Criminal is spoofing ICANN.
Hacking individual domain name registrar accounts is so old-school. Why not gain access to an entire registrar or registry?
The Internet Corporation for Assigned Names and Numbers (ICANN) issued an alert that someone is running a phishing scam impersonating ICANN. The emails (so far) come from sales (at) icann.org. The perpetrator is sending them to contracted parties.
ICANN recently sent an email to some contracted parties from accounting (at) erp.icann.org, which it says is a valid email.
Of course, if someone can spoof the sales address, then they can probably spoof the other one, or typos of it.
ICANN.org has a DMARC record but not a published DMARC quarantine/reject policy.
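To make the distinction between having a DMARC record and publishing an enforcing policy concrete, here is an added example (not from the original post) that classifies a DMARC TXT record by what it asks receiving mail servers to do with spoofed mail. The sample records are constructed for illustration and are not a lookup of any real domain; the function names and result labels are my own.

```python
# Added example. Sample records are constructed, not a live lookup of any domain.

def parse_dmarc(txt):
    """Return a dict of DMARC tags, or None if txt is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must begin with the exact tag v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def enforcement(txt, subdomain=False):
    """Classify what the record asks receivers to do with mail that fails DMARC.

    subdomain=True models a From: domain below the organizational domain that
    has no DMARC record of its own, so the sp= tag (if any) overrides p=.
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: with a report address, treat as p=none; else ignore.
        return "monitor-only" if "rua" in tags else "no-dmarc"
    if policy == "none":
        return "monitor-only"
    pct = tags.get("pct", "100")
    # pct < 100 means only a sample of failing mail gets the policy applied.
    if pct.isdigit() and int(pct) < 100:
        return "partial-" + policy
    return policy


SAMPLES = {  # constructed records
    "record without enforcement": "v=DMARC1; p=none; rua=mailto:reports@example.org",
    "enforced, subdomains exempt": "v=DMARC1; p=reject; sp=none",
    "partially enforced": "v=DMARC1; p=quarantine; pct=25",
    "enforced": "v=DMARC1; p=reject",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label}: org={enforcement(record)} sub={enforcement(record, subdomain=True)}")
```

A result of "monitor-only" means receivers are asked only to report failures, so a message that fails DMARC is still delivered according to each receiver's local filtering.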