Domain Name Theft: How to Get Your Domain Back

Revision Legal’s attorneys are experts in resolving domain name theft issues. Domain names, much like personal property, can be stolen, whether through the hacking of an email account or traditional means, such as fraud and social engineering. Our attorneys have handled domain name theft matters in state and federal courts around the country and understand the law concerning domain name theft.

If your domain name has been stolen, you may have federal claims, such as under the Computer Fraud and Abuse Act, or state-law claims, such as under the common law doctrine of conversion or state hacking statutes. If your domains have been stolen, contact Revision Legal today.

How Domain Name Theft Happens

Domain name theft—also called domain hijacking or domain name fraud—occurs when a third party unlawfully takes control of a domain name without the owner’s authorization. It is more common than most business owners realize, and it can happen through several methods:

• Email account compromise: Most registrar accounts can be accessed and transferred through a connected email address. If a thief gains access to your email account, they can initiate a domain transfer and complete it before you realize what has happened.
• Social engineering: Thieves contact registrars posing as the legitimate domain owner, using publicly available WHOIS data to answer verification questions and trick the registrar into initiating an unauthorized transfer.
• Phishing: Fraudulent emails that mimic your registrar prompt you to enter your login credentials on a fake website, giving the attacker your username and password.
• Registrar exploitation: Internal actors at a registrar or vulnerabilities in a registrar’s security protocols may be exploited to initiate unauthorized transfers.
• Expired domain poaching: When a domain registration lapses due to missed renewal notices—sometimes diverted by an attacker—a third party registers the domain the moment it becomes available.

Federal Legal Claims for Domain Name Theft

Several federal statutes provide remedies for domain name theft. The most commonly used are:

Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030

The CFAA creates civil and criminal liability for unauthorized access to computers and computer systems. When a domain is stolen by hacking an email account or exploiting a registrar’s systems, the perpetrator has accessed a “protected computer” without authorization within the meaning of the statute. Civil plaintiffs under the CFAA may recover damages and obtain injunctive relief. Courts have awarded CFAA damages in domain theft cases where the attacker accessed registrar accounts without authorization to redirect or transfer domain names.

Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d)

While the ACPA is primarily directed at cybersquatters who register domain names in bad faith to profit from the goodwill of an established trademark, it also provides a remedy for reverse domain name hijacking and domain theft where a trademark is involved. The ACPA allows a trademark owner to recover the domain, statutory damages between $1,000 and $100,000 per domain name, and attorney’s fees in exceptional cases.

Stored Communications Act, 18 U.S.C. § 2701

When domain theft is accomplished through unauthorized access to email or cloud storage, the Stored Communications Act may provide additional civil remedies against the perpetrator.

State Law Claims for Domain Name Theft

In addition to federal claims, domain theft victims frequently have viable state law claims. These include:

• Conversion: Conversion is the common law tort of unlawfully taking or exercising dominion over another person’s personal property. Courts in Michigan and most other states have recognized that domain names are a form of property subject to conversion claims. See Kremen v. Cohen, 337 F.3d 1024 (9th Cir. 2003) (treating a domain name as property for conversion purposes).
• Fraud and misrepresentation: If the theft was accomplished through social engineering or fraudulent representations to a registrar, state fraud claims may lie against the perpetrator.
• Unjust enrichment: Where the thief profits from use or resale of the stolen domain, an unjust enrichment claim allows the legitimate owner to recover those profits.
• State computer crime statutes: Many states, including Michigan under the Michigan Penal Code, MCL § 752.795, criminalize unauthorized access to computers and provide civil remedies for victims.

ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP)

For domain disputes involving trademark rights, the ICANN Uniform Domain Name Dispute Resolution Policy (UDRP) provides a faster and less expensive alternative to litigation. Under the UDRP, a trademark owner can file a complaint with an approved dispute resolution provider such as the World Intellectual Property Organization (WIPO) or the Forum. To prevail under the UDRP, the complainant must prove three elements: (1) the domain name is identical or confusingly similar to a trademark in which the complainant has rights; (2) the registrant has no rights or legitimate interests in the domain name; and (3) the domain name was registered and is being used in bad faith.

UDRP proceedings typically conclude within 60 days, making them significantly faster than federal litigation. If successful, the complainant can obtain transfer or cancellation of the disputed domain name. However, the UDRP does not award monetary damages—if you are seeking damages in addition to domain recovery, federal court litigation may be necessary.

Immediate Steps to Take If Your Domain Has Been Stolen

Time is critical when a domain name has been hijacked. The longer the thief controls your domain, the more damage is done to your business, your email operations, and your customers’ trust. If you believe your domain has been stolen, take these steps immediately:

• Contact your registrar immediately and report the unauthorized transfer. Request that the registrar freeze the domain pending investigation.
• Secure all associated email accounts by changing passwords and enabling two-factor authentication.
• Document everything—save copies of all communications, WHOIS records, transfer confirmations, and any correspondence from the registrar.
• File a complaint with ICANN if the registrar is unresponsive to your transfer dispute.
• Contact an experienced Internet attorney to evaluate your legal options under federal and state law.

If your domain name has been stolen, do not wait. The attorneys at Revision Legal have recovered stolen domain names in state and federal courts across the country and through UDRP proceedings before WIPO and the Forum. Contact us today for a consultation so we can begin the process of recovering what is rightfully yours.

Preventing Future Domain Name Theft

Once your domain has been recovered, implementing preventive measures to reduce the risk of future theft is essential. The most effective preventive measures include: enabling registrar lock on your domain to prevent transfers without explicit authorization; enabling two-factor authentication on both your registrar account and the email account associated with it; setting up domain privacy protection (WHOIS privacy) to limit the personal information available to potential attackers; using a strong, unique password for your registrar account; and setting up renewal reminders well in advance of your domain’s expiration date. Many registrars also offer domain monitoring services that alert you to any changes to your domain’s registration information.

For businesses with domain names that are critical to their operations and brand identity, the cost of implementing these security measures is trivial compared to the cost of recovering a stolen domain through litigation or arbitration. Our attorneys advise clients on domain security best practices and help establish the legal and operational safeguards necessary to protect their digital assets. Contact Revision Legal today if you have concerns about the security of your domain name portfolio.