When Hackers Steal A Web Address, Few Owners Ever Get It Back

09/29/2014 07:33 am ET | Updated Oct 07, 2014

For nearly two decades, Michael Lee owned a prized piece of Internet real estate: the website MLA.com. The three letters stood for his graphic design and advertising business, Michael Lee and Associates, but they also represented an unusual investment opportunity. A short or memorable Internet address can be worth thousands or even millions of dollars. Facebook reportedly paid $8.5 million to buy Fb.com in 2010, while Porn.com went for $9.5 million in 2007.

Lee, 58, bought his domain in 1997 for a modest $600. A domain name appraiser recently valued the website at $47,000. Lee planned to eventually sell MLA.com and use the money as part of his retirement.

That is, until May of last year, when he received shocking news: A hacker had stolen his website, and there was nothing GoDaddy, his domain registrar, could do to get it back.

“That’s when I freaked out,” he said in a recent interview.

Michael Lee's domain name, MLA.com, was stolen last year. He still hasn't got it back.

More than a year later, Lee still hasn’t recovered his website. He has filed a lawsuit against the site’s new owner, a man in Russia named Alexey Kremnev, hoping a judge will return the address to him. Meanwhile, Lee said the theft has damaged both his professional and personal life. He said his business has lost $200,000 in sales since MLA.com was stolen because customers still try to reach him at his old address. The lost revenue has forced him to lay off freelancers, eat fewer meals out and move his family into a less-expensive home. Lee, who has three grandchildren and lives in the Chicago suburbs with his wife of 34 years, said his retirement plans are now on hold.

“A lot of customers have said, ‘I tried to email you and it kept bouncing back, so I gave the job to someone else,’” Lee said in an interview. “I’ve lost a ton of business. I’ve also lost a three-letter domain that I was counting on for my retirement.”

Lee is a victim of domain theft, a scheme in which hackers steal valuable Internet addresses and sell them in online forums or extort their rightful owners. At a time when cyber criminals are targeting banks, retailers and celebrities, domain theft victims suffer a uniquely devastating blow. Many are small business owners who rely on their websites to reach customers online and consider their unique URLs to be expensive property they can sell for a large profit.

Domain theft has been happening since the dawn of the Web. But while the Internet has created a place where small and large businesses can flourish, the law has not evolved to protect people from thieves who hijack their domains. When their websites are stolen, many business owners find they have nowhere to turn to recover them.

Several recent victims interviewed by The Huffington Post said they got little or no help from domain registrars like GoDaddy, Internet.bs or HostMonster. Victims also said they couldn't get help from local law enforcement or the Internet Corporation for Assigned Names and Numbers, known as ICANN, a California-based nonprofit responsible for managing the Internet address system.

Jonathan Askin says domain theft victims have little legal recourse.

In many cases, victims can’t even file a lawsuit to recover their stolen web addresses because most states don’t have laws that recognize domain names as property, said Jonathan Askin, a technology law professor at Brooklyn Law School.

“It’s a serious problem without any legitimate recourse,” Askin said.

As the value of domain names has grown, major companies are taking security more seriously, even hiring third-party firms to guard their web addresses from thieves. Perhaps as a result, reports of domain theft have become somewhat rare. The FBI received 26 reports of domain theft over the past year, according to an FBI spokesman.

But domain hijacking often goes unreported, Askin said. And it's small businesses that are both more vulnerable and more likely to be financially destroyed by the theft. Hackers know small businesses make easy targets because they don’t have the resources or knowledge to secure their domain names, said Leo Taddeo, head of the FBI’s cyber division in New York.

Hackers typically go after websites that are not being used by their owners, who bought the domains either to host websites or to sell them for profit later. So thefts often go unnoticed for months. When victims finally discover what happened, they feel it’s too late to do anything about it, Askin said.

A short, catchy domain name can be worth millions of dollars, making the URLs valuable targets for hackers.

Criminals typically steal domain names by hacking into a victim’s email account. From there, they gain control of a domain -- often without its rightful owner knowing -- by replying to an email sent by the registrar to approve the transfer of the website to the hacker's account.

When that happens, most victims contact the company where they bought their domain name, assuming the registrar can quickly get it back. But that’s not always the case.

Known for its sexually charged Super Bowl ads, GoDaddy is the world’s largest registrar. It boasts of having the widest selection of domain names and mostly sells them for between $10 and $50 a year.

But in the fine print, GoDaddy’s terms of service state that customers are “solely responsible” for keeping their websites secure and the company is not liable for loss due to fraud.

When websites are stolen, GoDaddy spokesman Nick Fuller said the company “does everything in our power to help our customers recover their domain names.”

“GoDaddy has a knowledgeable and experienced team dedicated to handling these situations,” Fuller said in an email. “We employ every avenue available to us in order to return hijacked or disputed domain names.”

GoDaddy said the company’s policies -- such as waiting two months before transferring a domain to someone else -- have protected many customers from thieves who falsely claim their domains were stolen. “In reality, the supposed ‘victim’ in such cases is often really a thief attempting to socially engineer our staff,” Fuller said.

Fuller said the company also offers two-step authentication, which requires customers to enter a PIN code sent to their phones when they log in to their accounts. The security feature is supposed to make it harder for hackers to steal domains because they must also have access to their victims' phones.

Lee said he does not remember GoDaddy offering him the added security feature, and he assumed that he could trust the company to protect his website from hackers.

“The case is pretty clear,” Lee wrote in an email to GoDaddy after he lost MLA.com. “I’ve owned the domain since 1997. I parked [it] with GoDaddy for two years. Someone hacked my account and now it is gone. Your job is to bring it back to where it was.”

But Fuller, the GoDaddy spokesman, said the company can only go so far when a customer's website is stolen because GoDaddy must follow rules created by ICANN. Fuller said GoDaddy could not return MLA.com to Lee because someone had transferred it to Internet.bs, a lesser-known registrar based in the Bahamas, and Internet.bs refused to transfer it back to GoDaddy.

“We have little recourse in this type of situation, and cannot ‘force’ a gaining registrar to return a domain,” Fuller said.

In an emailed statement, Patty Miller, an Internet.bs representative, said the company could not determine the rightful owner of MLA.com because it was allegedly stolen while managed by another registrar and was transferred legally to Internet.bs. Miller said the company was willing to cooperate with any investigation into the matter, but so far the alleged theft of MLA.com “remains unsubstantiated.”

“Our own investigations into the matter have been concluded,” Miller said. “We urge Mr. Lee to pursue his complaint through the proper legal channels.”

In April, Lee’s attorney, Stevan Lieberman, filed a lawsuit, asking a judge to return MLA.com to him. The case is still pending.

Lee’s graphic design and advertising company has four full-time employees and more than 20 clients, including the credit card company Discover. He said it took eight months to build his business back to where it was before his domain name was stolen. He now runs the company from michaellee.com, which he calls “a longer, less-attractive” domain. Visitors to MLA.com are greeted with a default web page that suggests the site’s new owner hasn’t decided what to do with it.

Lee said the episode has been a painful lesson in how easily someone can steal a domain and “totally upset your personal and business life.”

“You have to start over after having spent years building something up,” he said. “It just kind of wipes you out.”

If a registrar like GoDaddy can’t help, domain theft victims have little other recourse. They rarely win lawsuits because courts in most states have ruled that website names are only contracts between customers and domain registrars, and victims can’t sue to get them back. California and Nebraska are just two of a few states where the courts treat domain names as physical property and allow victims to file lawsuits to recover them, according to Askin, the professor at Brooklyn Law School.

Albert Angel convinced prosecutors to charge the hacker who stole his domain name, P2P.com.

Local police don’t provide much help either because they don’t know how to handle such cases, according to Albert Angel, a former Justice Department lawyer. Angel bought the website P2P.com for $160,000 in July 2005 as an investment, but it was stolen from him a year later. He reported the theft to Miami-Dade police, who sent an officer to his door.

“I told the officer that our domain had been stolen,” Angel said in an interview. “He scratched his head and said, ‘OK, what’s a domain?’”

Angel filed a lawsuit against the thief in New Jersey, where Angel believed the thief was living, and gathered enough evidence to convince prosecutors there to pursue a criminal case. They charged Daniel Goncalves, a 25-year-old computer technician living in New Jersey, with stealing P2P.com by hacking Angel’s email account. Goncalves later sold the website for $111,000 to Mark Madsen, a professional basketball player who last played for the Los Angeles Clippers and has also bought and sold domain names.

Madsen was unaware the domain was stolen and later gave P2P.com back to Angel, who has since turned the address into a website that matches people in need of loans with lenders. In 2011, Goncalves pleaded guilty and was sentenced to five years in prison in what is believed to be the only criminal conviction for domain theft.

Legal experts and victims have offered several solutions that, if implemented, could help domain theft victims. They argue that Congress should pass legislation that creates a way for them to get their stolen websites back. ICANN could also change its policies to hold registrars like GoDaddy more accountable when domain names are stolen, they say.

For victims who struggle to reclaim their stolen websites, one blogger has emerged as an unlikely source of help. The blogger, who asked that his name not be used because he feared reprisal from hackers, works as a website designer by day and spends his free time publishing a blog about the domain industry called domaingang.com.

DomainGang.com, run by an anonymous blogger, publishes news on the domain industry. The blogger reported that MLA.com appeared to have been stolen.

In an interview, he said he scours online forums for domain names that appear to be stolen because they are advertised for much less money than they are likely worth. He writes about such cases on his blog and notifies the rightful owners.

“I’ll call them up and say ‘Are you aware that your domain name is up for sale?’ They’ll say, ‘No, I had no idea,’” he said.

The blogger said he wants to help others navigate the confusing, stressful process of recovering a stolen domain because he was once a victim of domain theft himself. A decade ago, hackers found a security hole in the company where he registered a website and stole his domain “just because they could,” he said.

“I don’t want these people to lose their property,” he said. “It’s a big headache for a small business owner who has to go through all these hoops to figure out what’s going on, and then they get resistance from their registrars.”

Jordan Reid was forced to negotiate with a hacker to get her domain name back.

Jordan Reid, a popular lifestyle blogger who writes under a pseudonym, said she was met with such resistance when her website, RamshackleGlam.com, was stolen. She took a less-traveled route to get it back: negotiating with the hacker.

In April, Reid learned that a hacker stole her blog name and tried to sell it for $30,000 on Flippa.com, a marketplace for buying and selling websites. The hacker promised the winning bidder all of Reid’s traffic, files, and data, and said she was available to continue writing posts “for hire.”

Reid said she spent 12 hours a day for the next three days on the phone with HostMonster, where she registered the website name, and GoDaddy, where the hacker had transferred it into a private account. Neither company could return her domain.

So Reid decided to deal with the hacker directly. After they agreed on a price, which she said was less than $30,000, Reid wired the money to the hacker through an account with Escrow.com, a third-party money-transfer website.

Three days after her domain had been stolen, her website was released back to her. But the hacker never got the money. Reid said she quickly placed a stop on the payment, and eventually got the money back in a check from Escrow.com five months later. She also filed a complaint with the FBI, which is still investigating. In a blog post about the ordeal, she said she was “absolutely blown away” by the FBI’s quick response.

But Reid is still surprised that she was forced to take matters into her own hands.

“I think it’s pretty extraordinary that the only recourse I had was to interact with a criminal and pay him off,” Reid said in an interview. “That was the only thing I could do.”
