When a Domain Is Stolen, Damage Is Immediate
When a domain name is stolen or transferred without authorization, the damage can be immediate. Websites go offline, business email stops working, and brand trust erodes with every hour the domain remains outside its rightful owner's control. Bill Hartzer provides a structured forensic workflow for domain theft matters and serves as an expert witness in related litigation, drawing on his direct background working within the domain registrar and registry industry.
Recovery is often possible if it is pursued quickly and correctly, but the window narrows the longer a theft goes undocumented. Establishing a clear, dated record of what happened is usually the single most important step, both for any recovery effort and for whatever litigation follows it.
Key Questions in Domain Theft Cases
Domain theft cases tend to turn on a consistent set of questions, regardless of the specific circumstances of the transfer.
- When did the domain transfer occur, and between which registrars?
- Who controlled the registrar account and the contact email address at the time of transfer?
- Were standard security measures — registrar locks, two-factor authentication, registry locks — in place before the transfer?
- Did any party ignore or override a security warning, such as a transfer confirmation email?
- What steps were taken to recover or secure the domain after the theft was discovered?
Forensic Workflow Overview
Answering those questions reliably requires working through a consistent, repeatable process rather than ad hoc investigation, since the records involved come from multiple parties and need to be assembled into a single coherent timeline.
Ownership Records
Collecting WHOIS, RDAP, and historical ownership records to establish the baseline of rightful control.
Registrar Logs
Reviewing registrar logs, email confirmations, and transfer notices where available from the registrar of record.
Transfer Path Mapping
Mapping the domain's path between registrars and accounts to identify exactly where control changed.
Security Gap Analysis
Identifying gaps in security practices and account controls that allowed the transfer to occur.
Documentation Suitable for Court
Bill's workflow focuses on verifiable technical evidence. He explains the sequence of events, highlights the critical decision points, and provides opinions about how industry-standard security practices compare to what occurred in the specific case, in a format suitable for deposition and trial testimony.