Internationalised domain names (IDNs) let the web speak every language: domains can contain Cyrillic, Greek, Han, Arabic — almost any script Unicode covers. They also hand attackers an alphabet of lookalikes. A Cyrillic а (U+0430) is, to a human eye at reading speed, identical to the Latin a (U+0061). Swap one for the other and apple.com becomes a completely different domain that renders almost identically in an address bar.
Punycode: the mask and the tell
Under the hood, DNS only speaks ASCII. Every IDN is encoded to an ASCII form called punycode before resolution — the encoded form always starts with xn--. The Cyrillic-a version of a famous fruit company encodes to something like xn--pple-43d.com, and that string is the ground truth of what you are actually connecting to.
Browsers defend against the worst of this by refusing to render mixed-script domains in their Unicode form, falling back to raw punycode. But the policy has gaps: single-script confusables (a domain entirely in Cyrillic that happens to look Latin) still render prettily in several clients, and email clients, chat apps and PDF viewers are far less strict than browsers.
What we see in the corpus
Homograph domains in our scan corpus cluster into three patterns:
- Brand-adjacent registrations parked for weeks, then activated for a single spear-phishing wave — the quiet period launders the domain's age-based reputation.
- Mixed-script mail lures that never expect a browser to render them: the link only needs to survive a glance inside an email client.
- Certificate-backed clones — a free DV certificate works exactly as well for
xn--domains, so the padlock is present and meaningless.
The padlock tells you the connection is encrypted. It has never told you who is on the other end.
How Voretix handles it
Every hostname in a scan is normalised to both its Unicode and punycode forms before analysis. The report flags skeleton-matches against high-value brands — the same confusable-skeleton algorithm Unicode publishes in UTS #39 — and mixed-script labels are scored as an independent risk signal, regardless of where the domain points.
If you take one habit away from this post: when a link matters, read the domain from the scan report, not from the address bar. The report shows you the xn-- truth.
Frequently asked questions
What is a homograph attack?
A lookalike-domain technique that replaces characters with visually identical ones from other scripts — such as Cyrillic a for Latin a — so the fake domain passes a human eye check while resolving somewhere else entirely.
How can I tell if a URL uses punycode?
Scan it: Voretix normalises every hostname to both its Unicode and punycode forms and flags mixed scripts and confusable-skeleton matches against high-value brands. Punycode forms always start with xn--.