Read ICANN Blogs to stay informed of the latest policymaking activities, regional events, and more.

Documentation is Key to Recovering Hijacked Domain Names

14 April 2016
By Dave Piscitello

In addition to the ICANN Languages, this content is also available in

When victims of domain name hijackings contact our Security Team for guidance, we will ask about the circumstances relating to the attack. We'll ask whether they have contacted their hosting provider, registrar, or law enforcement. We next ask, "do you have any way to demonstrate to your sponsoring registrar that the registration or use of the domain is rightfully yours?"

Sadly, many parties who contact us haven't considered that they will have to prove that the domain is theirs to use. Some parties contact us only after they've already experienced difficulties when they've tried to recover their domain names. They'll ask, "Why is the recovery process so hard?"

In this post, we discuss domain name hijacking or domain registration account hacking and identify documentation that you might use should you or your organization fall victim to either of these attacks.

The Threat Landscape

Domain hijacking, theft, or registration account attacks typically result in one of two types of consequences: (1) the attacker changes DNS configuration, so that name resolution for the domain is performed by a name server not operated by (or for) the victim, or (2) the attacker alters registration contact information and effectively takes control of any domains registered under the compromised account.

In cases where the attackers want to keep the name, domain thieves may alter the registration data (WHOIS) associated with a domain name, because this is the immediate, most accessible "proof." They may alter payment information. They may transfer the domain name to a new registrar: the new registrar will have information about its customer, but may not have any registration activity history. Any of these factors can make the recovery process long and trying.

Recovery Procedures

You should first contact your domain registrar. You can use ICANN's WHOIS service to identify your registrar and the accredited registrar list to obtain additional contact information. Additional information is available at the Domain Name Holders FAQ. In other cases, procedures for resolving domain name disputes are well defined; for example, you can submit a complaint regarding an unauthorized transfer of your domain name to another party, a trademark infringement, or a dispute between you and your registrar.

You will need to provide documentation to registrars or dispute resolution service provider that proves an association existed between you, the complainant (the one who has legitimately registered the domain name) and the hijacked domain name or account, prior to the incident. (Note that the UDRP is a forum for trademark disputes.)

Documentation is Key

Some or all of the following "paper trail" can serve as proof that you have a prior claim to the rights to use a domain name over a party or organization identified as the registrant in a hijacked domain name registration record:

  • A domain history, i.e., copies of registration records that show you or your organization as the registrant of record for the hijacked domain.
  • Billing records or email receipts demonstrating that you or your organization has maintained account currency.
  • System or web logs, or archives illustrating that the hijacked domain name has been associated with content published you have published on a web or other form of hosting site.
  • A history of financial transactions that associate you or your organization with the hijacked domain name. Increasingly, credit cards or bank statements provide purchase details: merchandise– along with the merchant name, business address and contact phone numbers. The hijacked domain name may appear as the merchandise, and the registrar as the merchant name.
  • Telephone directories (Yellow pages), marketing material, etc. that contain advertising that associate the hijacked domain name with your organization.
  • Correspondence from registrars relating to the hijacked domain name; for example, the annual WHOIS reporting notice, renewal notices, notices of DNS change, telephone call records, etc., or generally any correspondence sent or placed to email or postal addresses or telephone numbers of you, your employees or your legal agents.
  • Legal documents, for example, a contract for the sale of a business that contains a clause such as "as a condition of sale, seller agrees that the domain name <hijacked domain name> shall be transferred to buyer".
  • Tax filings, business tax notices, etc. that associate you or your organization with the hijacked domain name.

This list is representative of the type of information that might be useful. Some or perhaps all of these documents might require corroboration from other parties (i.e., credit card companies, tax collectors/IRS etc.) or a notary stamp or equivalent. Presenting these kinds of documentation to the current sponsoring registrar of the hijacked domain may be sufficient to justify a return of the domain or restoration of correct DNS configuration data.

If you haven't prepared for the possibility of a domain hijacking by gathering proofs of your rights to use, we encourage you to do so now.


Dave Piscitello