Domain theft, also known as domain hijacking, is the practice of changing a domain name’s registration without the permission of the original registrant. While many may assume that domain hijacking is accomplished through nefarious methods, domain hijackers most commonly acquire a domain owner’s personal information in order to persuade the domain registrar to transfer the domain to the hijacker. Because there are currently no specific international or federal laws that explicitly criminalize domain theft, recovering hijacked domains can often be difficult, time-consuming, and expensive. Safeguarding credentials for the registration account, in particular maintaining secure passwords that are changed periodically, is one of the best steps to avoid domain theft.
One of the most common ways theft happens is where the hijackers either through fraud or hacking the domain owner’s accounts gains access to the registration account and simply transfers ownership of the domain. This often results in the domain registration being transferred to an entity in foreign countries making legal recourse difficult. Another method of domain hijacking is via the hosting or registrar companies as opposed to through the domain owner’s systems. In this method, the hijackers may stop or cancel a customer’s payment to renew the registration so that the registration expires and is obtained by the hijacker. Hijackers may even fraudulently enter whois-data to access the domain registration account.
Responding to domain theft can be difficult. For domains that have trademark protection, a trademark infringement lawsuit or claims for violation of the Anti-Cybersquatting Consumer Protection Act (ACPA) are a possibility. The domain owner may also employ a domain name dispute proceeding under ICANN or UDRP. These proceedings are typically less expensive than a trademark infringement/ACPA lawsuit filed in federal court.
In other cases, the domain owner may have to pay a blackmail or ransom payment to obtain the registration back. Other times, registration information can be simply returned to its original state by the current registrar. Finally, if the domain account credentials have been comprised by an ex-employee or disgruntled vendor, a lawsuit seeking injunctive relief may be the quickest path to recovery. Texas is one of the few states that allows for pre-suit depositions. If an ex-employee, vendor, or other known person is suspected of theft, filing for a pre-suit deposition may be the best option. Because of the difficulties in enforcing US laws in foreign countries, obtaining injunctive relief to prevent transfer of the registration to a foreign entity or registrar is very important. Ideally, the account and registration is frozen until the court can determine how to resolve the dispute.
If domain theft occurs, an Internet attorney experienced in domain theft or hijacking as well as trademark law is likely the best starting point.