Romance Scams Proliferate Domain Registrations Ahead of Valentine’s Day

Executive Summary: Romance Scams Proliferate Domain Registrations Ahead of Valentine’s Day

Date: February 2026
Source: PreCrime™ Labs

PreCrime™ Labs, the threat research division of BforeAI, has been analyzing a set of recent suspicious domain registrations around the theme of love and romance, in anticipation of the Valentine’s Day holiday. The surge of malicious campaigns spans phishing, gifting, dating apps, chat platforms, crypto, and potential pig butchering activities that could lead to loss of financial and personal information. This report analyzes over 3280 suspicious domains containing strings such as “love”, “valentine”, “dating”, “tinder”, and “matchmaking”, registered primarily between December 2025 and February 2026. It highlights patterns in top-level domain (TLD) usage, registrar choice, and geographic lures that indicate both opportunistic fraud and coordinated campaign-style abuse.

Interestingly, a cluster of 280 domains registered under a single IP using a Domain Generation Algorithm (DGA) was actively operational, hosting random content to lure users into interacting before moving them to the main campaign operation.

Figure 1 - A surge of gifting in romance scams was observed by researchers at BforeAI in the wake of upcoming Valentine’s week

Campaign focus and vulnerable targets

The consistent keywords used in the domains indicate that, ahead of Valentine’s week, the infrastructure is purpose-built for the initial social engineering phase of romance scam operations rather than for standalone phishing or credential harvesting activity.

The primary victim persona includes users of online dating and social media platforms seeking romantic connections or companionship. Secondary targeting likely extends to high net-worth individuals, expatriates, and socially isolated users, demographics historically overrepresented in long-con romance-investment scams due to increased financial capacity and prolonged engagement susceptibility.

Domain registration trends at a glance

The campaign exhibits a mixed strategy, balancing the need for credibility with cost-efficiency and theme relevance:

  • Credibility dominance: The “.com” TLD is overwhelmingly preferred, accounting for 1,762 domains. This reflects the attacker’s intent to establish a high degree of perceived legitimacy, as “.com” remains the most trusted and recognized TLD globally.
  • Theme and app lures: The second most popular TLD is “.app” (237 domains), which is strategically used to lend the domains a modern, mobile application feel, directly targeting users who may be looking for dating apps.
  • Cost and generic TLDs: TLDs like “.shop” (171 domains), “.biz” (170), and “.online” (87) are highly utilized, often indicating cost-saving measures and the bulk deployment of “burner” infrastructure designed to be disposable.
  • Direct Theme Targeting: The use of “.dating” (83 domains) is a clear indicator that the campaign is purpose-built for the romance scam pretext.
Top TLD assessment

Top 10 registrar assessment

The top five registrars observed in the dataset are: GoDaddy, Spaceship, Namecheap, Tucows Domains Inc., and Cloudflare. Credibility-focused registrars such as GoDaddy and Tucows are used for “.com” registrations, which lets the attacker establish a higher level of perceived legitimacy and trust with the victim. GoDaddy, Spaceship, and Namecheap saw their largest registration spike in January 2026 (1533 domains).

Following these, cost-efficient and burner-focused registrars such as Spaceship and Namecheap are often prioritized for generic or lower-cost TLDs like “.biz”, “.top”, “.lol”, and “.site”. The attacker uses these providers for high-volume, disposable infrastructure where a low cost per domain is a priority. This infrastructure is likely intended for short-lived use or as part of a rapid, large-scale deployment that will be quickly burned or flagged for takedown.

| Registrar | Total Domains | Primary Bulk Registration Spike | TLD Preference |
|---|---|---|---|
| GoDaddy.com, LLC | 513 | 2026-01 (243) | Heavily “.com”. Use of “.app” for perceived credibility. |
| Spaceship, Inc. | 265 | 2026-01 (221) | Strongly favors “.biz” and “.top”, both generic and lower-cost TLDs. |
| Namecheap, Inc. | 476 | 2026-01 (238) | Balanced mix of “.com” and niche/theme-specific TLDs like “.app” and “.dating”. |
| Tucows Domains Inc. | 227 | 2025-01 (56) | Overwhelmingly favors “.com”. Low use of other TLDs. |
| Cloudflare | 133 | 2026-01 (68) | Heavily favors highly reliable TLDs “.com”, “.app”, “.work”. |

Descriptions:

  • GoDaddy.com, LLC: Used for high-volume, brand-impersonating infrastructure, leaning on the credibility of “.com” and GoDaddy’s sheer scale to blend in.

  • Spaceship, Inc.: Used for low-cost, high-volume “burner” infrastructure. The heavy spike indicates a single, targeted mass-registration event.

  • Namecheap, Inc.: A strategic registrar choice, balancing the trust of “.com” with theme-relevance (“.dating”) for specialized, large-scale dating fraud.

  • Tucows Domains Inc.: Exhibits a relatively older operational profile with a more uniform spike in January 2025. Used for infrastructure intended for longer-term, sustained campaigns.

  • Cloudflare: Cloudflare is primarily utilized for its free name server services. The high preference for “.com” and “.app” suggests the domains are intended to host phishing pages that require a high degree of perceived legitimacy and modern credibility.

Domain registration trend

Thematic lures and use cases

The low but existing use of “financial/crypto” keywords suggests the campaign may be integrating deeper into the pig butchering model, where actors transition victims from a romantic relationship to a fraudulent cryptocurrency or investment platform. The next evolution may include more complex, short-lived domain names designed to impersonate specific financial platforms.

| Thematic Lure | Key Domain Indicators & Examples | Social Engineering Strategy |
|---|---|---|
| Pig Butchering / Crypto Pivot | Indicators: crypto, fund, asset, trade. Notable Domains: “valentinetraders.site”, “tradetinder.com”, “tindertrader.com” | After establishing an emotional relationship, the scammer introduces a 'secret' investment opportunity (crypto/Forex trading). |
| App Download / Live Chat Lure | Indicators: .app, download, chat, live (often combined with a dating term). Notable Domains: “zipelovenapp.com”, “onlinedating.tel”, “lovewithapple.com” | The domain is used to host a fake app download page or a generic live-chat service. The primary goal is to move the conversation from a monitored platform to an unmonitored channel (Telegram, WhatsApp) or to harvest credentials by asking the victim to "verify" their account on the fake app. |
| Support / Account Lure | Indicators: verify, support, help, account (less frequent in this set, but part of the general tradecraft). | Lures designed to make the victim fear their profile or account is compromised. The domain hosts a fake "account support" or "identity verification" page, compelling the user to enter login credentials or payment information to "save" their dating profile. |

| Thematic Lure | Overlap with Romance/Dating Scams | Potential Impact |
|---|---|---|
| Pig Butchering / Crypto Pivot | The emotional capital from the romance scam is leveraged as the 'trust' necessary for the victim to deposit funds. | Designed for large, repeated wire transfers and cryptocurrency deposits, often resulting in victims losing life savings. |
| App Download / Live Chat Lure | Used to quickly isolate the victim and secure long-term communication away from a platform that might detect and remove the scammer's profile. | Harvesting of dating site credentials and personal details. |
| Support / Account Lure | Used to extract data from victims who are hesitant to give financial details or to harvest credentials for existing accounts on legitimate platforms. | Primary goal is credential harvesting (login and password reuse) or personal verification data (e.g., driver's license photos for 'account support'). |

Notable campaigns observed

AI in dating

Some of the scam domains in this data set rely heavily on AI-driven matchmaking narratives to add a layer of intelligence to the platform. Some users may tend to rely on such platforms more than others, due to existing awareness of other AI platforms and their perceived convenience. This reflects a growing trend in which AI branding is used to scale romance-related domains with scripted interactions and potential automation of manipulation or data-collection workflows.

Figure 2 - The use of AI in suspicious dating related domains imparts trust and legitimacy while harvesting sensitive data
Figure 3 - The use of AI in suspicious dating related domains imparts trust and legitimacy while harvesting sensitive data

Political agenda

The example below leans heavily on a Valentine’s theme while subtly pushing a political agenda to make the campaign feel approachable rather than political. By presenting voting as a form of personal connection and ensuring the domain ranks higher as users strategically search for the “Valentine” keyword, it lowers skepticism and shifts engagement from policy to emotion while also driving traffic. This reflects a soft influence tactic, where familiarity and relatability are used to guide voter behavior instead of overt persuasion or technical abuse.

Figure 4 - Pushing U.S. election-based narratives during the peak of Valentine’s week to drive traffic (while not malicious, this site remains unverified by any authorized entity)

Crypto and betting

The sample domain below blends romance-coded language (“love”) with crypto wallet actions to compel a high-risk transaction while keeping it aligned with the intended theme. Certain patterns in such domains align with romance-to-crypto fraud workflows, where emotional framing is used to lead victims into Web3 exploitation rather than immediate theft. In this case, the user is asked to connect a wallet and is then subtly led into making a transaction.

Figure 5 - Crypto-based domains usually emerge ahead of all seasonal/significant events, making a presence during Valentine’s Day celebrations as well

Support services for dating apps

Certain domains present themselves as third-party support services for dating apps, positioning profile “optimization” as an external enhancement rather than an official feature. By promising better matches through minimal effort and implied AI-driven insight, it targets singles actively seeking connection, a demographic already primed for emotional investment and quick decisions, often leading to financial losses.

Figure 6 - Third party services associated with prominent dating services brands often leverage paid modules under various pretexts while not officially authorized

Support centers and career services

Domains such as “tinder-help[.]com” follow classic helpdesk and BEC-style impersonation patterns. While the compelling event is not yet trending, the site appears to be under construction, or could be operating in the backend.

Another area of abuse is legitimate job and career content platforms embedded with Valentine-themed and workplace-romance narratives, a pattern often used to establish credibility before abuse. By mixing generic career advice, seasonal topics, and a familiar brand-adjacent identity (e.g., “tinderjobs”), it creates a low-suspicion environment that can later be leveraged for BEC-style recruitment scams, fake job outreach, or data harvesting.

Figure 7a - Brand impersonated support centers and job portals leveraged for establishing legitimacy
Figure 7b - Brand impersonated support centers and job portals leveraged for establishing legitimacy

Clickbait content

A cluster of domains from the IP address 43[.]174[.]14[.]129 accounted for ~298 associated domains within one month, indicating concentrated infrastructure abuse consistent with bulk-hosted social-engineering campaigns. The domains largely follow romance and event-driven naming patterns (e.g., “valentine’s/love” themes) and are designed for rapid rotation, suggesting automation or DGA-like generation to evade takedowns and blocklists.

This level of domain density on a single IP points to centralized campaign staging, enabling threat actors to efficiently launch, recycle, and scale emotionally driven lures that funnel victims toward downstream fraud, data harvesting, or monetization schemes. This setup reflects a low-cost, high-volume operational model, prioritizing reach and resilience over long-lived infrastructure.

Figure 8 - Randomly generated domains appear to be bulk registered on free hosting providers that can potentially execute different malicious actions once human interaction has taken place
Figure 9 - Randomly generated domains appear to be bulk registered on free hosting providers that can potentially execute different malicious actions once human interaction has taken place

The same cluster of malicious domains that hosted Valentine’s message bait using the above-mentioned string pattern also hosted other random themes such as gaming, which is irrelevant to romance scams. This may be a detection evasion technique, or a planned event to attract singles. This model is profitable because it is low-cost, automated, and reusable across a range of seasons and events, enabling mass victim targeting, easy takedown recovery, and traffic funneling to secondary scams (romance fraud, crypto, malware, ads).

Figure 10 - Some gaming domains, while not using the romance-based theme, use the keywords in the domain for ranking (as seen in above example, but various other themes were also observed)

Campaign impact

  • Business Impact: Brand impersonation risk for legitimate dating and social media platforms is very high. Abuse of a registrar’s infrastructure places significant strain on abuse and compliance teams, incurring substantial mitigation costs.
  • User Risk: This campaign directly targets users’ emotional vulnerabilities, leading to severe financial loss (often life savings) and significant psychological harm, far exceeding the impact of a simple credential theft.
  • Brand Impersonation Risk: While not overtly impersonating specific major brands by name, the domains are structured to look like generic dating services, creating a ‘category’ impersonation risk that erodes trust in the legitimate online dating industry.

Likely Modus Operandi:
The data clearly aligns with known TTPs (tactics, techniques, and procedures) of romance scams, characterized by bulk, temporal registration bursts, and theme-specific keywords.

Attacker next steps:

  • Immediate Deployment: The large number of newly registered domains suggests immediate deployment is underway to maximize return before takedown.
  • Platform Shifting: Once initial contact is made via the fraudulent domain/site, the actor will quickly pivot the conversation to encrypted messaging apps (WhatsApp, Telegram) to break the tie to the domain infrastructure, making further tracking difficult.
  • Financial Pivot: A significant portion of the successful engagements will pivot to investment fraud (pig butchering), leveraging newly stood-up crypto-themed infrastructure (as suggested by the minor financial/crypto keyword theme).

Mitigation and recommendations

  1. TLD Blocking: Preemptive blocking or high-risk flagging of traffic originating from the observed non-“.com” TLDs (specifically “.dating”, “.biz”, “.online”) when not from an explicitly whitelisted source.
  2. Nameserver Monitoring: Implement proactive monitoring and block lists for the identified high-volume, generic name servers associated with this campaign.
  3. Registrar Abuse Reporting: Priority reporting of all observed domains to the top-volume registrars (GoDaddy, Spaceship, Namecheap) using automated abuse submission tools.
  4. Pre-Release Monitoring: Monitor newly registered domains containing the top keywords (“date”, “love”, “meet”, “match”, “single”) using a combination of high-risk TLDs and common registrars as early-warning indicators.
  5. Temporal Anomaly Detection: Flag any bulk registration of domains (e.g., >50 in a single month) associated with a single name server or registrant country/state as a high-confidence threat event.
  6. Communication Channel Analysis: Educate users that any shift from a dating platform to an end-to-end encrypted app (WhatsApp, Telegram) for “investment advice” is a critical indicator of a scam pivot.

Domain-based early-warning indicators

  • New domain registration with a “Creation Date” within the last 60 days.
  • Contains a “Dating/Social” keyword (e.g., “date”, “match”, or “love”).
  • Hosted on a generic/parking name server (e.g., *dns-parking.com*, *registrar-servers.com*).
  • Registered with one of the top high-abuse or low-cost registrars (Porkbun, Namecheap, Spaceship).
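
The indicators above, combined with the bulk-registration threshold from the recommendations, can be applied to a newly-registered-domain feed as in the following added example (not code from the report). The record field names, the `min_hits` cut-off of three indicators, and the sample records are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Values taken from the report's recommendations and indicator list.
KEYWORDS = ("date", "love", "meet", "match", "single")
HIGH_RISK_TLDS = {"dating", "biz", "online"}
PARKING_NS = ("dns-parking.com", "registrar-servers.com")
REGISTRARS = ("porkbun", "namecheap", "spaceship")
MAX_AGE_DAYS = 60
BURST_THRESHOLD = 50  # "more than 50 in a single month"

def _ns_month(rec):
    """Grouping key for burst detection: (name server, YYYY-MM of creation)."""
    return rec["nameserver"].lower(), rec["created"].strftime("%Y-%m")

def indicators(rec, today):
    """Return the per-domain indicators that one registration record matches."""
    name, _, tld = rec["domain"].lower().rpartition(".")
    ns = rec["nameserver"].lower()
    hits = []
    if 0 <= (today - rec["created"]).days <= MAX_AGE_DAYS:
        hits.append("new")
    if any(k in name for k in KEYWORDS):  # substring match, so "update" hits "date"
        hits.append("keyword")
    if any(ns == p or ns.endswith("." + p) for p in PARKING_NS):
        hits.append("parking_ns")
    if any(r in rec["registrar"].lower() for r in REGISTRARS):
        hits.append("registrar")
    if tld in HIGH_RISK_TLDS:
        hits.append("tld")
    return hits

def bursts(records, threshold=BURST_THRESHOLD):
    """Name server / month pairs with more than `threshold` registrations."""
    counts = Counter(_ns_month(r) for r in records)
    return {key: n for key, n in counts.items() if n > threshold}

def triage(records, today, min_hits=3):
    """Flag records matching at least `min_hits` indicators (assumed cut-off)."""
    hot = bursts(records)
    flagged = []
    for rec in records:
        hits = indicators(rec, today)
        if _ns_month(rec) in hot:
            hits.append("burst")
        if len(hits) >= min_hits:
            flagged.append((rec["domain"], hits))
    return flagged

# Constructed sample feed: 51 same-month registrations plus one benign record.
TODAY = date(2026, 2, 10)
SAMPLE = [
    {"domain": f"sample-love-{i:04d}.biz", "created": date(2026, 1, 10),
     "nameserver": "ns1.dns-parking.com", "registrar": "Spaceship, Inc."}
    for i in range(51)
] + [
    {"domain": "intranet-update.example", "created": date(2019, 5, 1),
     "nameserver": "ns.corp.example", "registrar": "Example Registrar"},
]

if __name__ == "__main__":
    for domain, hits in triage(SAMPLE, TODAY)[:3]:
        print(domain, hits)
```

Requiring several indicators together keeps a lone keyword match, such as “date” inside “update”, from raising an alert on its own.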
