
Threat Research Report: Elon vs. Trump Feud Drives Malicious Domain Surge

Threat Research Overview of Elon vs. Trump Feud Drives Malicious Domain Surge

In response to the escalating public trade policy feud between Elon Musk and Donald Trump — amplified by political tensions, social media clashes, and media coverage — threat actors are attempting to capitalize on this new, high-profile rivalry to register and weaponize a broad array of malicious domains.

PreCrime™ Labs, the threat research team at BforeAI, has identified multiple domains being used to proliferate crypto scams, phishing, fake betting sites, impersonation schemes, and engagement farming, leveraging the notoriety of both figures to lure victims.

Key Insights

Publicized online disputes, especially between celebrities or political figures, are repeatedly used as social engineering bait. In this case, multiple domains related to hypothetical Trump vs. Elon conflicts have surfaced, often mimicking betting platforms, fake giveaways, or crypto multipliers. Threat actors are using a wide range of low-cost and under-regulated top-level domains (TLDs), including “.xyz”, “.space”, “.wtf”, “.live”, “.info”, “.fun”, “.store”, “.icu”, and “.online”, indicating abuse-friendly zones. Such TLDs are also known for ongoing malicious use in hosting and conducting phishing campaigns.

In the case of the Donald Trump and Elon Musk feud, once Musk publicly voiced his distaste for Trump’s “big beautiful bill” on June 4, 2025, cybercriminals leapt into action, creating at least 39 new domains aimed at scamming and defrauding internet users. All of these new domains were registered in the following two days, on June 5 and 6, 2025.

A wide range of typical TLDs were employed; however, “.com” had the most with 21. This is notable as “.com” is considered a more familiar and reputable TLD, indicating that the criminals were seeking to gain credibility with potential users.

The next largest cluster belongs to “.xyz” with 5 domains, followed by “.info” (3), “.online” and “.fun” (2 each), and “.space”, “.wtf”, “.live”, “.site”, “.store”, and “.icu” (one each).

Figure 1: Threat actors leveraging the Trump:Musk feud to launch new meme coins

The team also observed a surge in thematic keywords that tie each domain to the event on which it is based. Examples include URLs containing keywords like “trumpvselon”, “elonvstrump”, “elonprivateaccess”, “trumploveselon”, and “trumpmuskfeud”. Keywords such as “crypto”, “billiondollar”, “betting”, “private access”, and “game” were then combined with the above set to establish the category of operation, for example, hosting fake apps or contests, as discussed with examples below.
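
The keyword and TLD patterns described above can be turned into a triage score for newly registered domains. The following Python is an added example, not BforeAI's tooling: the keyword lists and TLDs come from this report, while the weights, the threshold of 2 and the sample feed are assumptions.

```python
import re

# Keywords and TLDs are the ones quoted in the report; the weights and the
# threshold are assumptions chosen for this example.
FIGURES = {"trump": "Trump", "elon": "Musk", "musk": "Musk"}
CONFLICT = ("vs", "versus", "feud", "loves")
LURES = ("crypto", "billiondollar", "betting", "privateaccess", "game")
FLAGGED_TLDS = {"xyz", "space", "wtf", "live", "info", "fun",
                "store", "icu", "online", "site"}
THRESHOLD = 2


def score_domain(domain):
    """Return (score, reasons) for one newly registered domain."""
    name = domain.strip().lower().replace("[.]", ".").rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return 0, ["not a registrable name"]
    tld = labels[-1]
    # Drop digits and hyphens so "private-access" matches "privateaccess".
    text = re.sub(r"[^a-z]", "", "".join(labels[:-1]))

    people = sorted({who for key, who in FIGURES.items() if key in text})
    if not people:
        return 0, []          # no tie to the event, nothing to score
    score, reasons = len(people), ["names " + "+".join(people)]
    if any(word in text for word in CONFLICT):
        score, reasons = score + 1, reasons + ["conflict keyword"]
    if any(word in text for word in LURES):
        score, reasons = score + 1, reasons + ["lure keyword"]
    if tld in FLAGGED_TLDS:
        score, reasons = score + 1, reasons + ["TLD ." + tld]
    return score, reasons


def triage(domains):
    """Return the domains scoring at or above THRESHOLD, highest first."""
    scored = sorted(((score_domain(d)[0], d) for d in domains),
                    key=lambda pair: (-pair[0], pair[1]))
    return [d for s, d in scored if s >= THRESHOLD]


# Constructed feed: five domains named in the report plus one unrelated name.
FEED = ["trumpvselon.space", "elonprivateaccess.info", "trump2mars.com",
        "trumpversuselon[.]com", "trumpbilliondollar.com", "example-bakery.com"]

if __name__ == "__main__":
    for d in FEED:
        print(d, *score_domain(d))
```

Substring matching also hits unrelated words that happen to contain a keyword, and single-name domains such as trump2mars.com fall below the threshold, so the score is a review priority rather than a verdict.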

Malicious Infrastructure Trends:

Telegram bot integrations were seen on a purportedly malicious website (e.g., trumpversuselon.com), which leveraged X (formerly Twitter) automation to redirect users to compose posts. Additionally, this particular domain was configured to leverage Telegram’s messaging API, either by auto-redirecting visitors or by presenting a Telegram bot interface. This functionality is achieved through client-side scripting (e.g., JavaScript) or meta-refresh tags that direct individuals to a specific Telegram handle or channel. The method is frequently observed in campaigns designed to funnel victims into fraudulent investment schemes, as the domain promotes crypto or facilitates impersonation-based scams.

Figure 2: Example of an autocomposed X post seen when a victim visits trumpversuselon[.]com
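
The redirect behaviour described above (a meta-refresh tag or client-side script sending a visitor to a Telegram handle or to a pre-filled X post) can be detected statically in fetched HTML. This Python is an added example, not code from the report; the Telegram link hosts, the X "/intent/" compose path and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TELEGRAM_HOSTS = {"t.me", "telegram.me"}   # assumed Telegram link hosts
X_HOSTS = {"x.com", "twitter.com"}         # assumed hosts of the /intent/ compose path
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""", re.I)
JS_NAV_RE = re.compile(r"location(\.href)?\s*=|location\.(replace|assign)\s*\(")

def classify(url):
    parsed = urlparse(url if url.lower().startswith("http") else "https:" + url)
    host = re.sub(r"^www\.", "", parsed.hostname or "")
    if host in X_HOSTS:
        return "x-compose" if parsed.path.startswith("/intent/") else None
    return "telegram" if host in TELEGRAM_HOSTS else None

class RedirectFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None

    def _record(self, how, text):
        self.findings += [(how, classify(u), u) for u in URL_RE.findall(text) if classify(u)]

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script = []            # buffer inline script text
        elif tag == "meta" and (dict(attrs).get("http-equiv") or "").lower() == "refresh":
            self._record("meta-refresh", dict(attrs).get("content") or "")

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            code, self._script = "".join(self._script), None
            if JS_NAV_RE.search(code):   # only scripts that navigate the window
                self._record("script", code)

def find_redirects(html):
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not captured from any site in the report.
SAMPLE = """<meta http-equiv="refresh" content="3; url=https://t.me/constructed_handle">
<script>location.href = "https://x.com/intent/post?text=constructed%20promo";</script>
<a href="https://t.me/constructed_handle">Join</a>"""
```

The plain link in the sample is not reported: only navigation that happens without a click (meta-refresh or a script assigning the window location) is treated as a finding.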

There were also themes based on users’ popular internet browsing preferences, for example, fake betting sites and phishing lures tied to online games and merchandise (e.g., elonvstrumpfight.com, elonvstrump.store, elongame.icu).

Figure 3: Criminals leveraging games to attract supporters to a phishing site

Abusive or reputational attack domains (e.g., elonsucksmydick.com, elonrip.com) were also observed. These psychologically manipulate visitors into supporting one side of the conflict, depending on the website’s agenda. Such platforms often include calls-to-action, like signing up for a movement or providing sensitive personal details, which can compromise the visitor’s identity.

Domain Breakdown & Threat Types

Crypto Scam Infrastructure

| Threat Type | Domain | Notes |
|---|---|---|
| Crypto scam | trumpvselon.space | Fake Trump-vs-Elon event giveaway |
| Crypto scam | trumpbilliondollar.com | Claims Trump backing $1B giveaway |
| Crypto scam | trump2mars.com | Exploits Musk’s Mars ambitions |
| Crypto scam | trumpvselon.wtf | URL suggests “shocking” feud content |
| Crypto scam | trumpvselon.live | Hosted fake livestream countdown |
| Crypto scam | trumpvsmusk.xyz | Hosted Musk impersonator wallet |
| Crypto scam | elonxparty.site | Meme coin airdrop impersonating Musk |
| Crypto scam | elonvstrump.xyz | Live wallet embedded |
| Crypto scam | elonprivateaccess.com / .info / .online | Mimic Tesla private share sale |
| Crypto scam | elonrip.online | Used fake obituary as bait |

Figure 4: Recently registered crypto-themed website launched to conduct financial fraud leveraging the Trump:Musk controversy

Gaming & Engagement Lures

| Threat Type | Domain | Notes |
|---|---|---|
| Fake game | elonvstrumpfight.com | HTML5 game redirect to betting page |
| Fake mobile app | elongame.icu | Pseudo Google Play page, scam download |
| Engagement farming | elonvstrumpwars.fun | Meme tournament bracket voting |
| Engagement farming | elonvstrump.fun | Reddit-style image votes |

Betting & Merchandise

| Threat Type | Domain | Notes |
|---|---|---|
| Betting | trumpelonbingo.com | Hosted a Trump-Elon ‘Bingo’ card wager |
| Merchandise | elonvstrump.store | Shirt sales, unclear legitimacy |

Disinformation / Reputation Abuse

| Threat Type | Domain | Notes |
|---|---|---|
| Abuse | elonsucksmydick.com | Reputation defamation |
| Abuse | elonrip.com | Fake news site publishing false death |

Bot Automation

| Threat Type | Domain | Notes |
|---|---|---|
| Telegram bot | trumpversuselon.com | Auto-post crypto promo links |

Tactical Observations

Based on PreCrime Labs’ observations, certain scams are event-driven, in which threat actors pivot rapidly from one theme to another as public attention surges and wanes. The most recent example we have analyzed is the current Trump/Musk feud, in which domain registrations immediately peaked as this event was gaining attention. The active content themes (images of Trump/Musk in crypto, gaming, and shopping contexts), along with domain names combined with “.xyz”, “.space”, “.wtf”, “.live”, and “.site” TLDs, are consistent indicators of suspicious activity in this campaign.

The presence of Telegram integrations and fake app stores used in this campaign represents a shift to multi-channel attack vectors. There is a strong potential that we will continue to see scams spreading to other popular social media platforms, where media consumption and redirection are high.

Conclusions

The Elon vs. Trump feud has become a fertile ground for opportunistic threat actors, with a range of scams exploiting the names and media coverage of both figures. As public interest in these figures continues, more weaponized domains will likely be registered.

This trend is a reminder of the importance of real-time monitoring of current events in domain threat intelligence and the need to act fast when trending news becomes a vector for cybercrime.
