Domain Theft

Domain Theft Forensic Workflow

A structured forensic workflow for reconstructing how and when a domain name was stolen or transferred without authorization.

Overview

When a Domain Is Stolen, Damage Is Immediate

When a domain name is stolen or transferred without authorization, the damage can be immediate. Websites go offline, business email stops working, and brand trust erodes with every hour the domain remains outside its rightful owner's control. Bill Hartzer provides a structured forensic workflow for domain theft matters and serves as an expert witness in related litigation, drawing on his direct background working within the domain registrar and registry industry.

Recovery is often possible if it is pursued quickly and correctly, but the window narrows the longer a theft goes undocumented. Establishing a clear, dated record of what happened is usually the single most important step, both for any recovery effort and for whatever litigation follows it.

Key Questions

Key Questions in Domain Theft Cases

Domain theft cases tend to turn on a consistent set of questions, regardless of the specific circumstances of the transfer.

  • When did the domain transfer occur, and between which registrars?
  • Who controlled the registrar account and the contact email address at the time of transfer?
  • Were standard security measures — registrar locks, two-factor authentication, registry locks — in place before the transfer?
  • Did any party ignore or override a security warning, such as a transfer confirmation email?
  • What steps were taken to recover or secure the domain after the theft was discovered?
Forensic Workflow

Forensic Workflow Overview

Answering those questions reliably requires working through a consistent, repeatable process rather than ad hoc investigation, since the records involved come from multiple parties and need to be assembled into a single coherent timeline.

Ownership Records

Collecting WHOIS, RDAP, and historical ownership records to establish the baseline of rightful control.

Registrar Logs

Reviewing registrar logs, email confirmations, and transfer notices where available from the registrar of record.

Transfer Path Mapping

Mapping the domain's path between registrars and accounts to identify exactly where control changed.

Security Gap Analysis

Identifying gaps in security practices and account controls that allowed the transfer to occur.

Reporting

Documentation Suitable for Court

Bill's workflow focuses on verifiable technical evidence. He explains the sequence of events, highlights the critical decision points, and provides opinions about how industry-standard security practices compare to what occurred in the specific case, in a format suitable for deposition and trial testimony.

Related

More Domain Name Topics

Next Step

Discuss This Type of Matter