Tariff exploitation scams: Executive summary
In the wake of the U.S. President Donald Trump’s tariff threats and subsequent announcements since taking office, economists have scrambled to analyze and assess the impact across industries. Meanwhile, cybercriminals have launched a wave of scam and hate campaigns leveraging the ripple effects of tariff interest and coverage. A significant surge totaling 301 domain registrations was seen in the first three months of 2025. Surprisingly, only one typosquat, ‘tarrif’, was identified, indicating the cybercriminals’ preference in taking a more direct approach to support the scams. In this report, we will cover several tactics used by malicious actors to take advantage of the confusion and uncertainty surrounding the tariff announcements.
Tariff-themed cybercrime: Domain analysis
PreCrime Labs, BforeAI’s threat research team, identified several domains covering a mix of pro-trade, anti-tariff, and other politically-charged narratives. Several domains aligning themselves with the current U.S. administration’s political discourse, include references to “Trump” and “USA tariffs”. Common registrars include Namecheap, GoDaddy, Dynadot, and Squarespace Domains LLC. A subset of domains suggests possible misinformation or influence operations, particularly those with emotionally charged language engineered to elicit a response resulting in a click.
Domain registrations originating in countries such as China, Iceland, the Netherlands, Italy, Thailand, Canada, and Japan suggest a possible wave of mutual retaliation, potentially impacting both European and Asian nations.
A sudden spike of registrations was seen between February 2 and March 8, 2025 across multiple registrars. The usage of multiple registrars suggests an effort to diversify risk and avoid easy takedowns.
Remarkably, one website originally registered in 2003, was recently updated to reflect the growing attention surrounding this news.
Registrar distribution
| Registrar | Number of Domains |
|---|---|
| GoDaddy | 76 |
| Namecheap | 52 |
| Dynadot | 19 |
| Squarespace Domains LLC | 15 |
| Cloudflare, Porkbun, Tucows, and other smaller registrars | Varied presence |
Trends in domain registrations
Financial returns and refunds
Several domains found in the set pose a risk of misleading businesses into financial scams, particularly those within industries recently impacted by tariff changes.
Malicious redirects to irrelevant content
Certain domains could be leveraged for malicious redirects, malware distribution, or SEO poisoning. One specific example presented as a domain that redirects to a gaming platform while containing tariff-related page metadata.
Tariff trackers
A variety of websites claiming to track tariff updates have been launched, however their relevance remains unverified.
Anti-tariff trolls
There were some instances of domains containing anti-tariff content, potentially indicating activist or protest-oriented efforts. Beyond this, these websites could possibly be attempting to spread false political messaging or misinformation by providing “clickbait” topics.
Tariffs on different items
Websites using the word “tariff” as a prefix with random items that could be affected by the tariffs (e.g., “wine”, “guitar”, “health”, “e-commerce”) were registered, likely to spread misinformation.
Notable examples
Tariff and crypto coins
Cryptocurrency coins, leveraging tariff-related terms and the ‘Doge’ meme coin, have been launched on the Solana exchange, with their own X and Telegram channels. These websites feature AI-generated humorous content, designed to attract investor attention.
Online payments for US Customs and Tariffs
The PreCrime Labs team discovered a newly registered phishing domain titled “US Customs and Tariffs”, for the purpose of leading visitors to believe they are required to make payments to a legitimate governmental entity. Such payment requests are likely to be spread using email or messaging campaigns with a theme of urgent, pending payments, directing victims to the fraudulent site where their actions will result in financial losses.
Hate speech
In March 2025, a surge of trolling websites appeared, mocking the tariff decision. One specific site (see Figure 3, below), purported to support a petition drive and used online entertainment to garner attention for its “movement.”
Observations and mitigations
Numerous websites, though not yet active, displayed indicators of malicious intent, allowing for preemptive phishing predictions before harm could occur. For instance, the recently registered ‘US Customs”-themed website is recently registered with a hoster that has a history of hosting malicious domains in the past, which is an indicator of future attack (IoFA). Coupled with poor website presentation, inconsistent branding, and use of plain backgrounds, these indicators strongly suggest that a website is untrustworthy and likely designed for malicious purposes.
The use of harsh language to spread trolling messages and hatred against the government has a potential to influence voter sentiment and create hostility, hindering cooperation with governing bodies. Attackers can exploit this by using the clickbait to mass-spam users, potentially compromising accounts and stealing personally identifiable information (PII), regardless of the user’s initial interest.
Following on the domain registration trends outlined above, PreCrime Labs analysis projects additional increases in domain registrations as the fallout from these political actions gains momentum. This presents various avenues for exploitation, such as the rise of fraudulent businesses providing tariff-related services or educational resources on the new legislation. Therefore, it is strongly recommended that users thoroughly inspect newly formed consultancies, agencies, and cryptocurrency coins before engaging with them, as they may be designed to harvest personal information, further trapping users in financial scams.
