In response to the escalating public trade policy feud between Elon Musk and Donald Trump — amplified by political tensions, social media clashes, and media coverage — threat actors are attempting to capitalize on this new, high-profile rivalry to register and weaponize a broad array of malicious domains.
PreCrime™ Labs, the threat research team at BforeAI, has identified multiple domains being used to proliferate crypto scams, phishing, fake betting sites, impersonation schemes, and engagement farming, leveraging the notoriety of both figures to lure victims.
Key Insights
Publicized online disputes, especially between celebrities or political figures, are repeatedly used as social engineering bait. In this case, multiple domains related to hypothetical Trump vs. Elon conflicts have surfaced, often mimicking betting platforms, fake giveaways, or crypto multipliers. Threat actors are using a wide range of low-cost and under-regulated top level domains (TLDs), including “.xyz”, “.space”, “.wtf”, “.live”, “.info”, “.fun”, “.store”, “.icu”, and “.online”, indicating abuse-friendly zones. Such TLDs are also known for their ongoing malicious use for hosting and conducting phishing campaigns.
Cyber Technology Insights : Cyber A.I. Group Appoints Irving Bruckstein as Director of Global Technology Integration
In the case of the Donald Trump and Elon Musk feud, once Musk publicly voiced his distaste for Trump’s “big beautiful bill” on June 4, 2025, cybercriminals leapt into action, creating at least 39 new domains aimed at scamming and defrauding internet users. All of these new domains were registered in the following two days, on June 5 and 6, 2025.
A wide range of typical TLDs were employed; however, “.com” had the most with 21. This is notable as “.com” is considered a more familiar and reputable TLD, indicating that the criminals were seeking to gain credibility with potential users.
The next largest cluster belongs the “.xyz” with 5 domains, followed by “.info” (3), “.online” and “.fun” (2 each) and “.space”, “.wtf”, “.live”, “.site”, “.store”, and “.icu” (with one each).
The team also observed a surge in the use of thematic keywords, delivering the relevance of the event on which it is based. For example, URLs containing keywords like “trumpvselon”, “elonvstrump”, “elonprivateaccess”, “trumploveselon”, “trumpmuskfeud”. Then, keywords such as “crypto”, “billiondollar”, “betting”, “private access”, and “game” were tied to the above set of keywords to establish the category of their operations, for example, to host fake apps, contests, etc., as discussed with examples below.
Cyber Technology Insights : NuHarbor Security Recognized as Top Workplace by VermontBiz, Best Practice Institute
Malicious Infrastructure Trends:
Telegram bot integrations seen through a purported malicious website (e.g., trumpversuselon.com) leveraged X (formerly Twitter) automation to redirect users to compose posts. Additionally, this particular domain was configured to leverage Telegram’s messaging API, either by auto-redirecting visitors or by presenting a Telegram bot interface. This functionality is achieved through client-side scripting (e.g., JavaScript) or meta-refresh tags, directing individuals to a specific Telegram handle or channel. This method is frequently observed in campaigns designed to funnel victims into fraudulent investment schemes, as the domain promotes crypto or facilitates impersonation-based scams.
Additionally, there were also themes based on users’ popular internet surfing preferences. For example, fake betting sites and phishing lures tied to online games and merchandise (e.g., elonvstrumpfight.com, elonvstrump.store, elongame.icu).
Abusive or reputational attack domains (e.g., elonsucksmydick.com, elonrip.com) were also observed to psychologically manipulate visitors, making them support one side of the conflict, depending on the website’s agenda. Such platforms often include calls-to-action, like signing up for a movement or providing sensitive personal details, which can compromise their identity.
Cyber Technology Insights : Mattermost Launches Enterprise Advanced for Multi-Domain Defense and Critical Infrastructure
Domain Breakdown & Threat Types
Crypto Scam Infrastructure
Gaming & Engagement Lures
elonvstrump.fun
Meme tournament bracket voting
Reddit-style image votes
Betting & Merchandise
Disinformation / Reputation Abuse
elonrip.com
Reputation defamation
Fake news site publishing false death
Bot Automation
Tactical Observations
Based on PreCrime Labs’ observations, certain scams are event-driven, in which threat actors pivot rapidly from one theme to another as public attention surges and wanes. The most recent example we have analyzed is the current Trump/Musk feud, in which domain registrations immediately peaked as this event was gaining attention. The active content themes (images of Trump/Musk in crypto, gaming, and shopping contexts), along with domain names combined with “.xyz”, “.space”, “.wtf”, “.live”, and “.site” TLDs, are consistent indicators of suspicious activity in this campaign.
The presence of Telegram integrations and fake app stores used in this campaign represents a shift to multi-channel attack vectors. There is a strong potential that we will continue to see scams spreading to other popular social media platforms, where media consumption and redirection are high.
Conclusions
The Elon vs. Trump feud has become a fertile ground for opportunistic threat actors, with a range of scams exploiting the names and media coverage of both figures. As public interest in these figures continues, more weaponized domains will likely be registered.
This trend is a reminder of the importance of real-time monitoring of current events in domain threat intelligence and the need to act fast when trending news becomes a vector for cybercrime.
Cyber Technology Insights : AvePoint Launches New Advanced Security and Optimization Features to Elements Platform
To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com
Source: prnewswire
