What Is Punycode?
How xn-- Domains Can Hide Look-Alikes
Punycode is a way to represent international (non-ASCII) characters in domain names using plain ASCII. It exists so domain names can include characters from many languages (for example: accented Latin letters, Cyrillic, Greek, and more) while still working with DNS.
When a domain contains non-ASCII characters, it may appear in an ASCII form that starts with xn--. This is called an IDN (Internationalized Domain Name) in punycode form.
Example
A domain shown as xn--… is the encoded version of a Unicode domain.
Why punycode matters for security
Some characters from different alphabets look nearly identical. Attackers can register a domain that visually resembles a trusted brand by mixing characters from different writing systems.
Characters that look alike
Latin "a" vs Cyrillic "а"
Latin "e" vs Cyrillic "е"
Latin "o" vs Cyrillic "о"
A link may look normal at a glance, but the actual domain can be different — and punycode is one way that difference becomes "hidden" until you inspect it carefully.
What is an xn-- domain?
xn-- indicates the domain is encoded in punycode. Browsers may show either:
1. The Unicode domain (human-friendly)
2. The ASCII punycode form (xn--...)
This display depends on browser rules and the perceived safety of the characters used.
xn-- does not automatically mean a domain is dangerous. It's simply a signal to slow down and verify what you're clicking.
How to spot a punycode / look-alike link
Here are practical checks that work in real life:
Look at the final domain, not the short link
Shorteners and redirects can hide the final destination. Always verify the final domain you actually land on.
Watch for xn-- in the domain
If the domain contains xn--, treat it as "verify carefully." It might be a legitimate international domain — or a look-alike.
Mixed scripts are a red flag
Domains that mix alphabets (Latin + Cyrillic/Greek) are more suspicious than domains using a single script consistently.
Don't trust the visible text alone
In emails and messages, links can be disguised. A button might say "paypal.com" while the underlying URL goes somewhere else.
If it's sensitive, avoid clicking at all
For banking, password resets, invoices, delivery notices: open a new tab and navigate manually to the official site instead of clicking a link.
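The xn-- and mixed-script checks above can be automated. The Python sketch below is an added example, not code from unshorten.app; its function names and sample host names are constructed for illustration, and the script detection is a heuristic based on Unicode character names.

```python
import unicodedata

def script_of(ch):
    """Script guessed from the first word of the Unicode character name (heuristic)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None   # digits and hyphen are neutral
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_ace(host):
    """Build the xn-- form of a Unicode host name (used here only to make sample input)."""
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.lower().split("."))

def inspect_host(host):
    """Decode each xn-- label and report which scripts it contains."""
    report = []
    for label in host.lower().rstrip(".").split("."):
        is_xn = label.startswith("xn--")
        try:
            text = label[4:].encode("ascii").decode("punycode") if is_xn else label
        except (UnicodeError, ValueError):
            text = label                           # malformed: keep the raw label
        scripts = sorted({s for s in map(script_of, text) if s})
        report.append({"label": label, "unicode": text, "punycode": is_xn,
                       "scripts": scripts, "mixed": len(scripts) > 1})
    return report

def needs_review(host):
    """True when any label is xn-- encoded or mixes scripts (a prompt to verify, not a verdict)."""
    return any(r["punycode"] or r["mixed"] for r in inspect_host(host))

# Constructed samples: "example" with Cyrillic U+0430 in place of Latin "a",
# a single-script international name, and a plain ASCII name.
SAMPLES = [to_ace("ex\u0430mple.example"), to_ace("caf\u00e9.example"), "example.example"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "-> review" if needs_review(host) else "-> plain ASCII")
        for r in inspect_host(host):
            print("   ", r)
```

A name written entirely in one non-Latin script is not marked as mixed; it is still surfaced through the xn-- flag. Some languages legitimately combine scripts, so a mixed result is a reason to verify, not proof of a look-alike.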
How unshorten.app helps with punycode links
When you paste a link into unshorten.app, you can:
This is a lightweight "sanity check" before you click.
Note: heuristics are not a guarantee of maliciousness — they highlight patterns worth a second look.
Common scenarios where punycode shows up
Phishing emails
Links pretending to be a bank, delivery service, or invoice provider
Social media & DMs
Shortened links that hide the final domain
International domains
Legitimate IDN usage for non-English audiences