So your domain has been stolen. What now?
I was recently contacted by a local entrepreneur, Michael Q, after his internet domain was taken in circumstances similar to my own.
An intruder gained entry to his email account and used that to get enough information to transfer ownership of his domain away from his registrar.
His registrar was "Crazy Domains" (in my case it was 'Go Daddy') and the gaining registrar was a French registrar, bookmyname.com (in my case it was WebNames.ru, a Russian registrar).
Michael and I wrote back and forth a lot over the next few days. I gave him as much advice as I could, and he kept me informed about his progress. On about the fifth day I got the excellent news that he was back in charge of his domain again.
Michael wrote a complete chronology of the incident: How I Lost My Domain Name and How I Got it Back
And here's my own step by step guide to what happens and what to do if your domain is hijacked, based on my experience and Michael's:
Losing and Regaining Your Domain, Step by Step
- Notice a warning in your Gmail account that you've logged in using an unknown means from a distant location. Your spidey senses will begin tingling.
- Check for deleted emails -- find one from your domain registrar, saying you've transferred away from them. This will include details of the gaining registrar.
- Panic and/or freak out completely at this point.
- Check for email rules that automatically delete any emails from the losing or gaining registrar. Take screenshots of those rules, then remove them.
- Secure your Gmail account. Change your password, change all your security questions and answers, change your recovery email address, disable any third-party apps from accessing it, and disable POP and IMAP access. Start using 2-step verification.
- Think about all of the other things you store in your email account. Other passwords in particular. Start the long process of resetting every password you have. Put it in priority order. Use a proper password management system (e.g. Password Safe) so that all passwords are unique, complex and as long as possible.
- Now, and only now, is it time to stop panicking.
- All registrars are ICANN accredited businesses. They must abide by a code of practice, or they will lose their accreditation. One of the rules is that a domain can't hop to a new registrar for another 60 days. So breathe a sigh of relief and realise that you have 60 days to regain control of your domain.
- Contact your registrar and inform them that your domain has been hijacked and moved to the gaining registrar. Tell them it is a "disputed transfer", and that you want to fill out their disputed transfer away form. See if they have one (they should).
- Contact the gaining registrar -- it's their co-operation that will matter the most. Be nice to them. You may need to register at their site, go ahead and do this.
- Tell them your domain was hijacked from the losing registrar and moved to them.
To establish your identity you may need to send them a scanned copy of your identification (driver's license, passport). It's a scary thing to do, but seems to help, so go ahead and do this if they ask for it.
(It may also, for reasons that are beyond the scope of this article, help to send them a photo of yourself with a loaf of bread on your head)
Tell them when you first got the domain and what it was used for. Direct them to the Wayback Machine screenshots of your use. If you don't speak their language you may need to find someone to help translate, or fall back to Google Translate.
- If you receive emails from the thief, take screenshots but do not respond. You have nothing to gain by responding. If however you do respond, I suggest you say some scary cold blooded shit like Liam Neeson's character in Taken. His message was perfectly direct:
I don't know who you are. I don't know what you want. If you are looking for ransom I can tell you I don't have money. But what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my website go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you and I will kill you.
On second thoughts, killing people, and even threatening to kill people, are considered a tad illegal in most jurisdictions. So you might want to write that email and then delete it without sending it. A better tactic is to try and draw out the hijacker. Ideally you'll get him to explicitly ask you to give him money to get your website back. People have used emails like this as part of the evidence they provide to the gaining registrar.
- Once the gaining registrar has established the facts, you should get your domain back. You may not be able to transfer it to the registrar of your choice until the 60 days have elapsed. You may need to wait while they wait for the hijacker to respond to their questions. Naturally the hijacker isn't going to have a very good story, and may simply fail to reply to their questions. But even this takes time. Patience is necessary. Remember you have 60 days.
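For the email-rule check in the list above: Gmail can export your filters as an XML file from its filter settings. The script below is an added example, not part of the original post. It parses such an export and flags any filter that trashes, archives, marks as read or forwards mail matching the registrars. The sample export, the search terms and the addresses in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Actions that hide or leak mail: trash, skip inbox, mark read, forward.
RISKY = {"shouldTrash", "shouldArchive", "shouldMarkAsRead", "forwardTo"}
# Filter criteria in which a registrar name or keyword could appear.
CRITERIA = ("from", "subject", "hasTheWord")
# Assumed search terms: substitute your own losing and gaining registrars.
TERMS = ["crazydomains", "bookmyname", "transfer"]

# Constructed sample in the layout of a Gmail filter export.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='crazydomains.com OR bookmyname.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='domain transfer'/>
    <apps:property name='forwardTo' value='someone@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

def suspicious_filters(xml_text, registrar_terms):
    """Return (criteria, actions) for every filter that hides or forwards
    mail whose criteria mention one of the registrar terms."""
    hits = []
    root = ET.fromstring(xml_text)
    for entry in root.findall("atom:entry", NS):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        criteria = " ".join(props[k] for k in CRITERIA if k in props).lower()
        actions = sorted(a for a in RISKY
                         if props.get(a, "false").lower() != "false")
        if actions and any(t.lower() in criteria for t in registrar_terms):
            hits.append((criteria, actions))
    return hits

if __name__ == "__main__":
    for criteria, actions in suspicious_filters(SAMPLE_EXPORT, TERMS):
        print(f"SUSPICIOUS: [{criteria}] -> {', '.join(actions)}")
```

Anything it flags is a rule to screenshot for your dispute evidence before you delete it.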
That's all I've got. If something like this happens to you, or has happened to you, I wish you the best of luck.