Domain hijacking

from Wikipedia

Domain hijacking or domain theft is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.[1]

This can be devastating to the original domain name holder, not only financially, since they may have derived commercial income from a website hosted at the domain or conducted business through that domain's e-mail accounts,[2] but also in terms of readership or audience for non-profit or artistic web addresses. After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity such as phishing (where the website is replaced by an identical-looking site that records private information such as log-in passwords), spam, or malware distribution from the perceived "trusted" domain.[3]

Description


Domain hijacking can be done in several ways: generally by gaining unauthorized access to, or exploiting a vulnerability in, the domain name registrar's system; through social engineering; or by getting into the domain owner's email account that is associated with the domain name registration.[4]

A frequent tactic used by domain hijackers is to use acquired personal information about the actual domain owner to impersonate them and persuade the domain registrar to modify the registration information and/or transfer the domain to another registrar, a form of identity theft. Once this has been done, the hijacker has full control of the domain and can use it or sell it to a third party.[citation needed]

Other methods include email vulnerability, vulnerability at the domain-registration level, keyloggers, and phishing sites.[5]

Responses to discovered hijackings vary; sometimes the registration information can be returned to its original state by the current registrar, but this may be more difficult if the domain name was transferred to another registrar, particularly if that registrar resides in another country. If the stolen domain name has been transferred to another registrar, the losing registrar may invoke ICANN's Registrar Transfer Dispute Resolution Policy to seek the return of the domain.[6]

In some cases, the losing registrar for the domain name is not able to regain control over the domain, and the domain name owner may need to pursue legal action to obtain the court ordered return of the domain.[7] In some jurisdictions, police may arrest cybercriminals involved, or prosecutors may file indictments.[8]

Although the legal status of domain hijacking was formerly thought to be unclear,[9] certain U.S. federal courts in particular have begun to accept causes of action seeking the return of stolen domain names.[10] Domain hijacking is analogous to theft, in that the original owner is deprived of the benefits of the domain, but theft traditionally relates to concrete goods such as jewelry and electronics, whereas domain name ownership is stored only in the digital state of the domain name registry, a network of computers. For this reason, court actions seeking the recovery of stolen domain names are most frequently filed in the location of the relevant domain registry.[11] In some cases, victims have pursued recovery of stolen domain names through ICANN's Uniform Domain Name Dispute Resolution Policy (UDRP), but a number of UDRP panels have ruled that the policy is not appropriate for cases involving domain theft. Additionally, police may arrest cybercriminals involved.[8][12][13][14][15]

Notable cases

  • During the dot com boom, there was extensive media coverage of the hijacking of "sex.com".[16]
  • Basketball player Mark Madsen unknowingly bought a "stolen" (or hijacked) domain in an eBay auction.[17]
  • In 2015 Lenovo's website and Google's main search page for Vietnam were briefly hijacked.[18]
  • In early 2021, the domain for programming language Perl was briefly hijacked,[19][20] causing problems for the CPAN system.[citation needed]
  • On August 19, 2024, Fur Affinity's domain was hijacked for over a day, redirecting users to a Washington Post article, then to Kiwi Farms.[21][22]
  • In early 2024, 8,000 domains and 13,000 subdomains of major brands including eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, and The Economist were taken over via a specific form of hijacking called SubdoMailing. This attack focused on spam proliferation and click monetization.[23][24]

Prevention


ICANN imposes a 60-day waiting period between a change in registration information and a transfer to another registrar. This is intended to make domain hijacking more difficult, since a transferred domain is much more difficult to reclaim, and it is more likely that the original registrant will discover the change in that period and alert the registrar. The Extensible Provisioning Protocol (EPP) is used by many TLD registries and relies on an authorization code issued exclusively to the domain registrant as a security measure against unauthorized transfers.[25]

RFCs

  • RFC 3375 - Generic Registry-Registrar Protocol Requirements
  • RFC 3735 - Guidelines for Extending EPP
  • RFC 3915 - Domain Registry Grace Period Mapping (e.g. Add Grace Period, Redemption Grace Period)
  • RFC 4114 - Using EPP for ENUM addresses
  • RFC 5910 - Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP) (obsoletes RFC 4310, DNSSEC)
  • RFC 5730 - Extensible Provisioning Protocol (EPP) (obsoletes RFC 4930, which obsoleted RFC 3730)
  • RFC 5731 - Extensible Provisioning Protocol (EPP) Domain Name Mapping (obsoletes RFC 4931)
  • RFC 5732 - Extensible Provisioning Protocol (EPP) Host Mapping (obsoletes RFC 4932)
  • RFC 5733 - Extensible Provisioning Protocol (EPP) Contact Mapping (obsoletes RFC 4933)
  • RFC 5734 - Extensible Provisioning Protocol (EPP) Transport over TCP (obsoletes RFC 4934)

from Grokipedia
Domain hijacking, also known as domain theft, refers to the unauthorized acquisition or transfer of control over a domain name from its legitimate registrant to a malicious actor, typically without the owner's consent or knowledge.[1] This process often involves exploiting weaknesses in domain registrars, DNS configurations, or user credentials, allowing the hijacker to redirect traffic, impersonate the original site, or monetize the domain for illicit purposes.[2]

The mechanics of domain hijacking generally begin with gaining access to the domain registrar account, where attackers may alter WHOIS contact information, transfer the domain to a new registrar, or modify DNS records to point to malicious servers.[3] Common methods include social engineering attacks such as phishing emails that trick registrants into revealing login credentials, exploiting expired or lapsed domain renewals, or breaching registrar systems through vulnerabilities like weak authentication.[1] In some cases, attackers compromise email accounts linked to domain recovery processes, enabling password resets and unauthorized transfers.[2] These tactics have evolved with the growth of the domain ecosystem, which includes thousands of accredited registrars overseen by organizations like ICANN.[1]

The impacts of domain hijacking are profound, encompassing financial losses from disrupted services, reputational harm through phishing or malware distribution, and potential regulatory violations for affected businesses.[3] Notable incidents illustrate its scale: in 2024, over 70,000 domains were hijacked in "Sitting Ducks" campaigns due to DNS providers' failure to verify ownership during transfers, enabling widespread abuse for spam and fraud.[4] Earlier high-profile cases include the hijacking of sex.com in the late 1990s, which led to a $65 million court judgment against the perpetrator, and 2015 breaches affecting domains of Google and Lenovo Vietnam.[2] More recently, in May 2025, the threat actor Hazy Hawk exploited DNS misconfigurations to hijack subdomains of the CDC and Deloitte, redirecting users to scam sites laden with malware.[5]

Prevention relies on robust security practices, such as enabling two-factor authentication (2FA) on registrar accounts, implementing domain and registry locks to block unauthorized transfers, and utilizing ICANN's inter-registrar transfer lock periods.[2] Registrants should also employ WHOIS privacy services to obscure contact details, monitor domain status regularly, and use strong, unique passwords while keeping renewal information current to avoid expiration exploits.[1] Advanced measures like DNSSEC (DNS Security Extensions) further protect against record tampering, though adoption remains inconsistent across the industry.[1] Despite these defenses, the decentralized nature of domain management continues to pose challenges, underscoring the need for ongoing vigilance and registrar accountability.[3]

Definition and Background

Definition

Domain hijacking, also known as domain theft, refers to the unauthorized transfer or seizure of control over a domain name registration from its legitimate owner to an attacker, typically by exploiting vulnerabilities in domain registrar systems or compromising owner credentials.[3][2] This form of cyberattack allows the perpetrator to alter the domain's configuration, redirecting traffic or repurposing the domain for malicious purposes without the owner's consent.[6] Key elements of domain hijacking include manipulation of the Domain Name System (DNS) to redirect user traffic, alteration of WHOIS records to reflect false ownership details, or direct compromise of the registrar account, often leading to outcomes such as website defacement, redirection to phishing sites, or exploitation for financial gain through ransomware or fraudulent transactions.[7][1][8] These actions disrupt the legitimate owner's control over associated online assets, including websites, email services, and subdomains, potentially causing significant reputational and economic harm.[9][10]

Unlike domain squatting, which involves the preemptive registration of desirable or trademarked domain names by third parties for resale or extortion, or typosquatting, where attackers register slight misspellings of popular domains to intercept traffic, domain hijacking specifically targets domains that are already registered and owned by victims.[11][12] This distinction underscores hijacking's focus on illicit takeover of established assets rather than opportunistic new registrations.[13]

In a typical process, the attacker first gains unauthorized access to the domain owner's registrar account (often through phishing, weak passwords, or social engineering), then modifies critical settings such as nameservers, administrative contacts, or ownership details to redirect DNS resolution or initiate a domain transfer.[14][15] This enables full control over the domain's resolution and associated services, allowing the attacker to host malicious content or monetize the hijacked asset until recovery efforts intervene.[16]

Historical Development

Domain hijacking emerged in the mid-1990s with the commercialization of domain name registrations, initially monopolized by Network Solutions as the sole registrar for .com, .net, and .org top-level domains under U.S. government oversight. Early systems lacked robust security protocols, relying on minimal verification of registrant identity, which enabled fraudulent transfers through forged documents or spoofed communications. The first prominent case occurred around 1995, when Stephen Cohen illicitly transferred the valuable sex.com domain from its owner, Gary Kremen, by submitting a falsified letter to Network Solutions claiming Kremen had abandoned the registration; Cohen profited millions from the domain before a court ordered its return in 2001, establishing domains as transferable property susceptible to theft.[16][17]

To address escalating vulnerabilities, ICANN formalized the Inter-Registrar Transfer Policy in 2003 following recommendations from its Transfer Task Force, with full implementation by November 2004. This policy standardized procedures for moving domains between accredited registrars, mandating tools like the EPP authorization code for secure transfers and prohibiting registrars from unreasonably denying requests. By enhancing authentication and reducing reliance on insecure email confirmations, it aimed to curb unauthorized hijackings amid the proliferation of competitive registrars after the end of Network Solutions' monopoly.[18][19]

Incidents proliferated after 2005, as detailed in ICANN's Security and Stability Advisory Committee (SSAC) report, which analyzed cases exploiting WHOIS data inaccuracies and weak transfer validations, often for resale or extortion. The phenomenon shifted from opportunistic exploits targeting lax registrars to deliberate attacks on high-value assets like brand and government domains, fueled by the internet's expansion and rising domain valuations.

In the 2010s, this evolution intensified with cryptocurrency's emergence, enabling anonymous monetization; attackers hijacked domains to redirect traffic for crypto theft, as in a 2018 DNS manipulation stealing over $400,000 in Stellar Lumen tokens. Concurrently, ransomware integration grew, with compromised domains used to host malicious payloads or demand payments. Global domain registrations ballooned from under 10 million in the late 1990s to more than 362 million by 2021, reaching 378.5 million as of September 2025 (Q3 2025), heightening exposure and contributing to a marked uptick in reported hijackings, from isolated early-2000s cases to broader trends tracked in ICANN and registrar security assessments.[20][21][22][23]

Mechanisms of Domain Hijacking

Technical Methods

Domain hijacking exploits various technical vulnerabilities in the domain name system (DNS) infrastructure, registrar operations, and related protocols, allowing attackers to gain unauthorized control over domain registrations without necessarily relying on direct human interaction. These methods target weaknesses in authentication, data management, and transfer mechanisms that underpin domain ownership and resolution.[20]

Registrar account compromise represents a primary technical vector, where attackers exploit weak passwords, absence of two-factor authentication (2FA), or vulnerabilities in application programming interfaces (APIs) to achieve unauthorized logins and initiate domain transfers. Weak passwords enable brute-force or dictionary attacks on registrar portals, while the lack of 2FA allows credential reuse from breached sources to suffice for access. API vulnerabilities, such as insufficient input validation or exposed endpoints, permit automated exploitation, enabling attackers to script changes to domain settings without manual intervention. Once inside, attackers can update registrant details or request transfers, often bypassing basic verification if multi-step authentication is not enforced.[2][24][20]

DNS manipulation involves altering nameserver records or exploiting access to zone files, redirecting traffic to attacker-controlled servers and disrupting legitimate services. Attackers with compromised registrar access can modify nameserver (NS) records to point to malicious DNS servers, effectively hijacking resolution for the domain. Zone file access, if inadequately secured at the registrar or registry level, allows direct edits to resource records like A, MX, or CNAME entries. DNSSEC misconfigurations, such as unsigned zones or improper key management, fail to validate record authenticity, enabling undetected alterations that persist until detected through monitoring. These exploits leverage the distributed nature of DNS, where changes propagate quickly across resolvers. A specific variant is subdomain takeover, where dangling DNS records point to decommissioned third-party services (e.g., unused AWS S3 buckets or Heroku apps), allowing attackers to claim those services and control the subdomain without altering the parent domain's registration. This method has been used in campaigns as recent as 2025.[1][25][20][6][5]

WHOIS data exploits capitalize on outdated or falsified registrant contact information to circumvent registrar verification processes during administrative actions. Publicly accessible WHOIS records containing obsolete email addresses or phone numbers prevent timely notifications to owners about pending changes, allowing attackers to approve transfers or updates in their stead. Falsified data, if inserted via prior compromises, can impersonate the registrant during verification loops, exploiting registrars' reliance on self-reported details without robust identity checks. This method thrives on the lag in updating WHOIS after personnel changes or mergers, creating windows for unauthorized interventions. Another related exploit involves domain expiration, where attackers monitor soon-to-expire domains and register them immediately upon lapse, hijacking valuable names if auto-renewal fails or notifications are missed. As of 2025, this remains a significant risk for high-value domains.[26][20][1][27]

Abuse of transfer protocols, particularly the Extensible Provisioning Protocol (EPP), facilitates unauthorized domain moves between registrars through lock bypass techniques and interface manipulations. EPP, used for inter-registrar transfers, requires an authorization code (authInfo) that, if weakly generated or reused across domains, can be guessed or extracted to initiate transfers. Attackers exploit registrar interfaces via vulnerabilities such as insufficient input validation to manipulate transfer requests, or by bypassing clientTransferProhibited locks if not properly enforced at the registry level. These vulnerabilities stem from inconsistent implementation of EPP status codes, allowing pending transfers to proceed without final confirmation from the original registrant.[20][28][1]

Advanced persistent threats (APTs) employ malware to target endpoint devices of domain administrators, stealing credentials for sustained access to registrar and DNS systems. Keyloggers or credential-dumping tools, deployed via drive-by downloads or supply chain compromises, capture login details during routine management tasks. Once obtained, these credentials enable persistent modifications, such as repeated DNS tweaks or transfer attempts, often evading detection through rootkit-like evasion. Groups like APT1 have historically hijacked domains to support broader infrastructure compromises, highlighting the role of malware in amplifying technical exploits.[6][29]
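The DNS-side vectors above (rogue NS records and dangling CNAMEs open to subdomain takeover) are the ones a zone owner can audit directly. The following is an added example, not code from the article; the zone, the expected nameserver set, the list of claimable service suffixes and the offline answer table are all constructed for a hypothetical example.com.

```python
"""Zone audit for two of the vectors described above: dangling CNAMEs that
leave a subdomain open to takeover, and apex NS records that no longer
match the set the registrant expects. Added example, not from the article;
the zone, the expected nameservers and the offline answer table are all
constructed for the hypothetical example.com."""
from dataclasses import dataclass

# Constructed zone records as (owner name, type, target/value).
ZONE = [
    ("example.com.", "NS", "ns1.example-dns.net."),
    ("example.com.", "NS", "ns-rogue.example.org."),      # not ours
    ("www.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("old-blog.example.com.", "CNAME", "retired-app.herokuapp.com."),
    ("assets.example.com.", "CNAME", "assets-bucket.s3.amazonaws.com."),
    ("mail.example.com.", "A", "203.0.113.10"),
]

# Nameservers the registrant configured at the registrar (constructed).
EXPECTED_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}

# Offline stand-in for a DNS lookup: names missing from the table are
# treated as NXDOMAIN. A real audit would swap in a resolver library call.
FAKE_ANSWERS = {
    "d111111abcdef8.cloudfront.net.": ["198.51.100.7"],
    "assets-bucket.s3.amazonaws.com.": ["198.51.100.20"],
    # retired-app.herokuapp.com. is absent: the app behind it was deleted.
}

def fake_resolve(name):
    """Return the answer list for name, or None when it does not resolve."""
    return FAKE_ANSWERS.get(name)

# Service suffixes where an unclaimed name can be registered by any customer,
# so a dangling CNAME there is a takeover candidate. Illustrative, not complete.
CLAIMABLE_SUFFIXES = (
    ".herokuapp.com.", ".s3.amazonaws.com.", ".cloudfront.net.",
    ".azurewebsites.net.", ".github.io.",
)

@dataclass(frozen=True)
class Finding:
    severity: str
    record: str
    detail: str

def dangling_cnames(zone, resolve=fake_resolve):
    """Flag CNAMEs whose target no longer resolves."""
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME" or resolve(target) is not None:
            continue
        claimable = target.endswith(CLAIMABLE_SUFFIXES)
        severity = "high" if claimable else "medium"
        why = ("target is on a service where anyone can claim the name"
               if claimable else "target does not resolve")
        findings.append(Finding(severity, name, f"dangling CNAME -> {target}: {why}"))
    return findings

def nameserver_drift(zone, apex, expected=EXPECTED_NS):
    """Compare the apex NS set against what the registrant expects."""
    actual = {t for n, rt, t in zone if rt == "NS" and n == apex}
    findings = [Finding("high", apex, f"unexpected NS {ns}")
                for ns in sorted(actual - expected)]
    findings += [Finding("medium", apex, f"expected NS {ns} missing")
                 for ns in sorted(expected - actual)]
    return findings

def audit_zone(zone, apex, resolve=fake_resolve, expected=EXPECTED_NS):
    """All findings for one zone: takeover candidates first, then NS drift."""
    return dangling_cnames(zone, resolve) + nameserver_drift(zone, apex, expected)

if __name__ == "__main__":
    for f in audit_zone(ZONE, "example.com."):
        print(f"[{f.severity}] {f.record} {f.detail}")
```

Pointing `resolve` at a real lookup turns this into a periodic check; the NS comparison should use the registrar-side delegation as well as the zone, since the two can be changed independently.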

Social Engineering Methods

Social engineering methods in domain hijacking exploit human psychology to deceive individuals into surrendering control over domain registrations, often targeting registrants, registrar staff, or hosting providers. These tactics rely on manipulation rather than technical exploits, preying on trust, urgency, or reciprocity to extract credentials, verification codes, or approvals for unauthorized transfers. According to the Internet Corporation for Assigned Names and Numbers (ICANN) Security and Stability Advisory Committee (SSAC), social engineering has been a primary vector for domain hijacking since at least the early 2000s, enabling attackers to bypass security measures through human error.[3]

Phishing attacks are among the most prevalent social engineering techniques in domain hijacking, where attackers send fraudulent emails masquerading as official communications from domain registrars. These emails often mimic renewal notices, account verification requests, or security alerts, urging recipients to click malicious links that lead to spoofed login pages designed to capture usernames, passwords, and other credentials. For instance, an email might warn of impending domain expiration and direct the user to a fake registrar site to "update" information, resulting in full account compromise and subsequent domain transfer. The SSAC has documented such impersonation phishing as a targeted threat to domain registrants, emphasizing the use of deceptive hyperlinks to redirect victims to attacker-controlled sites.[30] Once credentials are obtained, attackers can initiate transfers or modify domain settings.[1]

Pretexting and impersonation involve attackers fabricating plausible scenarios or assuming false identities to extract sensitive information directly from victims. In domain hijacking contexts, perpetrators may pose as IT support personnel, registrar representatives, or even ICANN officials via phone calls or emails, requesting verification codes, personal details, or approval for administrative changes under the guise of routine maintenance or dispute resolution. This method exploits the victim's willingness to assist trusted authorities, often leading to unauthorized access to registrar accounts. The SSAC identifies impersonation as a core social engineering risk, where attackers convincingly mimic legitimate entities to coerce compliance from registrars or domain owners.[3] Security analyses further note that such tactics have enabled hijackers to convince registrar staff to release domains without proper authentication.[31]

Baiting and quid pro quo tactics lure victims with enticing offers or promises of reciprocal benefits to lower defenses and prompt credential sharing. In domain-related scenarios, attackers might offer fake technical support, discounted renewals, or "free" security audits in exchange for login details or access to domain management portals, capitalizing on the human tendency toward reciprocity. Quid pro quo often involves impersonating a service provider promising to fix a fabricated issue, such as a domain vulnerability, in return for verification. Cybersecurity experts classify these as established social engineering approaches adaptable to domain environments, where the bait leads to account compromise and hijacking.[32]

Insider threats represent a particularly insidious form of social engineering, where attackers bribe, coerce, or otherwise influence employees at registrars, registries, or hosting providers to misuse their privileged access. This could involve financial incentives to approve fraudulent transfers or threats to compel disclosure of customer data, allowing external parties to seize control of domains. The SSAC highlights insiders, whether malicious employees or coerced staff, as a significant risk in domain hijacking, noting that such compromises often occur without triggering automated alerts.[3]

Spear-phishing has evolved as a more sophisticated variant, tailoring attacks to specific domain owners using publicly available WHOIS data for personalization, such as referencing exact registration details or owner names to build credibility. These customized emails heighten the success rate by making the deception appear highly relevant and urgent, often prompting immediate action like credential submission. The SSAC advises that WHOIS-based personalization in phishing directly facilitates domain hijacking by increasing victim compliance.[30] Following successful social engineering, attackers typically alter DNS records to redirect traffic for phishing or other illicit activities.[1]

Notable Incidents

Pre-2010 Cases

One of the earliest prominent domain hijacking incidents occurred in 1995 involving sex.com, registered by entrepreneur Gary Kremen in 1994 through Network Solutions, the then-sole domain registrar.[33] Stephen Michael Cohen, a convicted felon, forged a letter claiming Kremen had abandoned the domain and convinced Network Solutions to transfer control to him without verifying the original registrant's consent.[34] Cohen subsequently monetized the domain through adult content partnerships, generating an estimated $5 to $10 million annually before a 2001 federal court ruling awarded Kremen $65 million in damages and restored ownership after a seven-year legal battle.[35] This case highlighted the vulnerabilities in early registrar processes, which relied on minimal authentication like faxed documents without robust identity checks.[33]

In 1997, Eugene Kashpureff, founder of the rival AlterNIC registry, executed a high-profile DNS-based hijack of internic.net, the official website of Network Solutions.[36] By exploiting BGP routing flaws and altering DNS records, Kashpureff redirected traffic from www.internic.net to his own alternic.net site for nearly two weeks as a protest against Network Solutions' monopoly on .com registrations.[37] The incident disrupted access to domain registration services and exposed the fragility of the internet's core infrastructure, leading to legal action by Network Solutions and FTC scrutiny over consumer deception.[38] Although not a traditional registrar transfer, it underscored early security gaps in DNS management and registrar oversight.[39]

The 2005 hijacking of panix.com exemplified social engineering tactics against registrars. On January 14, 2005, fraudsters impersonated Public Access Networks Corporation (Panix), a New York-based ISP, and contacted reseller Fibranet (affiliated with Melbourne IT) with a forged transfer request using stolen credit card details to pay fees.[40] The domain was transferred to a Canadian registrar, redirecting Panix's email and website services and causing outages for thousands of customers over a U.S. holiday weekend.[41] Panix regained control approximately 40 hours later after providing proof of ownership to ICANN and the registrars involved, but the incident resulted in significant operational disruption and data exposure risks.[20]

Between 2005 and 2008, domain hijackings surged, particularly targeting high-value .com domains for redirection to spam or phishing sites, with notable cases including hushmail.com in April 2005, where attackers used social engineering at Network Solutions to alter DNS records and deface the secure email provider's site.[20] Similar tactics affected domains like hz.com in February 2005 via spoofed authorization emails and eBay.de in September 2004 by a teenager exploiting registrar verification lapses for a prank.[20] During election periods, such as the 2004 and 2008 U.S. campaigns, hijackers increasingly targeted political-related .com domains to redirect traffic to spam operations or disinformation pages, amplifying risks amid heightened online activity.[41] This period saw a proliferation of incidents tied to cybercrime rings using hijacked domains for pharmaceutical spam redirection, as registrars processed thousands of transfers annually without standardized locks.[20]

These pre-2010 cases inflicted substantial financial losses, such as diverted ad revenue in the sex.com hijacking exceeding $100 million over its duration, and operational harms like the Panix outage, which halted services for a major ISP serving academic and business clients.[34] Reputational damage was acute, as seen in Hushmail's defacement, eroding user trust in privacy-focused services.[20] Collectively, they elevated awareness of domain security, prompting early adoption of transfer locks by registrars to prevent unauthorized moves.[20]

Common factors in these incidents included the absence of two-factor authentication (2FA) at registrars, reliance on easily spoofed email or fax verifications, and manual processes lacking real-time registrant notifications.[20] Pre-2010 systems often prioritized speed over security, allowing social engineering exploits where attackers posed as account holders without independent confirmation, as evidenced in the Panix and sex.com cases.[40][33] This era's hijackings typically involved .com domains due to their commercial value, revealing systemic flaws in the WHOIS database and inter-registrar communication protocols.[20]

Post-2010 Cases

In 2013, the Syrian Electronic Army (SEA) compromised the domain registrar Melbourne IT through a spear-phishing attack on an employee, enabling the group to alter DNS records for twitter.co.uk and redirect traffic to a page promoting their cause. Although the primary twitter.com domain remained unaffected due to its separate registration and monitoring, the incident disrupted Twitter's United Kingdom operations for several hours and exposed critical vulnerabilities in registrar authentication processes for high-profile domains.[42] The attack underscored the risks of social engineering targeting third-party providers, prompting Twitter to enhance its domain security protocols and collaborate with registrars on improved verification measures.[43]

A series of domain hijacking incidents targeted UK businesses in 2014, exploiting weaknesses in registrar management consoles and WHOIS data accessibility to facilitate unauthorized transfers and DNS changes. For instance, in February 2014, UK registrar 123-Reg suffered a breach where attackers accessed customer accounts, hijacking hundreds of .co.uk and .org.uk domains and redirecting them to malicious sites distributing ransomware. These attacks relied on stolen credentials obtained via phishing or weak authentication, allowing perpetrators to impersonate owners using publicly available WHOIS information.[44] The wave of thefts affected small and medium-sized enterprises, leading to financial losses from site downtime and cleanup efforts, and drew scrutiny from ICANN, which initiated reviews of global registrar security standards to address systemic flaws in domain transfer protections.[45]

In 2019, attackers hijacked crypto-related domains as part of broader DNS infrastructure campaigns like DNSpionage, which involved state-sponsored actors compromising registrars to redirect traffic for phishing and espionage. Specifically, the Crypto.com domain faced attempted redirection through registrar credential theft, briefly disrupting service access and exposing users to phishing sites mimicking the platform to steal wallet credentials and funds. This incident, part of a global campaign affecting financial and government targets, resulted in temporary outages and heightened risks to user assets, with no direct financial loss reported but significant reputational damage.[46] The event highlighted the vulnerability of cryptocurrency platforms to domain-level attacks, prompting Crypto.com to implement multi-factor authentication for domain management and public warnings on phishing detection.[47]

In 2022, during the Russia-Ukraine conflict, there were reports of Russian-linked actors hijacking Ukrainian government and military domains to redirect users to fake portals for malware delivery and propaganda dissemination. These operations compromised official communications and sowed confusion, with attackers using compromised registrars to alter DNS records and evade detection.[48]

From 2023 to 2025, domain hijackings in the Web3 ecosystem have involved AI-assisted phishing techniques, where attackers craft personalized lures to exploit domain vulnerabilities for credential theft. These attacks often target NFT marketplaces and decentralized finance protocols, redirecting domains to fake sites that siphon assets. The trend reflects the integration of AI with social engineering, increasing the scale of such incidents.[49][50]

In 2024, the "Sitting Ducks" campaigns hijacked over 35,000 domains by exploiting DNS providers' failure to verify ownership during transfers, enabling widespread abuse for spam, fraud, and malware distribution. Attackers targeted expired or lapsed domains from vulnerable providers, redirecting traffic to malicious endpoints and causing significant disruptions for businesses and users.[51]

In May 2025, the threat actor Hazy Hawk exploited DNS misconfigurations to hijack subdomains of the CDC and Deloitte, redirecting users to scam sites laden with malware. This incident highlighted ongoing risks to high-profile organizations from DNS tampering.[5]

Prevention and Mitigation

Best Practices for Registrants

Domain registrants, whether individuals or organizations, play a critical role in safeguarding their assets against hijacking attempts, which often exploit weak access controls or oversight lapses. Implementing robust security measures at the user level can significantly reduce risks from unauthorized transfers or modifications.[52]
Credential Security
To protect registrar accounts, registrants should use strong, unique passwords consisting of at least 14 characters, including a mix of uppercase and lowercase letters, numbers, and symbols, without reusing them across multiple sites. Enabling multi-factor authentication (MFA), such as one-time passwords via mobile devices, adds a vital layer against unauthorized access, as it requires proof of identity beyond just a password. Regularly auditing access logs provided by the registrar helps detect suspicious activity, such as unusual login attempts, allowing for prompt credential rotation if breaches are suspected.[53][52][1]
Domain Locking
Activating transfer locks, often referred to as clientTransferProhibited status, prevents unauthorized domain transfers to another registrar without explicit owner approval. For enhanced protection, registrants can request registry-level locks, such as serverTransferProhibited, which require additional verification steps before any changes. These locks are standard features offered by most registrars and should be enabled by default for high-value domains to block common hijacking vectors like phishing-induced transfers.[3][52][54]
Monitoring Tools
Setting up WHOIS alerts notifies registrants of any changes to domain registration details, such as contact information or status updates, enabling rapid response to potential compromises. DNS change notifications from the registrar or third-party services can flag unauthorized modifications to nameservers or records, while automated expiration reminders prevent opportunistic hijacks via lapsed renewals. Tools like those from DomainTools or WhoisXML API provide comprehensive monitoring for registrant, IP, and nameserver alterations, often with real-time alerts.[52][54][1]
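The lock check and the change monitoring described under Domain Locking and Monitoring Tools can be scripted by the registrant without any vendor service. The following is an added example, not code from the article or from any registrar or monitoring vendor: it compares two snapshots of a domain's registration record, such as a registrant might pull from RDAP or WHOIS on a schedule, and raises alerts for lost transfer locks, nameserver changes, a changed registrant e-mail, a registrar change, and an approaching expiry. The field names and both snapshots are constructed assumptions.

```python
"""Registrant-side monitor for domain registration data.

Added example, not code from the article or from any registrar or monitoring
vendor. It compares two snapshots of a domain's registration record, as a
registrant might pull from RDAP or WHOIS on a schedule, and raises the alerts
the text lists: lost transfer locks, nameserver changes, a changed registrant
e-mail, a registrar change, and an approaching expiry. The field names and both
snapshots are constructed assumptions, not real registry data.
"""
from datetime import date

# EPP status codes that block transfers or updates. The client* codes are set by
# the registrar at the registrant's request, the server* codes by the registry.
LOCK_STATUSES = {
    "clientTransferProhibited",
    "serverTransferProhibited",
    "clientUpdateProhibited",
    "serverUpdateProhibited",
}

# Constructed "before" and "after" snapshots (placeholder values throughout).
OLD_SNAPSHOT = {
    "domain": "example.com",
    "registrar": "Example Registrar, Inc.",
    "status": ["clientTransferProhibited", "clientUpdateProhibited", "serverTransferProhibited"],
    "nameservers": ["ns1.example.net", "ns2.example.net"],
    "registrant_email": "hostmaster@example.com",
    "expires": "2026-03-01",
}
NEW_SNAPSHOT = {
    "domain": "example.com",
    "registrar": "Example Registrar, Inc.",
    "status": ["clientUpdateProhibited"],
    "nameservers": ["ns1.dns-park.invalid", "ns2.dns-park.invalid"],
    "registrant_email": "recovery@mailbox.invalid",
    "expires": "2026-03-01",
}


def check_locks(record):
    """Findings about a single snapshot: is the domain locked against transfer?"""
    findings = []
    statuses = set(record.get("status", []))
    if not statuses & {"clientTransferProhibited", "serverTransferProhibited"}:
        findings.append("no transfer lock set (clientTransferProhibited or serverTransferProhibited)")
    if "serverTransferProhibited" not in statuses:
        findings.append("no registry-level lock; consider requesting serverTransferProhibited")
    return findings


def diff_records(old, new, today, expiry_warning_days=30):
    """Compare two snapshots and return alert strings in the order the checks run."""
    alerts = []
    # 1. A lock that disappeared between polls is the usual prelude to a transfer-out.
    for status in sorted((set(old["status"]) - set(new["status"])) & LOCK_STATUSES):
        alerts.append(f"lock removed: {status}")
    # 2. New nameservers hand the whole zone to whoever runs them.
    if sorted(n.lower() for n in old["nameservers"]) != sorted(n.lower() for n in new["nameservers"]):
        alerts.append(f"nameservers changed: {old['nameservers']} -> {new['nameservers']}")
    # 3. Transfer approvals and password resets go to the registrant e-mail.
    if old["registrant_email"].lower() != new["registrant_email"].lower():
        alerts.append(f"registrant e-mail changed: {old['registrant_email']} -> {new['registrant_email']}")
    # 4. A different registrar means the transfer has already happened.
    if old["registrar"] != new["registrar"]:
        alerts.append(f"registrar changed: {old['registrar']} -> {new['registrar']}")
    # 5. Lapsed renewals are an opportunistic hijack vector; warn well ahead of expiry.
    days_left = (date.fromisoformat(new["expires"]) - today).days
    if days_left <= expiry_warning_days:
        alerts.append(f"domain expires in {days_left} days ({new['expires']})")
    return alerts


def run_example(today=date(2026, 2, 10)):
    """Run the diff on the constructed snapshots; the date is fixed so the result is stable."""
    return diff_records(OLD_SNAPSHOT, NEW_SNAPSHOT, today)


if __name__ == "__main__":
    for finding in check_locks(NEW_SNAPSHOT):
        print("lock check:", finding)
    for alert in run_example():
        print("ALERT:", alert)
```

Run against the constructed snapshots, the script reports both transfer locks removed, the nameserver and registrant e-mail changes, and 19 days to expiry; the registrar field is unchanged, which is the window in which the registrar can still reverse the changes. Wiring the same diff to an RDAP fetch on a daily schedule gives the WHOIS-alert behaviour described above.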
Backup and Recovery
Maintaining off-registrar backups of website content and DNS configurations ensures quick restoration if a hijacking occurs, minimizing downtime and data loss. These backups should be stored offline or in physically separated, encrypted locations with a securely guarded master key to avoid single points of failure. Developing an incident response plan in advance, including steps to contact the registrar and DNS provider for recovery, facilitates coordinated action to regain control and mitigate damage.[53][16]
Education
Training staff to recognize phishing attempts, such as suspicious emails requesting registrar credentials, is essential to counter social engineering tactics that lead to hijacking. Organizations should conduct regular security awareness sessions, drawing from resources like ICANN's global programs on credential management, and perform audits of high-value domains to identify vulnerabilities. Building a culture of cybersecurity vigilance ensures ongoing compliance with best practices, reducing human error as a weak link.[53][55]

Technological and Policy Measures

Registrar enhancements have focused on strengthening account security through the adoption of mandatory two-factor authentication (2FA), as recommended by ICANN's Security and Stability Advisory Committee (SSAC) in advisory reports emphasizing the need for robust authentication to mitigate unauthorized access to registrant accounts.[53] Automated transfer verification processes, mandated under ICANN's Inter-Registrar Transfer Policy, require confirmation via email or SMS to authorize domain transfers, thereby reducing the risk of fraudulent changes by ensuring the account holder's explicit approval.[56] These measures, implemented by major registrars like Verisign since 2022, add layers of protection against account compromise.[57]

The implementation of DNS Security Extensions (DNSSEC) serves as a key technical safeguard, enabling cryptographic signing of DNS records to verify their authenticity and prevent unauthorized modifications to domain zones that could facilitate hijacking.[58] By establishing a chain of trust from the root DNS servers downward, DNSSEC thwarts attacks such as DNS spoofing and cache poisoning, with widespread deployment by registries like those supported by Cloudflare and Microsoft Azure enhancing overall ecosystem resilience.[59] This protocol directly addresses vulnerabilities in the DNS infrastructure that hijackers exploit to redirect traffic.[60]

ICANN policy frameworks support recovery of hijacked domains primarily through contacting the registrar with proof of ownership, such as original registration documentation, to initiate restoration. The Uniform Domain-Name Dispute-Resolution Policy (UDRP) may apply in cases involving bad-faith use following a hijacking. At the registry level, anti-hijack rules such as the mandatory 60-day lock on inter-registrar transfers following registrant contact updates prevent immediate exploitation of compromised accounts.[3][2] These policies, enforced across gTLD registries, promote proactive verification and dispute resolution to restore legitimate ownership swiftly.[3]

Monitoring systems have evolved to include global threat intelligence sharing among registrars and cybersecurity firms, facilitating the early detection of hijacking patterns through collaborative platforms like the Cyber Threat Alliance.[61] AI-driven anomaly detection tools analyze transfer logs for irregularities, such as unusual IP origins or rapid successive changes, enabling automated alerts and blocks on suspicious activities within registrar systems.[62]

Emerging technologies offer advanced protections, such as blockchain-based domain ownership proofs that create immutable, decentralized records to verify legitimacy and resist tampering during disputes or transfers.[63] Zero-knowledge proofs are being integrated into these systems to enable verification of ownership credentials without exposing sensitive registrant data, enhancing privacy in transfer processes.[64]
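The registrar-side checks this section describes, the 60-day transfer lock after a registrant contact change and log analysis for unusual IP origins and rapid successive changes, can be expressed as plain rules before any machine-learning model is involved. The following is an added example and not any registrar's code: it processes a constructed account activity log and reports the three conditions. The log format, the thresholds and every event are assumptions, and "XX" is a placeholder country code.

```python
"""Rule-based review of registrar account activity logs.

Added example, not any registrar's code. It implements, as plain rules, the
checks the text attributes to anomaly-detection tooling (activity from a new
origin, rapid successive sensitive changes) together with the IRTP 60-day lock
after a registrant contact change. The log format, thresholds and every event
below are constructed assumptions; "XX" is a placeholder country code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"contact_update", "lock_removed", "auth_code_requested", "transfer_request"}
IRTP_LOCK_DAYS = 60                   # transfer lock after a registrant contact change
BURST_WINDOW = timedelta(minutes=10)  # window for "rapid successive changes"
BURST_COUNT = 3                       # sensitive actions in the window that trigger a finding

# Constructed sample log: (ISO timestamp, account, action, source IP, country of source IP).
# The country column is assumed to come from a prior geolocation step.
EVENTS = [
    ("2025-06-01T09:00:00", "acct-1001", "login",               "203.0.113.10", "DE"),
    ("2025-06-10T09:05:00", "acct-1001", "login",               "203.0.113.11", "DE"),
    ("2025-06-20T14:00:00", "acct-1001", "contact_update",      "203.0.113.10", "DE"),
    ("2025-07-02T03:12:00", "acct-1001", "login",               "198.51.100.7", "XX"),
    ("2025-07-02T03:13:00", "acct-1001", "contact_update",      "198.51.100.7", "XX"),
    ("2025-07-02T03:15:00", "acct-1001", "lock_removed",        "198.51.100.7", "XX"),
    ("2025-07-02T03:16:00", "acct-1001", "auth_code_requested", "198.51.100.7", "XX"),
    ("2025-07-02T03:20:00", "acct-1001", "transfer_request",    "198.51.100.7", "XX"),
    ("2025-07-03T10:00:00", "acct-2002", "login",               "192.0.2.44",   "US"),
    ("2025-07-03T10:01:00", "acct-2002", "transfer_request",    "192.0.2.44",   "US"),
]


def review(events):
    """Return (account, rule, detail) findings for a chronologically processed log."""
    parsed = sorted((datetime.fromisoformat(ts), acct, action, ip, cc)
                    for ts, acct, action, ip, cc in events)
    findings = []
    seen_countries = defaultdict(set)     # per-account baseline of origin countries
    last_contact_change = {}              # per-account time of the latest contact update
    recent_sensitive = defaultdict(list)  # per-account timestamps of recent sensitive actions

    for ts, acct, action, ip, cc in parsed:
        # Rule 1: first activity from a country absent from the account's own history.
        if seen_countries[acct] and cc not in seen_countries[acct]:
            findings.append((acct, "new_origin", f"{action} from {ip} ({cc}) at {ts.isoformat()}"))
        seen_countries[acct].add(cc)

        if action == "contact_update":
            last_contact_change[acct] = ts

        # Rule 2: IRTP lock. A transfer within 60 days of a contact change must be refused.
        if action == "transfer_request":
            changed = last_contact_change.get(acct)
            if changed is not None and ts - changed < timedelta(days=IRTP_LOCK_DAYS):
                findings.append((acct, "irtp_lock",
                                 f"transfer requested {(ts - changed).days} days after contact change"))

        # Rule 3: burst of sensitive actions inside a short window (flagged once, at the threshold).
        if action in SENSITIVE:
            window = [t for t in recent_sensitive[acct] if ts - t <= BURST_WINDOW] + [ts]
            recent_sensitive[acct] = window
            if len(window) == BURST_COUNT:
                findings.append((acct, "burst", f"{BURST_COUNT} sensitive actions within {BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    for acct, rule, detail in review(EVENTS):
        print(f"{acct:10} {rule:11} {detail}")
```

On the sample log, acct-1001 trips all three rules (a login from a country never seen before, three sensitive changes within four minutes, and a transfer request minutes after a contact update), while the ordinary transfer by acct-2002 produces nothing. The IRTP rule is the one a registrar is contractually obliged to apply; the other two are the kind of signal that would feed an alert or a temporary hold for manual review.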

Governing Laws

Domain hijacking, involving unauthorized access or transfer of domain name registrations, is addressed under various national and international legal frameworks that criminalize unauthorized computer access, data interference, and related fraudulent activities. In the United States, the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, prohibits unauthorized access to protected computers, which can encompass registrar systems used in domain hijacking, with penalties including fines and imprisonment up to 10 years for aggravated offenses. Additionally, the Lanham Act, particularly Section 43(d) added by the Anticybersquatting Consumer Protection Act of 1999 (15 U.S.C. § 1125(d)), targets trademark-related domain hijacks by allowing civil actions against bad-faith registration or use of domain names that dilute or infringe trademarks, providing remedies such as domain transfer and damages.[65]

In the European Union, the Cybercrime Directive (2013/40/EU) harmonizes member states' laws by criminalizing illegal access to information systems (Article 3), which applies to domain hijacking through unauthorized breaches of registrar security measures, with minimum penalties of two years' imprisonment for serious cases.[66] The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) further impacts domain security by restricting public access to personal data in WHOIS databases, requiring registrars to redact registrant information to protect privacy, though this reduces transparency and complicates detection of hijacking attempts or verification of ownership during breaches.[67]

Internationally, the Budapest Convention on Cybercrime (2001), the first treaty addressing cyber offenses, requires signatory states to criminalize illegal access to computer systems (Article 2), covering domain theft as a form of unauthorized entry into registration systems, and facilitates cross-border cooperation through mutual legal assistance.[68]

Domain-specific governance includes ICANN's anti-abuse policies, such as those outlined in the Registrar Accreditation Agreement, which are contractually enforceable against registrars to prevent and mitigate hijacking through requirements for secure transfer processes and rapid response to abuse reports. National variations exist, exemplified by China's Cybersecurity Law (2017), which prohibits unauthorized intrusion into computer information systems (Article 27), treating domain hijacking as a punishable offense under hacking provisions with potential criminal liabilities including detention or imprisonment.[69]

Despite these frameworks, significant gaps persist in extraterritorial enforcement for cross-border domain hijacks, where perpetrators operate across jurisdictions, complicating prosecution due to differing legal standards, evidence collection challenges, and reliance on mutual assistance treaties that often delay or hinder action.[70]

Enforcement and Remedies

Enforcement of laws against domain hijacking typically involves criminal prosecution for severe cases, particularly when hijacking entails fraud, extortion, or violence, with agencies like the FBI's Internet Crime Complaint Center (IC3) playing a central role in investigations. The IC3 receives and triages complaints related to cybercrimes, including unauthorized domain transfers, facilitating coordination with local law enforcement and federal prosecutors under various federal statutes, such as the Computer Fraud and Abuse Act (CFAA). For instance, in a 2019 case, the U.S. Department of Justice, supported by FBI investigations, secured a 14-year prison sentence under 18 U.S.C. § 1951 for a social media influencer who orchestrated a home invasion to force a domain owner to relinquish control of an internet domain at gunpoint, highlighting prosecutions for organized schemes involving physical threats.[71] Europol similarly coordinates international probes into cyber rings, leading to arrests in operations targeting malware distribution and credential theft that often enable domain hijacks, though specific domain-focused arrests are integrated into broader cybercrime takedowns.

Dispute resolution mechanisms provide faster, non-judicial paths for domain recovery, primarily through the Uniform Domain-Name Dispute-Resolution Policy (UDRP) administered by organizations like the World Intellectual Property Organization (WIPO) and the Uniform Rapid Suspension (URS) system for new generic top-level domains (gTLDs). The UDRP allows trademark owners to challenge bad-faith registrations or transfers before independent panels, resulting in domain transfers or cancellations without court involvement; complainant success rates have consistently hovered around 85% since its inception, based on historical WIPO data. The URS, introduced by ICANN in 2013 as a quicker and lower-cost alternative, suspends domains pending further action and achieves similar high success rates, often exceeding 80% for clear-cut abusive cases, enabling rapid reclamation within weeks.

Victims may pursue civil remedies through lawsuits seeking damages under tort theories such as conversion or trespass to chattels, as well as statutory claims under the Anticybersquatting Consumer Protection Act (ACPA), which permits recovery of statutory damages up to $100,000 per domain and attorney's fees for willful violations. Courts can issue preliminary injunctions to seize or lock hijacked domains during litigation, preventing further misuse, as seen in federal cases where plaintiffs successfully halted unauthorized transfers and obtained compensatory awards for lost revenue. These actions provide avenues for financial redress beyond mere domain recovery, though they require proving bad faith and often involve higher costs than administrative processes.

International cooperation is essential for cross-border hijackings, with Interpol issuing Red Notices to facilitate arrests and extraditions in multi-jurisdictional cases, such as those involving overseas registrars or anonymous actors. Operations coordinated by Interpol and partners have led to the seizure of thousands of malicious domains tied to cybercrime networks, though challenges persist in prosecuting attackers using anonymity tools like Tor, which encrypt traffic and obscure identities, complicating attribution and evidence gathering by law enforcement. Despite these hurdles, collaborative efforts through mutual legal assistance treaties have enabled domain freezes and perpetrator identifications in global schemes.

Victim support includes cyber insurance policies that cover losses from domain hijacking, such as business interruption, forensic investigations, and legal fees, with many providers offering first-party coverage for unauthorized access and extortion under broader hacking endorsements. Post-incident protocols emphasize immediate actions like notifying the domain registrar to lock the account, conducting security audits to change credentials and enable two-factor authentication, and filing complaints with ICANN or national authorities to initiate reclamation, often restoring control within days if the hijacker has not yet transferred the domain to a new registrar.

Technical Standards

Relevant RFCs

RFC 2136, published in April 1997 by the Internet Engineering Task Force (IETF), defines the Dynamic Updates mechanism for the Domain Name System (DNS), enabling clients to add, delete, or modify resource records in a zone file without manual intervention by administrators.[72] This standard supports automated management of DNS data, such as IP address changes for dynamic hosts, but relies on optional authentication methods like transaction signatures (TSIG) or secure dynamic updates (as later specified in RFC 3007). Without these safeguards, servers configured to accept unauthenticated updates expose domains to unauthorized alterations, allowing attackers to redirect traffic or spoof records in domain hijacking attacks.[73] Research has identified widespread vulnerabilities in non-secure dynamic update implementations; for example, a 2016 study found 188 unique vulnerable authoritative DNS servers in a random sample of domains and 560 in the Alexa Top 1M, while broader scans in 2017 identified approximately 5,575 susceptible nameservers.[74] Remediation efforts, including registrar notifications, have since reduced this to about 2,072 vulnerable nameservers as of 2022, though risks persist in remaining misconfigured systems.[75]

To counter such vulnerabilities, RFC 4033, RFC 4034, and RFC 4035, all published in March 2005, establish the DNS Security Extensions (DNSSEC) framework, which introduces cryptographic signing of DNS zones to ensure data origin authentication and integrity.[76] Specifically, RFC 4033 outlines the requirements and concepts for a signed zone, including the use of public-key cryptography to validate responses and prevent tampering; RFC 4034 details new resource records like RRSIG (signatures), DNSKEY (public keys), and DS (delegation signer) for chain-of-trust validation; while RFC 4035 specifies protocol modifications for DNSSEC-aware resolvers and servers. By enabling verification of DNS responses against expected signatures, DNSSEC directly mitigates hijacking attempts that involve forging or altering records, such as those exploiting dynamic updates. However, deployment faces significant challenges, including key management complexity, performance overhead from larger response sizes, and the need for coordinated signing across the delegation chain, which has slowed widespread adoption.[77]

RFC 7489, published in March 2015, specifies the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol, which builds on DNS records (SPF, DKIM) to authenticate email sources and provide aggregated reporting on usage and abuse for a domain.[78] Through feedback reports on authentication failures and policy enforcement (e.g., quarantine or reject), DMARC enables domain owners to monitor anomalies indicative of hijacking, such as unauthorized email campaigns from compromised domains, allowing early detection via metrics on sending IP reputations and volume spikes. This reporting mechanism supports broader abuse mitigation efforts, including those tracking domain hijacks used for phishing or spam.[79]

Complementing DNSSEC, RFC 8624, published in August 2019, updates the algorithm implementation requirements and usage guidance to promote agility in cryptographic choices, obsoleting earlier specifications like RFC 6944.[80] It mandates support for mandatory-to-implement algorithms (e.g., RSASHA256 for signing) while allowing rollover to stronger or post-quantum-resistant options, thereby reducing risks from key compromises in hijacking scenarios where attackers might exploit weak or deprecated cryptography to forge signatures. This agility facilitates timely transitions without breaking validation chains, enhancing long-term resilience against evolving threats.[81]

Despite these advancements, the global implementation of these RFCs remains incomplete, limiting their effectiveness against domain hijacking. For instance, DNSSEC adoption is low at the second-level domain, with approximately 5% of .com domains signed as of 2024, due to ongoing barriers like operational complexity and incomplete resolver support. Similarly, non-secure dynamic updates persist in legacy systems, though at reduced levels, and DMARC reporting uptake varies, with many domains lacking policy enforcement, leaving gaps in detection capabilities.[82]
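The unauthenticated RFC 2136 update exposure discussed above comes down to one zone setting on the authoritative server. The fragment below is an added configuration example for a BIND 9 primary zone, not taken from the article or from ISC's documentation; the zone name, key name and secret are placeholders. The two zone blocks are alternatives and would not both appear in one named.conf.

```text
// WEAK: any host that can reach the server may add, delete or rewrite records
// in the zone with an unsigned RFC 2136 UPDATE message.
zone "example.com" {
    type primary;
    file "db.example.com";
    allow-update { any; };
};

// HARDENED: updates must carry a valid TSIG signature made with the shared key,
// and the key may only touch names below the zone apex and the listed types.
key "ddns-key.example.com" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";   // placeholder; generate a real one with tsig-keygen
};

zone "example.com" {
    type primary;
    file "db.example.com";
    update-policy {
        grant ddns-key.example.com zonesub A AAAA TXT;
    };
};
```

BIND's default with neither statement is `allow-update { none; }`, so a zone that was never meant to receive dynamic updates is closed unless someone opened it. Where updates are needed, `update-policy` with a TSIG key is preferable to an IP-based `allow-update` list because source addresses can be spoofed on UDP, and restricting the grant to specific names and types limits what a leaked key could change (the apex NS and SOA records stay out of reach).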
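The chain of trust this section attributes to RFC 4034 rests on one concrete link: the parent zone publishes a DS record whose digest commits to the child's DNSKEY. The following is an added example that illustrates the DS digest and key-tag computations from RFC 4034; it is not code from the article or from any DNS software, and the 64-byte public key is a constructed placeholder rather than a real zone key.

```python
"""DNSSEC chain-of-trust link: does a child zone's DNSKEY match the DS record
the parent publishes for it? Added example illustrating the RFC 4034 DS digest
and key-tag computations; it is not code from the article or from any DNS
software. The public key below is a constructed placeholder, not a real zone key.
"""
import hashlib
import struct


def canonical_wire_name(name):
    """Owner name in canonical wire format: lowercased labels, each length-prefixed, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 section 2.1): Flags (2 bytes) | Protocol (1) | Algorithm (1) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B), valid for every algorithm except the obsolete RSA/MD5 (1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest (RFC 4034 section 5.1.4) with digest type 2: SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(canonical_wire_name(owner) + rdata).hexdigest()


def make_ds(owner, flags, protocol, algorithm, public_key):
    """What the parent zone would publish as the DS record for this child key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def dnskey_matches_ds(owner, flags, protocol, algorithm, public_key, ds):
    """True only if every DS field commits to exactly this DNSKEY. A validator that
    finds no DS matching any of the child's keys treats the child zone as untrusted."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return (ds["digest_type"] == 2
            and ds["algorithm"] == algorithm
            and ds["key_tag"] == key_tag(rdata)
            and ds["digest"].lower() == ds_digest(owner, rdata))


# Constructed KSK: flags 257 (zone key + secure entry point), protocol 3, algorithm 13
# (ECDSA P-256 with SHA-256, 64-byte public key). Placeholder bytes, not a real key.
CHILD_ZONE = "example.com."
KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": bytes(range(64))}
PARENT_DS = make_ds(CHILD_ZONE, **KSK)   # in practice this is fetched from the parent zone

if __name__ == "__main__":
    print("DS:", PARENT_DS)
    print("genuine key accepted:", dnskey_matches_ds(CHILD_ZONE, **KSK, ds=PARENT_DS))
    swapped = dict(KSK, public_key=bytes(64))   # a substituted key, as a tamperer would plant
    print("substituted key accepted:", dnskey_matches_ds(CHILD_ZONE, **swapped, ds=PARENT_DS))
```

The point of the check is what it implies for a hijacker who rewrites a child zone's DNSKEY set: the parent's DS does not change with it, so a validating resolver rejects the substituted key and every RRSIG made with it. That protection holds only where the DS is actually published and resolvers validate, which is why the low second-level signing rate noted above matters.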
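The DMARC gaps named above (domains without policy enforcement, or without reporting) are visible in the `_dmarc` TXT record itself. The following is an added example, not code from the article or from any mail or DNS vendor: it parses a DMARC record as laid out in RFC 7489 and flags a monitoring-only policy, an unprotected subdomain policy, partial enforcement and missing aggregate reporting. All four records are constructed samples.

```python
"""DMARC record review (RFC 7489). Added example, not code from the article or
from any mail or DNS vendor: it parses the _dmarc TXT record and flags settings
that leave a domain without enforcement or without the aggregate reports the
text describes as the early-warning channel. All records below are constructed
samples.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict; reject non-DMARC input."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    return tags


def review_dmarc(txt):
    """Return findings a domain owner should act on; an empty list means the record enforces and reports."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [f"invalid: {exc}"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= missing or invalid: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: monitoring only, mail that fails authentication is still delivered")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains stay unprotected although the organizational domain is enforced")
    pct = tags.get("pct", "100")           # RFC 7489 default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("rua= missing: no aggregate reports, so new sending IPs or volume spikes go unnoticed")
    return findings


# Constructed sample records.
ENFORCING = ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-agg@example.com; "
             "ruf=mailto:dmarc-forensic@example.com; adkim=s; aspf=s")
MONITOR_ONLY = "v=DMARC1; p=none"
PARTIAL = "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc-agg@example.com"
NOT_DMARC = "v=spf1 -all"

if __name__ == "__main__":
    for name, record in [("ENFORCING", ENFORCING), ("MONITOR_ONLY", MONITOR_ONLY),
                         ("PARTIAL", PARTIAL), ("NOT_DMARC", NOT_DMARC)]:
        print(name, review_dmarc(record) or ["ok"])
```

For hijack detection the `rua` finding is the important one: aggregate reports are what tell a domain owner that mail is suddenly being sent for their domain from infrastructure they do not run, which, as the text notes, is often the first outward sign that a domain or its DNS has been taken over.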

ICANN and Registrar Policies

The ICANN Inter-Registrar Transfer Policy, amended in 2008 to clarify denial reasons for transfers and updated in 2017 to strengthen registrant protections, imposes a 60-day lock on domain names following initial registration or changes to registrant contact information, preventing inter-registrar transfers during this period to reduce hijacking risks.[83][84] This lock applies unless the registrant explicitly opts out via a confirmed notification from the registrar.[85] The policy also requires explicit authorization for all transfers, typically through methods like email confirmation to the administrative contact or two-factor authentication, ensuring that only verified requests proceed.[86]

The Registrar Accreditation Agreement (RAA), which binds ICANN-accredited registrars operating in gTLDs, mandates comprehensive security measures to safeguard against unauthorized domain actions.[87] Registrars must perform regular security audits of their operational systems, including financial and data handling processes, with results subject to ICANN verification upon request.[88] Customer verification is required at key points, such as during domain registration, renewal, and transfer initiation, involving steps like email or phone confirmation to validate registrant identity and prevent account compromises.[89] Additionally, the RAA obligates registrars to designate an abuse contact for receiving and investigating reports of potential hijacking or other malicious activities, with requirements to respond within specified timelines and take remedial actions like suspending domains if warranted.[90]

ICANN's WHOIS Accuracy Program, established in 2006 and operationalized in 2007, enforces rules requiring registrars to collect and maintain accurate registrant contact data in the public WHOIS database.[91] Registrars must conduct annual WHOIS data audits, verify information at registration and upon material changes, and correct inaccuracies reported through complaints or monitoring.[92] These measures directly counter social engineering tactics in domain hijacking, where attackers exploit outdated or falsified data to impersonate owners and authorize fraudulent transfers.[89]

In the 2020s, ICANN has incorporated multi-stakeholder input from its Generic Names Supporting Organization (GNSO) and other advisory groups to refine anti-hijacking elements across policies, including enhanced verification in the 2024 RAA amendments addressing DNS abuse such as unauthorized modifications.[93] These updates emphasize proactive registrar responsibilities for detecting and mitigating hijack attempts through improved logging and response protocols.[94] Policies also outline procedures for emergency domain reversions in cases of suspected unauthorized transfers, directing registrars to investigate claims and, where possible, restore original registrant control pending dispute resolution, though ICANN lacks direct authority to mandate reversions.[95]

Compliance with ICANN policies differs markedly between gTLDs, such as .com, which fall under mandatory contractual oversight via the RAA and registry agreements, and ccTLDs, where ICANN's influence is limited to voluntary Accountability Frameworks lacking enforcement teeth.[96] For gTLD registrars, ICANN enforces adherence through its Contractual Compliance program, conducting targeted and random audits to assess policy implementation, with non-compliance leading to notices, corrective plans, and escalation to accreditation suspension or termination.[97] While the RAA does not impose direct monetary fines, ICANN can withhold variable accreditation fees as a sanction and pursue legal remedies for repeated violations.[87]

References
