How it works
Browsers display internationalized domain names in their native script, but store and resolve them as Punycode. A domain that looks like "paypal.com" with a Cyrillic letter is really "xn--..." under the hood. Some browsers show the Punycode form as a defence, but not always.
Reading the Punycode reveals whether a domain contains mixed or foreign scripts that the eye cannot catch.
How it relates to brand impersonation
Punycode is the technical tell behind homoglyph domains, one of the hardest lookalikes to spot. Resolving it is how monitoring exposes impersonation that looks identical to your real domain.
How nebty helps
nebty domain monitoring decodes Punycode and flags mixed-script registrations targeting your brand, so homoglyph lookalikes surface for review and on-demand takedown.
Reading the xn-- form
Punycode is just an encoding, not an attack by itself, but reading it is how you unmask a homoglyph domain. Any internationalized domain is stored in DNS as ASCII beginning with xn--, followed by an encoded representation of the original characters. A normal internationalized brand, say a German site using an umlaut, has a legitimate xn-- form. The suspicious case is a domain that looks like plain Latin text in the browser but resolves to an xn-- string, because that means at least one character is not what it appears. You do not need to decode it by hand; the point for defenders is that any detection system has to normalize domains to their Punycode form before comparing them to your brand, otherwise a homoglyph lookalike looks like an exact match to the eye and a totally different string to a naive filter.
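The check described above, as an added example that is not nebty's code: it decodes the xn-- label, lists the scripts it contains, and compares it with a brand name. The function names, the sample domains and the small lookalike table are assumptions constructed for illustration.

```python
import unicodedata

# Constructed, deliberately tiny Cyrillic-to-Latin lookalike table (an assumption
# for this example; production systems use Unicode's full confusables data).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})

def to_xn(label):
    """Build the xn-- form of a Unicode label (used only to construct samples)."""
    return "xn--" + label.encode("punycode").decode("ascii")

def decode_label(label):
    """Return the Unicode text of one DNS label; xn-- labels are Punycode."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Scripts of the letters in text, read from the Unicode character names."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}

def assess(domain, brand):
    """Classify the leftmost label of domain against an ASCII brand name."""
    try:
        name = decode_label(domain.split(".")[0])
    except UnicodeError:
        return ("invalid-punycode", None)
    if name == brand:
        return ("ok", name)
    if name.translate(CONFUSABLES) == brand:
        return ("homoglyph", name)      # renders like the brand, is not the brand
    if len(scripts(name)) > 1:
        return ("mixed-script", name)   # e.g. Latin and Cyrillic in one label
    return ("ok", name)                 # includes legitimate single-script IDNs

if __name__ == "__main__":
    samples = [  # constructed sample domains
        "paypal.com",
        "xn--mnchen-3ya.de",
        to_xn("p\u0430ypal") + ".com",
        to_xn("p\u0430yp\u0430l-login") + ".com",
    ]
    for d in samples:
        print(d, assess(d, "paypal"))
```

The German-umlaut label passes because it is single-script Latin, while the label with a Cyrillic letter is flagged even though its xn-- string does not contain the brand name at all.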