immediately following the NZ fuel alert system announcement (Mar 27) and the Philippines energy emergency declaration (Mar 24). This 48–72 hour lag between government announcement and domain registration surge is consistent with threat actor operational tempo observed in previous crisis events.

Key Finding

Zero crisis-themed domains were registered in the first days after the Feb 28 war start, the Mar 1–5 Hormuz closure, or the Mar 12 IEA reserve release. Fraud actors were not responsive to military or geopolitical events — they activated once governments began announcing consumer-facing relief programs. The trigger is the subsidy, not the bomb.

33 Clusters: Coordinated Campaign Infrastructure

Of the 845 domains with DNS resolution data, infrastructure analysis revealed significant coordination. 143 IP addresses hosted 2 or more crisis-themed domains, and 33 distinct clusters of 3 or more co-hosted domains emerged from the data.

Cluster	Domains	IPs	Notable Domains
1	25	2	`energy-abundance.us`, `fuel-bar.com`, `hormuzsentinel.com`
2	23	2	`fuel-adverting.in`, `hormuzfoods.com`, `strategic-momentum.com`
3	22	2	`hormuzbypass.com`, `hormuzglobal.com`, `straitofhormuz.ai`
4	14	4	`commodity-ledger.com`, `hormuzaccess.com`, `strategic-thought.com`
5	14	1	`hormuz.it` (14 subdomains on 91.195.240.135)
6	13	3	`energy-revolution.tv`, `fuel-efficient-cars.co.uk`

The largest clusters (25 and 23 domains) resolve to paired IPs — a pattern consistent with DNS load balancing on dedicated hosting, suggesting centralized operators managing domain portfolios rather than independent opportunists.

Infrastructure Cluster Map

flowchart TB
    subgraph C1["Cluster 1 — 25 domains"]
        C1D1["energy-abundance.us"]
        C1D2["fuel-bar.com"]
        C1D3["hormuzsentinel.com"]
        C1D4["+ 22 more"]
    end
    subgraph C2["Cluster 2 — 23 domains"]
        C2D1["fuel-adverting.in"]
        C2D2["hormuzfoods.com"]
        C2D3["strategic-momentum.com"]
        C2D4["+ 20 more"]
    end
    subgraph C3["Cluster 3 — 22 domains"]
        C3D1["hormuzbypass.com"]
        C3D2["straitofhormuz.ai"]
        C3D3["hormuzglobal.com"]
        C3D4["+ 19 more"]
    end
    subgraph HOSTING["Shared Hosting Infrastructure"]
        IP1["AWS Global Accelerator
3.33.x.x / 13.248.x.x"]
        IP2["Squarespace
198.185.159.x"]
        IP3["Wix
185.230.63.x"]
        IP4["Suspicious
185.53.179.128"]
    end
    C1 --> IP1
    C2 --> IP1
    C3 --> IP2
    IP4 -->|"also hosts"| SMISHING["Smishing Triad
Infrastructure"]
    style C1 fill:#dc3545,color:#fff
    style C2 fill:#dc3545,color:#fff
    style C3 fill:#dc3545,color:#fff
    style HOSTING fill:#18181b,color:#e4e4e7
    style SMISHING fill:#fd7e14,color:#000,stroke:#fd7e14

Five Flavors of Fraud

The 1,435 domains fall into five distinct campaign typologies, each exploiting a different facet of the crisis.

Government Program Impersonation

The most immediately dangerous category — domains designed to intercept citizens seeking legitimate government relief:

petrol-subsidyapp.pk — Pakistan petrol subsidy application impersonation
gov.dwp-subsidy.shop — UK Department for Work and Pensions subsidy scam (confirmed on phishing lists)
usa-subsidy.org — US federal subsidy impersonation
energy-assistance-fr-en-4152298.world — French energy assistance scam (numbered variant suggests automated generation)
home-energy-assistance-2025.shop — US LIHEAP program impersonation
Cluster of 4 .click domains: low-income-energy-assistance-hub.click, low-incomehomeenergy-assistance-program.click, etc.

The geographic spread of government impersonation — Pakistan, UK, France, US, Brazil — indicates that these are not regional campaigns but globally coordinated operations tracking crisis response announcements across multiple government channels simultaneously.

Investment Fraud & Commodity Scams

Domains exploiting oil price volatility to lure retail investors into fake trading platforms:

oil-invest.work, oil-investing-*.click (numbered variants: 15917, 32905)
commodity-trading-app.pages.dev (hosted on Cloudflare Pages)
crude-profits.com, energy-trading-api.re100.io
nxt-energy-trading-platform.pages.dev

Crisis News & Domain Squatting

Opportunistic registration of crisis-related domain names for SEO exploitation, ad fraud, or future resale:

straitofhormuz.com, straitofhormuz.ai — geographic keyword squatting
hormuzsentinel.com, hormuz24.com — fake news/media portals
fuel-shortage.com — scarcity anxiety exploitation
petrol-shortage-uk-today-latest-news.pages.dev — clickbait SEO scam

Critical Infrastructure Targeting

Domains positioned to intercept energy sector communications through broker and strategic reserve impersonation:

energy-brokers.com, oil-brokerage.com — commodity broker impersonation
strategic-reserve.xyz, strategic-reserves.xyz — SPR impersonation

Sanctions Evasion Indicators

The most geopolitically charged category — domains potentially facilitating gray-market oil transactions to circumvent the Hormuz blockade:

hormuzbypass.com — explicitly references circumventing the blockade
transithormuz.com, transhormuz.com — transit/shipping themed
shiphormuz.com — shipping/logistics themed

Where They Live

Hosting infrastructure patterns reveal both the expected and the surprising.

TLD	Count	%	Assessment
.com	388	45.9%	Mainstream, higher registration cost
.dev	62	7.3%	Cloudflare Pages (`pages.dev` subdomains)
.net	56	6.6%	Standard
.ru	34	4.0%	Russian-registered
.de	29	3.4%	German
.uk	22	2.6%	UK-related crisis targeting
.org	21	2.5%	Trust-signal exploitation

Several hosting patterns stand out:

AWS Global Accelerator IPs (3.33.x.x, 13.248.x.x, 15.197.x.x, 76.223.x.x) host the largest clusters — likely GoDaddy/Route53 parked or redirect domains
Squarespace IPs (198.185.159.x, 198.49.23.x) host a 14-domain cluster
Wix IPs (185.230.63.x) host a 13-domain cluster
185.53.179.128 hosts both Hormuz-themed and energy-casino domains — infrastructure overlap across different fraud verticals

Platform Abuse

Cloudflare Pages (pages.dev) accounts for 7.3% of all crisis domains — the second-largest TLD category. Free hosting, instant deployment, and a trusted domain suffix make it ideal for crisis-exploitation campaigns that need to be operational within hours of a triggering event.

Crossover: Smishing Triad Infrastructure

One finding warrants particular attention. IP 185.53.179.128 appears in both the oil shock dataset (hosting Hormuz-themed and energy-casino domains) and in previous Smishing Triad research — shared between Darcula and Lighthouse phishing kits. This suggests that crisis-exploitation actors may share hosting infrastructure with established PhaaS (Phishing-as-a-Service) operations.

Whether this is a shared bulletproof hosting provider, direct operational overlap, or coincidence remains an open question. But the infrastructure fingerprint is there — and it connects this crisis-exploitation dataset to our earlier research on the Lighthouse smishing syndicate.

FLAME Taxonomy Mapping

The discovered campaigns map to multiple existing threat paths in the FLAME (Fraud Lifecycle Analysis and Mitigation Exchange) taxonomy:

FLAME Threat Path	Applicable Campaigns
TP-0067: AiTM Phishing Kit Infrastructure	Government impersonation phishing sites
TP-0084: Government Impersonation App Fraud	Subsidy app impersonation (`petrol-subsidyapp.pk`)
TP-0083: Investment Club Scam	Oil/commodity investment fraud
TP-0076: Affiliate Network Fraud	SEO/clickbait crisis news sites

A new crisis-exploitation threat path could be proposed for FLAME to specifically model the pattern of crisis-triggered domain registration → government program impersonation → credential/payment harvesting.

Detection Recommendations

For Domain Registrars

Monitor for bulk registration of crisis-themed keywords within 72 hours of major government program announcements
Flag registrations combining government agency names with crisis keywords (e.g., gov-*-subsidy, dwp-*-relief)

For Enterprise Security Teams

Block NRDs (Newly Registered Domains) for the first 30 days — this would have intercepted 100% of the crisis-exploitation domains in this dataset
Add domain intelligence IOC feeds to DNS/proxy blocklists
Monitor for employee interactions with domains matching *-subsidy*, *-relief*, *fuel-crisis* patterns

For Threat Intelligence Teams

Deploy keyword-based domain monitoring for crisis-relevant terms within 48 hours of major geopolitical events
Use infrastructure clustering (shared IP/registrar/NS analysis) to escalate individual suspicious domains to campaign-level investigations
Cross-reference new crisis domains against known BPH/PhaaS infrastructure to identify threat actor reuse

Indicators of Compromise

High-Confidence Fraud Domains (confirmed or phishing-listed)

UK Gov Impersonation	gov.dwp-subsidy.shop
Pakistan Subsidy	petrol-subsidyapp.pk
US Subsidy	usa-subsidy.org
French Energy Scam	energy-assistance-fr-en-4152298.world
Oil Crisis Phishing	oil-crisis.beta-mail.com
US LIHEAP	home-energy-assistance-2025.shop
UK Fuel Clickbait	petrol-shortage-uk-today-latest-news.pages.dev
Subsidy Checker	youth-subsidy-checker.pages.dev
Brazil Subsidy	brazil-subsidy.trafinium-connect.com
Crisis Anxiety	fuel-shortage.com

Suspicious Investment / Commodity Domains

Investment Fraud	oil-invest.work
Trading Scam	commodity-trading-app.pages.dev
Numbered Scam	oil-investing-32905.click
Trading Platform	nxt-energy-trading-platform.pages.dev
Trading Assistant	energy-trade-assistant.com

Hormuz Domain Squatting (selected)

Geographic Squat	straitofhormuz.ai
Blockade Theme	hormuzblock.com
News Portal	hormuz24.com
News Portal	hormuzsentinel.com
Sanctions Evasion	hormuzbypass.com

What This Means

The 2026 Iran War oil shock provides a clean case study of crisis-exploitation fraud infrastructure. The patterns are clear and repeatable:

48–72 hour activation lag — fraud actors respond not to the crisis itself, but to government relief announcements. The trigger is the subsidy program, not the geopolitical event.
Automated generation at scale — numbered domain suffixes and keyword combinations indicate tooling, not manual registration.
Infrastructure reuse — crisis domains share hosting with established fraud operations, including Smishing Triad PhaaS infrastructure.
Geographic targeting — country-specific subsidy impersonation campaigns (Pakistan, UK, Brazil, France, US) activated within days of local government announcements.
Platform abuse — Cloudflare Pages (pages.dev) used for rapid, free hosting of scam content, accounting for 7.3% of all crisis domains.

Continuous domain intelligence monitoring identified these campaigns within days of the triggering events — demonstrating that the window between "crisis announced" and "fraud domains live" is narrow but not zero. Organizations monitoring NRDs against crisis-relevant keywords would have been able to block these domains before they reached end users.

The FLAME fraud taxonomy used in this research is available open-source on GitHub.

References

ICANN Centralized Zone Data Service (CZDS) — zone file data across 1,151+ gTLDs.
Certificate Transparency Logs — real-time monitoring via CertStream.
OpenPhish, PhishingDB, URLhaus — public phishing feed cross-reference validation.
FLAME (Fraud Lifecycle Analysis and Mitigation Exchange) — fraud taxonomy framework. GitHub: crimsonvector/flame.
IEA Strategic Reserve Release Announcement — March 12, 2026.
Philippines Energy Emergency Declaration — March 24, 2026.
New Zealand Fuel Alert System — March 27, 2026.
CrimsonVector, "From Lighthouse to Landfall" — Smishing Triad infrastructure cross-reference.