I keep asking myself why they don't start using a more traditional domain in order to avoid these types of errors on the user's side.
For example, this one is still free: exch.services
Which reduces the possibility of making mistakes, or at least is more perceptible to the user.
You have a point and while that might somewhat improve the above situation, a change in the domain extension isn't going to provide any protection against Punycode attacks
[unfortunately]:
e.g. Copy-paste the following link in the Punycode field of this "
converter" and see the result:
xn--xh-mlc3c.services
I hope exch.cx should try to find similar sites that clone their website and report them also.
I found another one that was recently registered
[Whois result]:
https://exch.ac/