blog.pypi.org - The Python Package Index Blog - PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over PyPI accounts through password resets.

These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts.

Since early June 2025, PyPI has unverified over 1,800 email addresses when their associated domains entered expiration phases. This isn't a perfect solution, but it closes off a significant attack vector where the majority of interactions would appear completely legitimate.

Background
PyPI user accounts are linked to email addresses. Email addresses are tied to domain names; domain names can expire if unpaid, and someone else can purchase them.

During PyPI account registration, users are required to verify their email addresses by clicking a link sent to the email address provided during registration. This verification ensures the address is valid and accessible to the user, and may be used to send important account-related information, such as password reset requests, or for PyPI Admins to use to contact the user.

PyPI considers the account holder's initially verified email address a strong indicator of account ownership. Coupled with a form of Two-Factor Authentication (2FA), this helps to further secure the account.

Once expired, an attacker could register the expired domain, set up an email server, issue a password reset request, and gain access to accounts associated with that domain name.

Accounts with any activity after January 1 2024 will have 2FA enabled, and an attacker would need to have either the second factor, or perform a full account recovery.

For older accounts prior to the 2FA requirement date, having an email address domain expire could lead to account takeover, which is what we're attempting to prevent, as well as minimize potential exposure if an email domain does expire and change hands, regardless of whether the account has 2FA enabled.

This is not an imaginary attack - this has happened at least once for a PyPI project back in 2022, and other package ecosystems.

TL;DR: If a domain expires, don't consider email addresses associated with it verified any more.

The U.S. Attorney’s Office for the Eastern District of Virginia announced today the seizure of approximately 145 darknet and traditional internet domains, and cryptocurrency funds associated with the BidenCash marketplace. The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information.

BidenCash commenced operations in March 2022. BidenCash administrators charged a fee for every transaction conducted on the website. The BidenCash marketplace had grown to support over 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated over $17 million in revenue during its operations.

The BidenCash marketplace domains will no longer be operational and will be redirected to a U.S. law enforcement-controlled server, preventing future criminal activity on these sites. The marketplace also sold compromised credentials that could be used to access computers without proper authorization.

Between October 2022 and February 2023, the BidenCash marketplace published 3.3 million individual stolen credit cards for free to promote the use of their services. The stolen data included credit card numbers, expiration dates, Card Verification Value (CVV) numbers, account holder names, addresses, email addresses, and phone numbers.

According to court records, the United States obtained court authorization to seize cryptocurrency funds that BidenCash marketplace used to receive illicit proceeds from its illegal sales.

Erik S. Siebert, U.S. Attorney for the Eastern District of Virginia; John Szydlik, Resident Agent in Charge of the U.S. Secret Service’s Frankfurt Resident Office; and Philip Russell, Acting Special Agent in Charge of the FBI Albuquerque Field Office, made the announcement.

This case was investigated by the U.S. Secret Service’s Frankfurt Resident Office, the U.S. Secret Service’s Cyber Investigative Section, and the FBI Albuquerque Field Office.

The Department of Justice thanks the Dutch National High Tech Crime Unit, The Shadowserver Foundation and Searchlight Cyber for their assistance with the investigation.

The government is represented by Assistant U.S. Attorney Zoe Bedell in these matters.

The FBI and Microsoft have seized more than 100 web domains they say Russian intelligence used for cyber-espionage, according to court documents unsealed Thursday.

The simultaneous actions targeted the Star Blizzard espionage operation, which targeted government and civil society around the world.

U.S. seizes 32 Russian propaganda domains influencing U.S. elections, targets Kremlin-backed disinformation efforts.

Cybersecurity has always been transient: what is deemed to be secure today, may be considered easily hackable tomorrow. Domain names in web and e-mail addresses, such as info@inti.io, are leased in time. This means that if nobody thinks of renewing them after they expire, they will be put up for sale. It made me wonder what would happen to the graveyard of cloud accounts attached to the e-mail addresses that once belonged to these expired domains.

DGA is one of the classic techniques for botnets to hide their C2s, attacker
only needs to selectively register a very small number of C2 domains, while for
the defenders, it is difficult to determine in advance which domain names will
be generated and registered.