Immediate Triage
1) Confirm the hijack: check WHOIS, DNS, and the registrar account.
2) Lock down: change passwords, revoke API keys, and enable 2FA.
3) Contact the registrar's fraud desk by phone, because email may be compromised.
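The "confirm hijack" step above, as an added example that is not part of the original page: a Python script that diffs a saved WHOIS record against known-good values and reports registrar, nameserver and lock-status drift. The baseline, the sample WHOIS text and every name in it are constructed, and the field labels assume the common gTLD WHOIS layout.

```python
import re

# Known-good values recorded before the incident (constructed sample).
BASELINE = {
    "registrar": "Example Registrar, Inc.",
    "name_servers": {"ns1.example.net", "ns2.example.net"},
    "required_status": {"clienttransferprohibited"},
}

# Constructed WHOIS output, as it might be saved during evidence collection.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Other Registrar LLC
Updated Date: 2024-01-01T03:12:44Z
Name Server: NS1.UNKNOWN-HOST.TEST
Name Server: NS2.UNKNOWN-HOST.TEST
Domain Status: ok https://icann.org/epp#ok
"""

def parse_whois(text):
    """Collect the fields that change in a hijack; keys repeat, so use lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return {
        "registrar": (fields.get("registrar") or [""])[0],
        "name_servers": {ns.lower().rstrip(".") for ns in fields.get("name server", [])},
        # The status value is "<code> <url>"; keep only the EPP status code.
        "status": {s.split()[0].lower() for s in fields.get("domain status", [])},
    }

def hijack_indicators(current, baseline):
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    if current["registrar"].lower() != baseline["registrar"].lower():
        findings.append(f"registrar changed: {current['registrar']!r}")
    added = current["name_servers"] - baseline["name_servers"]
    if added:
        findings.append("unexpected nameservers: " + ", ".join(sorted(added)))
    missing = baseline["required_status"] - current["status"]
    if missing:
        findings.append("lock status missing: " + ", ".join(sorted(missing)))
    return findings

if __name__ == "__main__":
    for finding in hijack_indicators(parse_whois(SAMPLE_WHOIS), BASELINE):
        print("FINDING:", finding)
```

Keep the raw WHOIS text you feed in alongside the findings, since the unmodified record is what belongs in the evidence file.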
Evidence Collection
Screenshot the current WHOIS record, save the email headers of the unauthorized change confirmation, and export DNS history from a passive DNS database (SecurityTrails). You’ll need this for legal filings.
Registrar Emergency Actions
Most registrars can freeze the domain within 1 hour if you provide photo ID, proof of original payment, and a timeline of events. They may revert the nameservers to your last-good state immediately.
Registry-Level Help
If the domain was transferred to a rogue registrar, petition the registry (Verisign for .com) for a “Transfer Dispute Action.” This requires a notarized statement plus a $375 fee but can reverse the transfer within 5 days.
Legal Routes
File a UDRP complaint if a trademark exists and the domain matches it. For pure ownership disputes without a trademark, use URS (cheaper) or a state court replevin action. Obtain a preliminary injunction to freeze the domain during litigation.
Law Enforcement
If the theft involves forged documents or hacked email, file an FBI IC3 complaint (US) or report to Action Fraud (UK). Include logs, IPs, and Bitcoin addresses; this helps build a criminal case and pressures the registrar.
Recovery Timeline
Registrar freeze: 1-24 hours. Registry dispute: 5-20 days. UDRP: 2-4 months. Civil litigation: 6-18 months. Combine routes: freeze first, UDRP second, lawsuit last.
Negotiation Option
If the thief contacts you for ransom, involve law enforcement before paying. Marking bills or tracing crypto can lead to arrests. A ransom payment may also fund organized crime, which is a legal risk for the payer.
After Recovery
Enable registry lock and 2FA, and renew for 10 years. Transfer to a new registrar with a better security reputation. Document the incident for the insurance claim and update the internal SOP to prevent a repeat.
Insurance Claims
Domain hijack riders cover legal fees, expert witnesses, and lost revenue during the outage. Keep all receipts and hourly logs; insurers require proof of mitigation efforts.