Domain names are the backbone of the internet. Without domain names, we wouldn’t be able to type in a “domain name” into a web browser and visit a website. We wouldn’t have email addresses and be able to send an email to something like “[email protected]”. It would all be a bunch of numbers, IP Addresses, such as 123.45.67.89. We wouldn’t be able to easily remember those numbers typically, and having a unique domain name associated with your website is one reason why we have what is the internet today.
Domain names, especially short, unique domain names or domain names that describe a product, service, a thing, or a concept (we call those entities, people, places, or things), have become valuable over the years, continuing to grow in value. As more and more domain names have become registered, the good ones have become more scarce. So, there is a very big domain name aftermarket, whereas domain names are being sold for hundreds, thousands, and even tens of thousands of dollars on the aftermarket. Domain name registrars like GoDaddy are taking advantage of the aftermarket prices with their own marketplaces, such as DAN.com, Afternic.com, and Auctions.GoDaddy.com where expired domain names at their registrar are auctioned to the highest bidder, 30 days after domain name expires.
The prices of domain names in the domain aftermarket go way beyond the annual renewal fee for the domain names, which can range from $10/year to hundreds or thousands of dollars per year. ICANN, the organization that governs internet domain names, in 2013, released several thousand “New gTLDs”, or domain name extensions, typically with keyword endings, such as .CLUB, .DIAMONDS, .XYZ, .ICU, and others. New extensions are still being released, with several new extensions such as .FOOD and .VANA to be released in March 2024. These extensions, sometimes called endings or TLDs, work the same was as the original extensions (Top Level Domains, TLDs) that a lot are familiar with, .COM, .NET, and .ORG. Some TLDs are priced at an annual renewal fee of $1 per year, while others are priced at several thousand per year.
Because of the value of domain names in the aftermarket, there has been an increase in domain name investors–people buying domain names and then reselling them at a higher price than what they acquired them for. This has proven to be quite a lucrative business for some, as sought-after domain names have been sold for over US $1 million, with many recently being sold for over $100,000 in the past few years.
Domain Name Auctions
GoDaddy, a popular domain name registrar, has recently made changes to the way they deal with their customers’ expired domain names. When a domain name, registered at GoDaddy, expires (the customer does not pay to renew the domain name), then 30 days after the expiration date, the registrar puts it up for sale via their own auction system (Auctions.GoDaddy.com). GoDaddy renews the domain name for 1 year (which costs them less than $1), and puts the domain up for auction. The standard ICANN agreement for domain names that expire typically allows for 90 days until the domain name is released to the public. There’s a grace period (typically 30 days), a redemption period (another 30 days) and then a pending delete period (another 30 days). Then, the domain name “drops” and it’s first-come, first served for registering the domain name. There are several drop-catching services that allow someone to place a “backorder” on a domain name, and the service will attempt to “catch” the domain name for you. However, GoDaddy has found a “loophole” in the standard 90 day period of time, which ultimately was designed by ICANN to protect domain name owners, and give them 90 days to renew the domain name before losing it.
GoDaddy’s policy of auctioning the domain name after only 30 days after expiration is very frustrating to many of their customers, in my opinion. For example, a small business that is selling their products and services on the Wix platform recently lost the domain name. They didn’t know it was gone until the website went down, causing them an immediate loss of revenue. For some unknown reason, they had the domain name set to “auto renew” at GoDaddy, and the “auto renew” failed, according to GoDaddy, whereas the credit card on file was not charged or the charge didn’t go through: so the domain name expired. The website was still up and running during the 30 day “grace” period that GoDaddy allows, but the name servers on the domain name still pointed to Wix’s servers, allowing for the website to still be up and running. On the 30th day the domain name was auctioned off, a new buyer then changed the name servers to something else–and the website went down. It was too little too late at this point, the domain name was sold to someone else, and the business immediately stopped receiving revenue from their website. The business should have renewed the domain name for at least 5 years in advance, which is highly recommended by those who offer and suggest ways to “protect” your domain name. At this point, what’s this small business to do? They can only contact the current registrant and ask to buy the domain name back, which could end up costing them thousands–the current registrant determines the price. But what if the current registrant says no, they won’t sell the domain name? What if it’s a competitor of the business? Filing a UDRP is an option, which is an official domain name dispute. Filing costs are about $1500, and a domain name attorney needs to file the complaint. The going rate for a domain name attorney to file a UDRP complaint is about $3,000 to $5,000 or more.
When a domain name fails to be auto renewed, registrars like GoDaddy end up making money by selling the domain name via their own auction platform. Expired domain names can go for anywhere between $30 to tens of thousands of dollars. If the domain name was used for a business or had a live website on it previously, the domain name could go for well over $10,000, which would go directly into GoDaddy’s pockets.
There’s a whole group of SEOs (search engine optimizers) who are very eager to buy expired domain names that previously housed websites. They look for domain names that have “links” from other websites in order to “acquire” those links, which helps their website or their client’s website rank in the search engine results pages. Some SEOs will redirect the expired domain name (with links) to their own domain name (search engines combine the links from other websites when a website is redirected). Other “black hat” SEOs, those without certain ethics, will literally “steal” the former website’s copyrighted content from the Internet Archive at Archive.org, and put the website back up after purchasing the expired domain name. They may make minor changes to the website so the search engines don’t notice, such as adding links from that website to their own website, which then benefits their website with better positions in the search engine results pages. Some more ‘enterprising’ SEOs may use the expired domain names to build private networks of websites to help influence their main websites’ search engine rankings (the more links a website has from other websites, the better chance that a search engine will rank the website higher in the results). With the ability to use AI to generate hundreds, thousands, or even hundreds of thousands of pages of “good” content, SEOs are ditching the old methods of using scripts and templates to generate pages–they’ve shifted to simply using AI to generate “good” content, and not relying on the old “archive.org” method of stealing content from an older version of a website that may have existed on an expired domain name.
It’s not only the GoDaddy registrar that offers “pre-release” domain names (domain names that were not renewed by its owner and then auctioned before the ICANN 90-day period is up). Network Solutions has a similar program, where they will auction domain names that were not renewed by their customers. Network Solutions, through their Namejet platform, renews the domain name for one year and then puts the domain name up for auction. Those who have “backordered” the domain name, which is free, are put into a private auction amongst everyone who placed a backorder–sometimes 5, 10, or even up to 100 people. Then the highest bidder wins the domain name auction, and pays what they bid one time–the domain name annual renewal fee, about $10/year for a .COM domain name, is an additional cost.
Domain name investors typically watch and participate in the domain name aftermarket auctions, sometimes snatching up expired domain names for pennies as compared to what the domain names are actually worth. The website NameBio.com offers an archive of sorts, reporting on the price of what certain domain names went for at auction, as well as the source of where the domain name was sold. Domain name investors will typically have a “niche” of the type of domain names that they will buy, while others will stick to high-value domain names only. For some “dark” domain name investors, those who lack certain ethics, will purchase domain names that were company names, personal names, and those that they think they could potentially “sell back” to the former owner of the domain name. In the case of one particular artist and painter, the domain name was their own personal name, a very unique name. The domain name expired, as the domain name was supposed to be “auto renewed”. A domain name “investor” purchased the domain name on the domain name aftermarket (through a domain name auction), and proceeded to forward the domain name to a web page full of adult advertisements. The artist felt that doing this was ruining his reputation as an artist, as there were a lot of links and mentions of the artist’s website (on that domain name) out there on the web–and even customers had noticed and let him know there was a problem with his domain name and website. The artist reached out to DNAccess.com, a service that recovers domain names for individuals and businesses. The service reached out to the current domain name owner, the current registrant of the domain name, and quickly heard back. The domain name “investor” and current registrant wanted $8,000 to purchase the domain name, and wouldn’t take any less than $6,000. It’s questionable as to whether or not the current registrant ultimately had rights to the domain name over the artist. The artist could have filed a UDRP domain name dispute and potentially could had won that dispute–but UDRPs take a few weeks to file and get a decision (a UDPR panelist or panelists decide the case). The artist ultimately chose to pay what they described as a “ransom” to get the domain name back.
Stolen Domain Names
Sometimes domain name owners get their domain names stolen. There are a variety of ways that domain name thieves steal domain names. Oftentimes it involves a security issue, whereas the domain name owner has their email (oftentimes Gmail) account accessed without permission. The domain thief then is able to get into the domain registrar account via the email, and they then transfer the domain name to themselves at the same registrar or transfer the domain name out to another registrar. In the cases where an email account was hacked, the domain name registrar usually will claim that they have no liability, and won’t do anything to help recover the domain name.
In some cases, the domain name thief will attempt to “wash” the domain name. For example, one domain name owner’s gmail account was hacked. The domain thief then accessed the domain name registrar account and proceeded to delete the domain name. It then became available to register whereas it expired–and the domain name thief then “purchased” the domain name, seemingly washing the domain name. They then claimed that they “legitimately” acquired the domain name.
In another stolen domain name case, a domain name thief accessed a domain name registrar account without permission and transferred the domain name to another registrar (from a US/Canada-based registrar to a China-based registrar). From eNom to the gName registrar, in China. The domain thief may have had access to the domain owner’s email account, as there were no emails about the transfer of the domain name, which usually are sent by the registrar. The domain name thief listed the domain name for sale at Sedo.com, a popular internationally-known domain name aftermarket. The domain name was listed for sale–despite the fact that the domain name thief had stolen the domain name. After the DNAccess domain name recovery service helped the owner recover their domain name, they attempted to get the Sedo.com listing removed. The domain name owner went through a security process to prove ownership, and the domain name listing was taken down, only to reappear again after a few days, perhaps by the domain name thief. The listing then was ultimately taken down again, but not after additional complaints to Sedo. The domain name had been recovered and returned back to the original registrar–yet gName, the registrar where the domain thief transferred the domain, still lists the domain name for sale, and won’t remove the listing.
Sometimes a domain name registrar allows domain names to be stolen from their registrar. In the case of the domain name Patterns.com, the domain name was stolen from the Network Solutions domain name registrar. The domain had been identified by a stolen domain name recovery service associated with the Epik domain name registrar at the time, as several other domain names were stolen from Network Solutions at the same time. Working with the domain name owner, a software company based in Florida, the domain name was recovered via a UDRP domain name dispute. The company had been operating a website on the domain name for many years, and claimed a common-law trademark. After winning the UDRP, the company agreed to let the Epik domain name registrar try to sell the domain name on the owner’s behalf, sharing in the proceeds of the domain name sale if it were to be sold. A change in leadership at the Epik registrar occurred, and a new CEO falsely decided that the domain name was Epik’s domain name–and subsequently sold the domain name as a part of a large portfolio sale while liquidating a lot of the registrar’s assets. The Epik registrar was sold to another company, Northwest Registered Agents, shortly thereafter. The owner of the Patterns.com domain name, a highly valuable domain name, considers the domain name to have been stolen twice from his company. He has yet to receive any proceeds from the unauthorized “sale” of his domain name.
Sometimes domain names get stolen via social engineering. Domain name registrars have a lot of customers typically, and usually have processes and procedures in place to combat security-related issues. However, there have been several reports in the past of a domain name thief calling a domain name registrar and using “social engineering” to get access to an account at the registrar. Once they gain access to the account, then the domain name is then either transferred to another registrant at the registrar (themselves), or it’s transferred out to another domain name registrar. Let’s look at two different examples of this.
In one case, a non-profit organization, based in Washington D.C., had their domain name stolen. A few years ago, the founder of the organization, a woman, passed away. The organization continued to operate, and was run by the woman’s daughter. Someone called the domain name registrar on the phone and faked that they were the woman. The deceased woman. They were able to verify some information allegedly, and were given access to the account and then domain name. They they transferred the domain name to their own account at the same registrar.
In another case, a domain name registrar was again socially engineered. The customer support representative was convinced to provide the “auth code” to the domain thief. The auth code is literally the “keys to the car” for domain names. If you have the auth code for the domain name, then you can transfer that domain name to any other registrar, and then put your contact details on as the registrant (thus stealing the domain name). One high-value domain name was stolen this way, using social engineering. The domain name was “parked”, just sitting on the domain name owner to sell the domain name or use it for a website. Usually advertisements show up on the domain name when entered into a web browser, and the domain name owner receives money based on the number of “clicks” on the ads. The domain name owner uses a domain name Parking Company to deliver the ads on the domain name, and the domain name parking company shares in that revenue from the ads.
In the case of the high value domain name, the domain name registrar’s customer support gave out the Auth Code of the domain name, the domain name was transferred to the GoDaddy registrar, and then it was sold via GoDaddy within days or a few weeks–making the whole transaction suspect. Domain names, even higher value domain names can take years to sell, and aren’t usually sold within a few days. Nonetheless, a company purchased the domain name from the GoDaddy registrar, and put up a website on the domain name, also hosted by GoDaddy. The domain name owner, who has owned it for several years, has had their domain name stolen, sold, and now a website appears on the domain name. It’s clear that the domain name is stolen, as the domain name owner has been working with the original registrar to get the domain name back. However, the current registrar who profited from selling the stolen domain name, and is profiting by hosting the stolen domain name’s website. Eventually, after several months, the original registrar worked with GoDaddy and the domain name was put back into the owner’s account.
Are there any controls or security checks done by domain name registrars and domain name aftermarket marketplaces to ensure that they’re not selling or profiting from the sale of a stolen domain name? I have checked with several domain name registrars, and while they won’t reveal any “security measures” that they take (which is typical), they continue to profit from the sale and transfer of stolen domain names. They continue to find loopholes in ICANN rules in order to profit from expired domain names, domain auctions, and ways that domain names are sold in their aftermarket marketplaces. How many stolen domain names have been sold in the domain name aftermarket? We may never know, as many domain name owners oftentimes don’t know that their domain name was stolen–they just know that it’s not theirs anymore, and there isn’t any sort of way of reporting the lost domain name.
A Lack of Accountability
Currently, while there are laws in place that would cover “stealing a domain name”, to my knowledge, there aren’t any consequences to stealing domain names. For example, a domain name thief can access a domain name registrar account without permission, or social engineer a registrar’s customer support staff into giving up the “auth codes” (the code that allows you to transfer the domain, the ‘keys’ to the domain so to speak). Those typically would be considered to be cyber crimes. Many of which involve well over $5,000 (a felony), but even most domain name thefts involve domain names worth over $10,000, $50,000 and even over $100,000. But for the domain name thieves, there don’t appear to be any consequences. They won’t get arrested, let alone get convicted or actually serve any jail time for crimes involving a stolen domain name. Stolen domain names frequently are reported to IC3.gov as cyber crimes–and oftentimes police reports are made, as DNAccess.com usually recommends to their new clients that they file a police report to document the theft.
The only recourse that a domain name owner has if their domain name is stolen is to file a lawsuit (which can be expensive, typically costing $10,000 or more), or use the UDRP domain name dispute system to recover the domain name. The UDRP system is only designed around who has the “rights” to a certain domain name. It is not designed to be used for the recovery of stolen domain names. In the case of a “generic” domain name (versus a brand name or a company name), a domain name owner whose domain name was stolen would essentially lose a UDRP domain name dispute, if filed. In the case of ChampionshipRings.com, Dan Cera has owned the domain name for several years, although he has not “developed” the domain name and put up a website. There is no requirement that one put a website on a domain name that you own. Mr. Cera noticed in December 2023 that the domain name was no longer in his account at the Epik domain name registrar. In fact, it had been transferred to another registrar, GoDaddy, who currently hosts a website on the domain name, selling Championship Rings. Even though the domain name was stolen from Mr. Cera sometime in December 2023, Mr. Cera would have to prove that he has the rights to the domain name over the current registrant. This would be difficult for Mr. Cera to prove if he were to file a UDRP, as he would need to typically show the UDRP panelist that he had been using the domain name for a website (in such case he could show he had a common-law trademark) or if he simply owned the trademark for “Championship Rings”, which he does not. If he were to combine the proof of his rights to the domain name with the fact that the domain name was acquired through unlawful means, then he may be successful with the UDRP dispute. However, since the domain name would be considered to be a “generic” domain name rather than a brand, trademark, or company name, then the odds that Mr. Cera would be able to recover the domain name via a UDRP is rather slim. In Mr. Cera’s case, his original domain name’s registrar worked with the other registrar to get the domain name back to Mr. Cera–the details are unknown on the ‘deal’ that was done amongst the registrars, but the domain name, after several months, was put back in Mr. Cera’s account.
That’s just a small overview of all the “shady” things that go on in the domain name industry. Don’t get me wrong, though, there’s a lot of GOOD that goes on in the industry, and in coming months I’ll be highlighting the “Good” and not just the shady things. In fact, I look forward to sharing a lot more stories like this one: Domainer Returns Domain Name to Amazon’s Jeff Bezos (https://www.billhartzer.com/domain-names/exclusive-domainer-returns-domain-name-to-amazons-jeff-bezos/).
And finally, I’ve mentioned before, we all have domain names and of course we want to protect them. You may wish to read about what I recommend you do to protect your domain name. Read my article Minimizing the Risk of Having Your Domain Name Stolen over at DNAccess (https://www.dnaccess.com/blog-minimizing-risk-stolen-domain-name/).