In recent years, a new form of crime has been emerging, leaving both law enforcement and the judicial system as a whole at a loss for how to approach it and what they can do to prevent it. Domain name theft, otherwise known as domain name hijacking, is the “wrongful taking of control of a domain name from the rightful name holder.” Domain name theft is the result of someone committing fraud, misrepresentation, or impersonation of the actual domain name registrant.
ICANN, the Internet Corporation for Assigned Names and Numbers, published a report in 2005 which analyzed the concept of hijacking and looked at the impact domain name theft is having on original registrants.
Domain name theft can have a detrimental effect on both the finances and the reputation of the affected business. Some of the challenges created by this theft include:
Domain registrars, such as GoDaddy and Internet.bs, are often unable to do anything to help their clients. This is largely due to the three most common ways domain name theft occurs:
When a domain name is stolen, the original registrant has several avenues for recovery. The strength of each remedy depends on how the theft occurred, whether a trademark is involved, and how quickly the victim acts.
ICANN’s Transfer Dispute Resolution Policy (TDRP) provides an administrative remedy specifically for unauthorized inter-registrar transfers — cases where a domain was moved from one registrar to another without the registered name holder’s consent. A TDRP proceeding can result in the domain being transferred back to the original registrar, but it does not address transfers of ownership within the same registrar or changes to the registrant contact information. The TDRP is most useful in the immediate aftermath of a theft before the domain has been moved multiple times or sold to a third party.
If the stolen domain incorporates a trademark owned by the victim, the UDRP provides a faster and cheaper alternative to federal litigation. To prevail under the UDRP, the complainant must establish three elements: (1) the domain name is identical or confusingly similar to a trademark in which the complainant has rights; (2) the respondent has no rights or legitimate interests in the domain; and (3) the domain was registered and is being used in bad faith. If successful, the panel can order the domain transferred or cancelled. UDRP proceedings typically conclude within two months and cost a fraction of federal litigation.
The Anti-Cybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d), provides a federal cause of action against any person who registers, traffics in, or uses a domain name with bad faith intent to profit from the mark of another. Unlike the UDRP, the ACPA provides for damages — statutory damages between $1,000 and $100,000 per domain name, actual damages, attorney’s fees, and injunctive relief. Federal courts can also exercise in rem jurisdiction over the domain name itself when the domain owner is located abroad or cannot be identified, a provision that is particularly useful in international theft cases.
Domain theft may also give rise to state law claims including conversion (the wrongful taking of personal property), fraud, and computer fraud under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The CFAA provides civil remedies for unauthorized access to protected computers — a category that includes registrar account systems — and allows victims to recover damages and injunctive relief. Courts have split on the precise scope of CFAA civil liability, but it remains a viable claim in cases where account credentials were compromised through hacking or phishing.
Registrars are generally reluctant to accept liability for domain theft, and courts have been inconsistent in imposing it. A registrar that processes a transfer without following its own security procedures — such as failing to verify the identity of the person requesting the transfer or failing to honor a transfer lock — may face negligence claims. The standard of care for registrars is evolving as domain names become increasingly valuable assets.
In 2021, the registrar GoDaddy was implicated in a series of domain hijackings involving social engineering attacks on its staff. These incidents illustrate that even robust account-level security can be defeated if the registrar’s internal procedures are vulnerable to social engineering. When pursuing recovery of a stolen domain, it is worth analyzing whether the registrar’s conduct contributed to the theft.
Domain theft is a time-sensitive problem. Once a domain has been transferred to a new registrar, ICANN’s 60-day inter-registrar transfer lock prevents it from being transferred again for 60 days — which can work in your favor if you move quickly. If the thief flips the domain to a third party before you can secure a remedy, recovery becomes substantially more complicated because the new holder may have paid value for the domain without knowledge of the theft.
The first steps after discovering a domain theft are: (1) notify your registrar’s abuse department immediately and document the notification; (2) contact ICANN’s Compliance Department; (3) preserve all records of your ownership — registration confirmations, WHOIS history, screenshots, and correspondence; and (4) consult an internet lawyer to evaluate your recovery options.
If your domain name has been stolen or hijacked, Revision Legal’s internet lawyers can help you pursue recovery through ICANN procedures, UDRP arbitration, or federal litigation. We act quickly and aggressively on domain theft matters because delay has real consequences. Contact us at 855-473-8474 or complete the contact form on this page.
Cybersquatting involves registering domain names in bad faith to profit from others’ trademarks. Here’s an overview of the ACPA and how it protects trademark owners.
Read more about An Overview of Cybersquatting Laws
UDRP proceedings can recover stolen domain names, but they have limitations. Here’s when UDRP is the right tool for domain theft recovery and when other options work better.
Read more about Will UDRP Help You Recover a Stolen Domain?
A Michigan court addressed a novel issue involving cybersquatting and bad faith domain registration. Here’s what the ruling means for domain name dispute resolution.
Read more about Michigan Court Decides Unique Cybersquatting Case