Domain theft, also known as domain hijacking, is the practice of changing a domain name’s registration without the permission of the original registrant. While many may assume that domain hijacking is accomplished through nefarious methods, domain hijackers often acquire the domain owner’s personal information to persuade the domain registrar to transfer the domain to the hijacker. Because there are currently no specific international or federal laws that explicitly criminalize domain theft, recovery of hijacked domains can often be difficult, time consuming, and expensive. Safeguarding account registration credentials, particularly by maintaining strong passwords that are changed regularly, is one of the best steps to prevent domain theft.
One of the most common ways that theft occurs is when hijackers, either through fraud or by hacking into the domain owner’s accounts, gain access to the registrar account and simply transfer ownership of the domain. This often results in the domain registration being transferred to an entity in foreign countries, making legal recourse difficult. Another method of domain hijacking is through hosting or registry companies rather than through the domain owner’s systems. In this method, the hijackers can stop or cancel a customer’s payment to renew the registration so that the registration expires and the hijacker gets it. Hijackers can even fraudulently enter whois data to gain access to the domain registration account.
Responding to domain theft can be difficult. For domains that have trademark protection, there is the possibility of a trademark infringement lawsuit or claims for violation of the Anti-Cybersquatting Consumer Protection Act (ACPA). The domain owner may also employ a domain name dispute procedure under ICANN or UDRP. These proceedings are typically less expensive than an ACPA/trademark infringement lawsuit filed in federal court.
In other cases, the domain owner may have to pay a blackmail or ransom payment to get the registration back. Other times, the current registrar may simply return the registration information to its original state. Finally, if a disgruntled former employee or vendor misunderstood the domain account credentials, a lawsuit seeking injunctive relief may be the quickest path to recovery. Texas is one of the few states that allows pre-suit statements. If a former employee, vendor, or other known person is suspected of committing theft, filing a pre-suit statement may be your best option. Due to the difficulties in enforcing US laws in foreign countries, it is very important to obtain injunctive relief to prevent the transfer of the registration to a foreign entity or registrar. Ideally, the account and registration are frozen until the court can determine how to resolve the dispute.
If domain theft occurs, an Internet lawyer with experience in domain theft or hijacking, as well as trademark law, is probably the best place to start.