The Anticybersquatting Consumer Protection Act (“ACPA”) is a federal statute that creates a civil course of action under intellectual property. Specifically, the statute is for owners of certain marks pursuing civil action against registrants of domain names that can negatively impact those marks and their owners.

To be successful under the ACPA, the owner of the mark must demonstrate that (1) the mark and the domain name are identical or confusingly similar, (2) the mark was distinctive when the domain name was first registered, (3) the trademark’s owner used the mark commercially before the domain name was registered, and (4) the domain registrant acted in bad faith and intended to profit from the trademark’s use.

As of today, the United States Supreme Court has not considered application of the ACPA. However, the ACPA has been looked at by many Circuit Courts across the US. The element often requiring the most analysis by the courts is in determining whether or not the domain registrant acted in bad faith. To aid in this analysis, Congress has included a list of nine factors in the ACPA for the court to consider. It is also noted that the list is not exhaustive and that the courts can consider additional factors they feel demonstrate elements of bad faith.

With all of this in mind, can the ACPA be of any help to you if you have been the victim of a domain theft? The answer, unfortunately, is no. Domain theft, or domain hijacking, is when someone steals your actual domain name, either for their own personal use or to sell it on the market and make a profit. Cybersquatting, which the ACPA specifically deals with, looks at when an individual legally purchases a domain name with the intent of selling it to the owner of the mark for an escalated price or for the purposes of “piggy-backing” off the popularity of the mark.

Sadly, there are still no statutes specific to domain theft, and only minimal case law, leaving this as an area of confusion and uncertainty for many.

For more information about domain name theft, what you can do if you have been a victim of it, and what the ACPA can do for you, contact Revision Legal’s Internet attorneys, specializing in Cybersquatting, through the form on this page or call 855-473-8474.

How ACPA Bad Faith Is Established

Where the ACPA does apply—in genuine cybersquatting cases—the most contested element is whether the domain registrant acted in “bad faith intent to profit” from the mark. Congress provided courts with nine non-exclusive factors for this analysis in 15 U.S.C. § 1125(d)(1)(B)(i). These range from protective factors (does the registrant have prior trademark rights in the name? does the domain contain the registrant’s own legal name?) to inculpatory factors (did the registrant offer to sell the domain to the mark owner for a price exceeding out-of-pocket costs? did the registrant provide false contact information?).

Courts evaluate these factors holistically. No single factor is dispositive. In Virtual Works, Inc. v. Volkswagen of America, Inc., 238 F.3d 264 (4th Cir. 2001), the Fourth Circuit found bad faith where the registrant registered “VW.net” knowing it would be valuable to Volkswagen and then sought to sell it to Volkswagen for $100,000. The court rejected the registrant’s argument that VW also stood for “Virtual Works,” finding that the registrant’s own communications demonstrated an intent to profit from Volkswagen’s mark.

Domain Theft: The Distinction and Why It Matters

Domain theft is fundamentally distinct from cybersquatting, and understanding the distinction determines which legal remedies are available to you. Cybersquatting involves a third party legitimately registering a domain name that incorporates your mark with bad faith intent to profit. Domain theft involves someone unlawfully transferring or hijacking a domain name that you legitimately own—typically through credential theft, social engineering of registrar staff, or unauthorized use of transfer authorization codes.

The ACPA focuses on the registration and use of domain names by registrants acting in bad faith. It is not designed to address unauthorized transfers. A domain thief who steals your domain is not a “registrant” within the meaning of the ACPA—they are a thief. The appropriate legal framework for domain theft draws from computer fraud law (the CFAA, 18 U.S.C. § 1030), conversion under state law, and injunctive relief through federal equity jurisdiction.

Immediate Steps After Domain Theft

If your domain has been stolen, time is critical. The longer you wait, the greater the risk that the domain will be transferred again to a third party who may qualify as a bona fide purchaser for value—a status that complicates recovery significantly. The immediate steps should be:

• File an emergency fraud report with your registrar documenting the unauthorized transfer with all available evidence
• Request a domain transfer lock at the registry level to prevent further transfers while the dispute is pending
• File a complaint with ICANN’s Compliance department if the registrar fails to respond within 24-48 hours
• Report the theft to the FBI’s Internet Crime Complaint Center (IC3) — criminal referrals sometimes prompt faster cooperation from registrars
• Consult an attorney immediately about seeking a temporary restraining order from a federal court to freeze the domain registration while litigation proceeds

ACPA’s In Rem Jurisdiction as a Tool

Even where the ACPA’s primary provisions do not apply to domain theft, the in rem jurisdiction provision under § 1125(d)(2) can sometimes be used creatively. If you can demonstrate that a domain name incorporating your trademark was transferred to an unknown or unlocatable party, the in rem mechanism allows you to sue the domain name itself in the judicial district where the registrar or registry is located and seek an order transferring the domain back to you. This approach requires trademark rights in the relevant name, which is another reason why federal trademark registration is valuable—it provides the standing to bring an in rem ACPA action even where personal jurisdiction over the thief cannot be established.

If you have been the victim of domain theft or cybersquatting, contact the internet law attorneys at Revision Legal at 855-473-8474 or complete the contact form on this page. We handle ACPA litigation, domain recovery proceedings, and injunctive relief actions for both trademark holders and domain registrants.

Protecting Your Domain Before Theft Occurs

The most effective response to domain theft is prevention. Domain owners should implement the following security measures as standard practice: enable domain locking at both the registrar and registry level—registry locks (also called “thick locks”) require a phone call to a designated contact before any transfer or modification can be processed; use a dedicated email address for domain registrar communications that is not widely shared or used for other purposes; enable two-factor authentication on all registrar accounts; keep WHOIS administrative contact information current, since transfer authorization codes are sent to the email address on file; and monitor your domain’s WHOIS record periodically for unauthorized changes using automated WHOIS monitoring services.

If your domain is business-critical—as most company domains are—it is worth the modest cost of registrar-level and registry-level security upgrades. The cost of recovering a stolen domain, if recovery is possible at all, will far exceed the cost of these preventive measures. For advice on domain portfolio security or to respond to a domain theft emergency, contact Revision Legal at 855-473-8474.