Domain theft, also known as domain hijacking, is the practice of changing the registration of a domain name without the permission of the original registrant. While many may assume that domain hijacking is accomplished through nefarious methods, domain hijackers commonly acquire the domain owner’s personal information to persuade the domain registrar to transfer the domain to the hijacker. Since there are currently no specific international or federal laws that explicitly criminalize domain theft, recovering hijacked domains can often be difficult, time-consuming, and costly. Protecting your registration account credentials, in particular maintaining strong passwords that are changed periodically, is one of the best steps to prevent domain theft.

One of the most common ways that theft occurs is when hijackers, either through fraud or hacking into the domain owner’s accounts, gain access to the registry account and simply transfer ownership of the domain. This often results in the domain registration being transferred to an entity in foreign countries, making legal recourse difficult. Another method of domain hijacking is through hosting companies or registrars rather than through the domain owner’s systems. In this method, hijackers can stop or cancel a customer’s payment to renew the registration so that the registration expires and is obtained by the hijacker. Hijackers can even fraudulently enter whois data to access the domain registration account.

Responding to domain theft can be tricky. For domains that have trademark protection, a lawsuit for trademark infringement or claims for violation of the Consumer Protection Anti-Cybersquatting Act (ACPA) is a possibility. The domain owner can also resort to a domain name dispute procedure under ICANN or UDRP. These procedures are typically less expensive than a trademark / ACPA lawsuit filed in federal court.

In other cases, the domain owner may have to pay blackmail or a ransom to get the registration back. Other times, the current registrar can simply return the registration information to its original state. Finally, if the domain account credentials have been composed by a disgruntled former employee or vendor, a lawsuit seeking injunctions may be the quickest path to recovery. Texas is one of the few states that allows pre-lawsuit depositions. If a former employee, vendor, or other known person is suspected of theft, your best option may be to file a pre-lawsuit statement. Due to difficulties in enforcing US laws in foreign countries, it is very important to obtain injunctive relief to avoid transferring the record to a foreign entity or registrar. Ideally, the account and registry are frozen until the court can determine how to resolve the dispute.

If domain theft does occur, an Internet attorney with experience in domain theft or hijacking, as well as trademark law, is probably the best starting point.