Domain hijacking
Domain hijacking, also known as domain theft, refers to the unauthorized acquisition or transfer of control over a domain name from its legitimate registrant to a malicious actor, typically without the owner's consent or knowledge.[1] This process often involves exploiting weaknesses in domain registrars, DNS configurations, or user credentials, allowing the hijacker to redirect traffic, impersonate the original site, or monetize the domain for illicit purposes.[2] The mechanics of domain hijacking generally begin with gaining access to the domain registrar account, where attackers may alter WHOIS contact information, transfer the domain to a new registrar, or modify DNS records to point to malicious servers.[3] Common methods include social engineering attacks such as phishing emails that trick registrants into revealing login credentials, exploiting expired or lapsed domain renewals, or breaching registrar systems through vulnerabilities like weak authentication.[1] In some cases, attackers compromise email accounts linked to domain recovery processes, enabling password resets and unauthorized transfers.[2] These tactics have evolved with the growth of the domain ecosystem, which includes thousands of accredited registrars overseen by organizations like ICANN.[1] The impacts of domain hijacking are profound, encompassing financial losses from disrupted services, reputational harm through phishing or malware distribution, and potential regulatory violations for affected businesses.[3] Notable incidents illustrate its scale: in 2024, over 70,000 domains were hijacked in "Sitting Ducks" campaigns due to DNS providers' failure to verify ownership during transfers, enabling widespread abuse for spam and fraud.[4] Earlier high-profile cases include the hijacking of sex.com in the late 1990s, which led to a $65 million court judgment against the perpetrator, and 2015 breaches affecting domains of Google and Lenovo Vietnam.[2] More recently, in May 2025, the threat actor 
Hazy Hawk exploited DNS misconfigurations to hijack subdomains of the CDC and Deloitte, redirecting users to scam sites laden with malware.[5] Prevention relies on robust security practices, such as enabling two-factor authentication (2FA) on registrar accounts, implementing domain and registry locks to block unauthorized transfers, and utilizing ICANN's inter-registrar transfer lock periods.[2] Registrants should also employ WHOIS privacy services to obscure contact details, monitor domain status regularly, and use strong, unique passwords while keeping renewal information current to avoid expiration exploits.[1] Advanced measures like DNSSEC (DNS Security Extensions) further protect against record tampering, though adoption remains inconsistent across the industry.[1] Despite these defenses, the decentralized nature of domain management continues to pose challenges, underscoring the need for ongoing vigilance and registrar accountability.[3]
Definition and Background
Definition
Domain hijacking, also known as domain theft, refers to the unauthorized transfer or seizure of control over a domain name registration from its legitimate owner to an attacker, typically by exploiting vulnerabilities in domain registrar systems or compromising owner credentials.[3][2] This form of cyberattack allows the perpetrator to alter the domain's configuration, redirecting traffic or repurposing the domain for malicious purposes without the owner's consent.[6] Key elements of domain hijacking include manipulation of the Domain Name System (DNS) to redirect user traffic, alteration of WHOIS records to reflect false ownership details, or direct compromise of the registrar account, often leading to outcomes such as website defacement, redirection to phishing sites, or exploitation for financial gain through ransomware or fraudulent transactions.[7][1][8] These actions disrupt the legitimate owner's control over associated online assets, including websites, email services, and subdomains, potentially causing significant reputational and economic harm.[9][10] Unlike domain squatting, which involves the preemptive registration of desirable or trademarked domain names by third parties for resale or extortion, or typosquatting, where attackers register slight misspellings of popular domains to intercept traffic, domain hijacking specifically targets domains that are already registered and owned by victims.[11][12] This distinction underscores hijacking's focus on illicit takeover of established assets rather than opportunistic new registrations.[13] In a typical process, the attacker first gains unauthorized access to the domain owner's registrar account—often through phishing, weak passwords, or social engineering—then modifies critical settings such as nameservers, administrative contacts, or ownership details to redirect DNS resolution or initiate a domain transfer.[14][15] This enables full control over the domain's resolution and associated services, allowing 
the attacker to host malicious content or monetize the hijacked asset until recovery efforts intervene.[16]
Historical Development
Domain hijacking emerged in the mid-1990s with the commercialization of domain name registrations, initially monopolized by Network Solutions as the sole registrar for .com, .net, and .org top-level domains under U.S. government oversight. Early systems lacked robust security protocols, relying on minimal verification of registrant identity, which enabled fraudulent transfers through forged documents or spoofed communications. The first prominent case occurred around 1995, when Stephen Cohen illicitly transferred the valuable sex.com domain from its owner, Gary Kremen, by submitting a falsified letter to Network Solutions claiming Kremen had abandoned the registration; Cohen profited millions from the domain before a court ordered its return in 2001, establishing domains as transferable property susceptible to theft.[16][17] To address escalating vulnerabilities, ICANN formalized the Inter-Registrar Transfer Policy in 2003 following recommendations from its Transfer Task Force, with full implementation by November 2004. This policy standardized procedures for moving domains between accredited registrars, mandating tools like the EPP authorization code for secure transfers and prohibiting registrars from unreasonably denying requests. By enhancing authentication and reducing reliance on insecure email confirmations, it aimed to curb unauthorized hijackings amid the proliferation of competitive registrars post-Network Solutions' monopoly.[18][19] Incidents proliferated after 2005, as detailed in ICANN's Security and Stability Advisory Committee (SSAC) report, which analyzed cases exploiting Whois data inaccuracies and weak transfer validations, often for resale or extortion. The phenomenon shifted from opportunistic exploits targeting lax registrars to deliberate attacks on high-value assets like brand and government domains, fueled by the internet's expansion and rising domain valuations. 
In the 2010s, this evolution intensified with cryptocurrency's emergence, enabling anonymous monetization; attackers hijacked domains to redirect traffic for crypto theft, as in a 2018 DNS manipulation stealing over $400,000 in Stellar Lumen tokens. Concurrently, ransomware integration grew, with compromised domains used to host malicious payloads or demand payments. Global domain registrations ballooned from under 10 million in the late 1990s to more than 362 million by 2021 and 378.5 million as of September 2025 (Q3 2025), heightening exposure and contributing to a marked uptick in reported hijackings—from isolated early-2000s cases to broader trends tracked in ICANN and registrar security assessments.[20][21][22][23]
Mechanisms of Domain Hijacking
Technical Methods
Domain hijacking exploits various technical vulnerabilities in the domain name system (DNS) infrastructure, registrar operations, and related protocols, allowing attackers to gain unauthorized control over domain registrations without necessarily relying on direct human interaction. These methods target weaknesses in authentication, data management, and transfer mechanisms that underpin domain ownership and resolution.[20] Registrar account compromise represents a primary technical vector, where attackers exploit weak passwords, absence of two-factor authentication (2FA), or vulnerabilities in application programming interfaces (APIs) to achieve unauthorized logins and initiate domain transfers. Weak passwords enable brute-force or dictionary attacks on registrar portals, while the lack of 2FA allows credential reuse from breached sources to suffice for access. API vulnerabilities, such as insufficient input validation or exposed endpoints, permit automated exploitation, enabling attackers to script changes to domain settings without manual intervention. Once inside, attackers can update registrant details or request transfers, often bypassing basic verification if multi-step authentication is not enforced.[2][24][20] DNS manipulation involves altering nameserver records or exploiting access to zone files, redirecting traffic to attacker-controlled servers and disrupting legitimate services. Attackers with compromised registrar access can modify nameserver (NS) records to point to malicious DNS servers, effectively hijacking resolution for the domain. Zone file access, if inadequately secured at the registrar or registry level, allows direct edits to resource records like A, MX, or CNAME entries. DNSSEC misconfigurations, such as unsigned zones or improper key management, fail to validate record authenticity, enabling undetected alterations that persist until detected through monitoring. 
These exploits leverage the distributed nature of DNS, where changes propagate quickly across resolvers. A specific variant is subdomain takeover, where dangling DNS records point to decommissioned third-party services (e.g., unused AWS S3 buckets or Heroku apps), allowing attackers to claim those services and control the subdomain without altering the parent domain's registration. This method has been used in campaigns as recent as 2025.[1][25][20][6][5] WHOIS data exploits capitalize on outdated or falsified registrant contact information to circumvent registrar verification processes during administrative actions. Publicly accessible WHOIS records containing obsolete email addresses or phone numbers prevent timely notifications to owners about pending changes, allowing attackers to approve transfers or updates in their stead. Falsified data, if inserted via prior compromises, can impersonate the registrant during verification loops, exploiting registrars' reliance on self-reported details without robust identity checks. This method thrives on the lag in updating WHOIS after personnel changes or mergers, creating windows for unauthorized interventions. Another related exploit involves domain expiration, where attackers monitor soon-to-expire domains and register them immediately upon lapse, hijacking valuable names if auto-renewal fails or notifications are missed. As of 2025, this remains a significant risk for high-value domains.[26][20][1][27] Abuse of transfer protocols, particularly the Extensible Provisioning Protocol (EPP), facilitates unauthorized domain moves between registrars through lock bypass techniques and interface manipulations. EPP, used for inter-registrar transfers, requires an authorization code (authInfo) that, if weakly generated or reused across domains, can be guessed or extracted to initiate transfers. 
Attackers exploit registrar interfaces via vulnerabilities such as insufficient input validation to manipulate transfer requests, or by bypassing clientTransferProhibited locks if not properly enforced at the registry level. These vulnerabilities stem from inconsistent implementation of EPP status codes, allowing pending transfers to proceed without final confirmation from the original registrant.[20][28][1] Advanced persistent threats (APTs) employ malware to target endpoint devices of domain administrators, stealing credentials for sustained access to registrar and DNS systems. Keyloggers or credential-dumping tools, deployed via drive-by downloads or supply chain compromises, capture login details during routine management tasks. Once obtained, these credentials enable persistent modifications, such as repeated DNS tweaks or transfer attempts, often evading detection through rootkit-like evasion. Groups like APT1 have historically hijacked domains to support broader infrastructure compromises, highlighting the role of malware in amplifying technical exploits.[6][29]
Social Engineering Methods
Social engineering methods in domain hijacking exploit human psychology to deceive individuals into surrendering control over domain registrations, often targeting registrants, registrar staff, or hosting providers. These tactics rely on manipulation rather than technical exploits, preying on trust, urgency, or reciprocity to extract credentials, verification codes, or approvals for unauthorized transfers. According to the Internet Corporation for Assigned Names and Numbers (ICANN) Security and Stability Advisory Committee (SSAC), social engineering has been a primary vector for domain hijacking since at least the early 2000s, enabling attackers to bypass security measures through human error.[3] Phishing attacks are among the most prevalent social engineering techniques in domain hijacking, where attackers send fraudulent emails masquerading as official communications from domain registrars. These emails often mimic renewal notices, account verification requests, or security alerts, urging recipients to click malicious links that lead to spoofed login pages designed to capture usernames, passwords, and other credentials. For instance, an email might warn of impending domain expiration and direct the user to a fake registrar site to "update" information, resulting in full account compromise and subsequent domain transfer. The SSAC has documented such impersonation phishing as a targeted threat to domain registrants, emphasizing the use of deceptive hyperlinks to redirect victims to attacker-controlled sites.[30] Once credentials are obtained, attackers can initiate transfers or modify domain settings.[1] Pretexting and impersonation involve attackers fabricating plausible scenarios or assuming false identities to extract sensitive information directly from victims. 
In domain hijacking contexts, perpetrators may pose as IT support personnel, registrar representatives, or even ICANN officials via phone calls or emails, requesting verification codes, personal details, or approval for administrative changes under the guise of routine maintenance or dispute resolution. This method exploits the victim's willingness to assist trusted authorities, often leading to unauthorized access to registrar accounts. The SSAC identifies impersonation as a core social engineering risk, where attackers convincingly mimic legitimate entities to coerce compliance from registrars or domain owners.[3] Security analyses further note that such tactics have enabled hijackers to convince registrar staff to release domains without proper authentication.[31] Baiting and quid pro quo tactics lure victims with enticing offers or promises of reciprocal benefits to lower defenses and prompt credential sharing. In domain-related scenarios, attackers might offer fake technical support, discounted renewals, or "free" security audits in exchange for login details or access to domain management portals, capitalizing on the human tendency toward reciprocity. Quid pro quo often involves impersonating a service provider promising to fix a fabricated issue, such as a domain vulnerability, in return for verification. Cybersecurity experts classify these as established social engineering approaches adaptable to domain environments, where the bait leads to account compromise and hijacking.[32] Insider threats represent a particularly insidious form of social engineering, where attackers bribe, coerce, or otherwise influence employees at registrars, registries, or hosting providers to misuse their privileged access. This could involve financial incentives to approve fraudulent transfers or threats to compel disclosure of customer data, allowing external parties to seize control of domains. 
The SSAC highlights insiders—whether malicious employees or coerced staff—as a significant risk in domain hijacking, noting that such compromises often occur without triggering automated alerts.[3] Spear-phishing has evolved as a more sophisticated variant, tailoring attacks to specific domain owners using publicly available WHOIS data for personalization, such as referencing exact registration details or owner names to build credibility. These customized emails heighten the success rate by making the deception appear highly relevant and urgent, often prompting immediate action like credential submission. The SSAC advises that WHOIS-based personalization in phishing directly facilitates domain hijacking by increasing victim compliance.[30] Following successful social engineering, attackers typically alter DNS records to redirect traffic for phishing or other illicit activities.[1]
Notable Incidents
Pre-2010 Cases
One of the earliest prominent domain hijacking incidents occurred in 1995 involving sex.com, registered by entrepreneur Gary Kremen in 1994 through Network Solutions, the then-sole domain registrar.[33] Stephen Michael Cohen, a convicted felon, forged a letter claiming Kremen had abandoned the domain and convinced Network Solutions to transfer control to him without verifying the original registrant's consent.[34] Cohen subsequently monetized the domain through adult content partnerships, generating an estimated $5 to $10 million annually before a 2001 federal court ruling awarded Kremen $65 million in damages and restored ownership after a seven-year legal battle.[35] This case highlighted the vulnerabilities in early registrar processes, which relied on minimal authentication like faxed documents without robust identity checks.[33] In 1997, Eugene Kashpureff, founder of the rival AlterNIC registry, executed a high-profile DNS-based hijack of internic.net, the official website of Network Solutions.[36] By exploiting BGP routing flaws and altering DNS records, Kashpureff redirected traffic from www.internic.net to his own alternic.net site for nearly two weeks as a protest against Network Solutions' monopoly on .com registrations.[37] The incident disrupted access to domain registration services and exposed the fragility of the internet's core infrastructure, leading to legal action by Network Solutions and FTC scrutiny over consumer deception.[38] Although not a traditional registrar transfer, it underscored early security gaps in DNS management and registrar oversight.[39] The 2005 hijacking of panix.com exemplified social engineering tactics against registrars.
On January 14, 2005, fraudsters impersonated Public Access Networks Corporation (Panix), a New York-based ISP, and contacted reseller Fibranet (affiliated with Melbourne IT) with a forged transfer request using stolen credit card details to pay fees.[40] The domain was transferred to a Canadian registrar, redirecting Panix's email and website services and causing outages for thousands of customers over a U.S. holiday weekend.[41] Panix regained control approximately 40 hours later after providing proof of ownership to ICANN and the registrars involved, but the incident resulted in significant operational disruption and data exposure risks.[20] Between 2005 and 2008, domain hijackings surged, particularly targeting high-value .com domains for redirection to spam or phishing sites, with notable cases including hushmail.com in April 2005, where attackers used social engineering at Network Solutions to alter DNS records and deface the secure email provider's site.[20] Similar tactics affected domains like hz.com in February 2005 via spoofed authorization emails and eBay.de in September 2004 by a teenager exploiting registrar verification lapses for a prank.[20] During election periods, such as the 2004 and 2008 U.S. 
campaigns, hijackers increasingly targeted political-related .com domains to redirect traffic to spam operations or disinformation pages, amplifying risks amid heightened online activity.[41] This period saw a proliferation of incidents tied to cybercrime rings using hijacked domains for pharmaceutical spam redirection, as registrars processed thousands of transfers annually without standardized locks.[20] These pre-2010 cases inflicted substantial financial losses, such as diverted ad revenue in the sex.com hijacking exceeding $100 million over its duration, and operational harms like the Panix outage, which halted services for a major ISP serving academic and business clients.[34] Reputational damage was acute, as seen in Hushmail's defacement, eroding user trust in privacy-focused services.[20] Collectively, they elevated awareness of domain security, prompting early adoption of transfer locks by registrars to prevent unauthorized moves.[20] Common factors in these incidents included the absence of two-factor authentication (2FA) at registrars, reliance on easily spoofed email or fax verifications, and manual processes lacking real-time registrant notifications.[20] Pre-2010 systems often prioritized speed over security, allowing social engineering exploits where attackers posed as account holders without independent confirmation, as evidenced in the Panix and sex.com cases.[40][33] This era's hijackings typically involved .com domains due to their commercial value, revealing systemic flaws in the WHOIS database and inter-registrar communication protocols.[20]
Post-2010 Cases
In 2013, the Syrian Electronic Army (SEA) compromised the domain registrar Melbourne IT through a spear-phishing attack on an employee, enabling the group to alter DNS records for twitter.co.uk and redirect traffic to a page promoting their cause. Although the primary twitter.com domain remained unaffected due to its separate registration and monitoring, the incident disrupted Twitter's United Kingdom operations for several hours and exposed critical vulnerabilities in registrar authentication processes for high-profile domains.[42] The attack underscored the risks of social engineering targeting third-party providers, prompting Twitter to enhance its domain security protocols and collaborate with registrars on improved verification measures.[43] A series of domain hijacking incidents targeted UK businesses in 2014, exploiting weaknesses in registrar management consoles and WHOIS data accessibility to facilitate unauthorized transfers and DNS changes. For instance, in February 2014, UK registrar 123-Reg suffered a breach where attackers accessed customer accounts, hijacking hundreds of .co.uk and .org.uk domains and redirecting them to malicious sites distributing ransomware. These attacks relied on stolen credentials obtained via phishing or weak authentication, allowing perpetrators to impersonate owners using publicly available WHOIS information.[44] The wave of thefts affected small and medium-sized enterprises, leading to financial losses from site downtime and cleanup efforts, and drew scrutiny from ICANN, which initiated reviews of global registrar security standards to address systemic flaws in domain transfer protections.[45] In 2019, attackers hijacked crypto-related domains as part of broader DNS infrastructure campaigns like DNSpionage, which involved state-sponsored actors compromising registrars to redirect traffic for phishing and espionage. 
Specifically, the Crypto.com domain faced attempted redirection through registrar credential theft, briefly disrupting service access and exposing users to phishing sites mimicking the platform to steal wallet credentials and funds. This incident, part of a global campaign affecting financial and government targets, resulted in temporary outages and heightened risks to user assets, with no direct financial loss reported but significant reputational damage.[46] The event highlighted the vulnerability of cryptocurrency platforms to domain-level attacks, prompting Crypto.com to implement multi-factor authentication for domain management and public warnings on phishing detection.[47] In 2022, during the Russia-Ukraine conflict, there were reports of Russian-linked actors hijacking Ukrainian government and military domains to redirect users to fake portals for malware delivery and propaganda dissemination. These operations compromised official communications and sowed confusion, with attackers using compromised registrars to alter DNS records and evade detection.[48] From 2023 to 2025, domain hijackings in the Web3 ecosystem have involved AI-assisted phishing techniques, where attackers craft personalized lures to exploit domain vulnerabilities for credential theft. These attacks often target NFT marketplaces and decentralized finance protocols, redirecting domains to fake sites that siphon assets. The trend reflects the integration of AI with social engineering, increasing the scale of such incidents.[49][50] In 2024, the "Sitting Ducks" campaigns hijacked over 35,000 domains by exploiting DNS providers' failure to verify ownership during transfers, enabling widespread abuse for spam, fraud, and malware distribution. 
Attackers targeted expired or lapsed domains from vulnerable providers, redirecting traffic to malicious endpoints and causing significant disruptions for businesses and users.[51] In May 2025, the threat actor Hazy Hawk exploited DNS misconfigurations to hijack subdomains of the CDC and Deloitte, redirecting users to scam sites laden with malware. This incident highlighted ongoing risks to high-profile organizations from DNS tampering.[5]
Prevention and Mitigation
Best Practices for Registrants
Domain registrants, whether individuals or organizations, play a critical role in safeguarding their assets against hijacking attempts, which often exploit weak access controls or oversight lapses. Implementing robust security measures at the user level can significantly reduce risks from unauthorized transfers or modifications.[52]
Credential Security
To protect registrar accounts, registrants should use strong, unique passwords consisting of at least 14 characters, including a mix of uppercase and lowercase letters, numbers, and symbols, without reusing them across multiple sites. Enabling multi-factor authentication (MFA), such as one-time passwords via mobile devices, adds a vital layer against unauthorized access, as it requires proof of identity beyond just a password. Regularly auditing access logs provided by the registrar helps detect suspicious activity, such as unusual login attempts, allowing for prompt credential rotation if breaches are suspected.[53][52][1]
Domain Locking
Activating transfer locks, often referred to as clientTransferProhibited status, prevents unauthorized domain transfers to another registrar without explicit owner approval. For enhanced protection, registrants can request registry-level locks, such as serverTransferProhibited, which require additional verification steps before any changes. These locks are standard features offered by most registrars and should be enabled by default for high-value domains to block common hijacking vectors like phishing-induced transfers.[3][52][54]
Monitoring Tools
Setting up WHOIS alerts notifies registrants of any changes to domain registration details, such as contact information or status updates, enabling rapid response to potential compromises. DNS change notifications from the registrar or third-party services can flag unauthorized modifications to nameservers or records, while automated expiration reminders prevent opportunistic hijacks via lapsed renewals. Tools like those from DomainTools or WhoisXML API provide comprehensive monitoring for registrant, IP, and nameserver alterations, often with real-time alerts.[52][54][1]
Backup and Recovery
Maintaining off-registrar backups of website content and DNS configurations ensures quick restoration if a hijacking occurs, minimizing downtime and data loss. These backups should be stored offline or in physically separated, encrypted locations with a securely guarded master key to avoid single points of failure. Developing an incident response plan in advance, including steps to contact the registrar and DNS provider for recovery, facilitates coordinated action to regain control and mitigate damage.[53][16]
Education
Training staff to recognize phishing attempts, such as suspicious emails requesting registrar credentials, is essential to counter social engineering tactics that lead to hijacking. Organizations should conduct regular security awareness sessions, drawing from resources like ICANN's global programs on credential management, and perform audits of high-value domains to identify vulnerabilities. Building a culture of cybersecurity vigilance ensures ongoing compliance with best practices, reducing human error as a weak link.[53][55]
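The following is an added example, not code from this article or from any registrar or monitoring vendor, that turns the Domain Locking and Monitoring Tools recommendations above, together with the dangling-record (subdomain takeover) risk from the Technical Methods section, into a self-checking audit: it reads an RDAP-style registration record and a DNS snapshot, both embedded as constructed sample data, and reports missing EPP locks, nameserver drift against a stored baseline, an imminent expiry, and CNAMEs whose third-party target no longer resolves. The domain, nameserver and host names (example.test, hosting.test and so on) are all made up for the example.

```python
"""Domain hygiene audit over a constructed RDAP record and DNS snapshot.

Added example; every name and date below is constructed, not taken from the
article or any real registration.
"""
from datetime import date, datetime

# Client-side locks a registrant can set at the registrar for a high-value domain.
REQUIRED_CLIENT_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}
# Registry lock: a separate opt-in service, surfaced as a server* status code.
REGISTRY_LOCK = "serverTransferProhibited"

# Constructed RDAP-style record for a hypothetical domain (example.test).
RDAP_RECORD = {
    "ldhName": "example.test",
    "status": ["clientDeleteProhibited", "clientUpdateProhibited"],
    "events": [{"eventAction": "expiration", "eventDate": "2025-11-01T00:00:00Z"}],
    "nameservers": [{"ldhName": "NS1.unknown-dns.test."}, {"ldhName": "ns2.unknown-dns.test"}],
}
# Nameservers recorded when the domain was last verified as healthy (constructed).
NS_BASELINE = {"ns1.hosting.test", "ns2.hosting.test"}
# Constructed DNS snapshot: published CNAMEs and the targets that still answer.
CNAME_RECORDS = {
    "blog.example.test": "old-blog.storage-provider.test",
    "www.example.test": "web.hosting.test",
}
RESOLVABLE_TARGETS = {"web.hosting.test"}
SAMPLE_TODAY = date(2025, 10, 15)  # constructed "current date" for the expiry check


def missing_locks(record):
    """Client locks absent from the record, plus the registry lock if it is unset."""
    present = set(record.get("status", []))
    missing = sorted(REQUIRED_CLIENT_LOCKS - present)
    if REGISTRY_LOCK not in present:
        missing.append(REGISTRY_LOCK)
    return missing


def nameserver_drift(record, baseline):
    """Nameservers added or removed versus the baseline, after normalising case and trailing dots."""
    current = {ns["ldhName"].lower().rstrip(".") for ns in record.get("nameservers", [])}
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


def days_until_expiry(record, today):
    """Days left before the registration lapses, or None if no expiration event is listed."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return (expiry.date() - today).days
    return None


def dangling_cnames(cnames, resolvable):
    """Hostnames whose CNAME target no longer resolves: candidates for subdomain takeover."""
    return sorted(name for name, target in cnames.items() if target not in resolvable)


def audit(record, baseline, cnames, resolvable, today, warn_days=30):
    """Run every check and return (severity, message) findings, most severe first."""
    findings = []
    for lock in missing_locks(record):
        severity = "HIGH" if lock in REQUIRED_CLIENT_LOCKS else "INFO"
        findings.append((severity, f"status code {lock} not set"))
    drift = nameserver_drift(record, baseline)
    if drift["added"] or drift["removed"]:
        findings.append(("HIGH", f"nameservers changed: +{drift['added']} -{drift['removed']}"))
    days = days_until_expiry(record, today)
    if days is None:
        findings.append(("MEDIUM", "no expiration date in record"))
    elif days <= warn_days:
        findings.append(("MEDIUM", f"registration expires in {days} days"))
    for host in dangling_cnames(cnames, resolvable):
        findings.append(("HIGH", f"dangling CNAME on {host} -> {cnames[host]}"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: order[f[0]])  # stable sort keeps check order within a level


def audit_sample():
    """Run the audit over the constructed data above."""
    return audit(RDAP_RECORD, NS_BASELINE, CNAME_RECORDS, RESOLVABLE_TARGETS, SAMPLE_TODAY)


if __name__ == "__main__":
    for severity, message in audit_sample():
        print(f"[{severity}] {message}")
```

Replacing the embedded record with a live RDAP lookup and the snapshot with real resolver answers turns this into the periodic check the Monitoring Tools section describes.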