
WARNING: SEVERAL STOLEN NAMES, MUST READ!

I am back to running down thieves, never stopped but stumbled across a rather large operation a week ago and feel I need to share with the community. I am aware it may tip off the thief to a degree but unless the names are made public he is and will continue to sell them. He likes contacting domainers privately and using 4.CN. He also uses several rars and sometimes transfers ownership 1-2 times to make separation.

Background: About 1+ weeks ago I was informed of a stolen 4 letter dot com (remain anon for now).

I was asked for my help in recovery of said name and have done so, in fact any day now it will be recovered. I have many people at RAR's to thank and will once back to rightful owners account.

As is par for the course, when you discover 1 you unearth many more and this case is no different.

Most all these names were stolen in 2015 and up until recently (most seem to be from web.com rars/register.com/netsol but not always). I reverse searched the thief and discovered in 2015 he went from owning a dozen or so "garbage" names to suddenly trading in 3L dot com 4L dot com 4-5N dot com etc. Rather a huge upswing set off red flags. I placed several calls to their former owners and confirmed many are stolen. I also discovered a few are legit buys from drops and other places, likely with funds made from selling the stolen names. My advice at this point avoid buying anything from this person it is just too risky and they are a confirmed thief. It was also interesting to tie them to the theft of Ammar.com, google that story, name was recovered. I also noticed this thief was a member of Namepros until banned but no reason I can see was given.

If you have a good contact for 4.CN please notify them of these thefts and the names being listed on their site! Hopefully they will remove them and ban his account.

Names confirmed stolen are as follows, names I cannot confirm yet have a (?) beside them, waiting to be contacted.

1371.com STOLEN spoke to victim
XXXX.com STOLEN working to recover will unveil name once complete
VXL.com STOLEN?
AMMAR.com STOLEN and recovered
09931.com STOLEN?
ETTI.com STOLEN?
ETST.com STOLEN?
PJDO.com Apparent buy off drop
MMAZ.com STOLEN?
7576.com STOLEN? Hope not because it appears thief already resold
ESVV.com STOLEN?
39339.com STOLEN?
2517.com STOLEN?
LFQH.com STOLEN Spoke with victim
PZYA.com STOLEN?
RQEI.com STOLEN?
ZAWA.com STOLEN?
QURO.com STOLEN

Thief's info is as follows, he went from showing info to using privacy but the link to him is undeniable. He also seems to like to scatter where he transfers them to as well.


Registrant Name: STANISLAV KHRAMOV
Registrant Organization:
Registrant Street: METALLURGOV 7-7
Registrant City: MAGNITOGORSK
Registrant State/Province: CHE
Registrant Postal Code: 455023
Registrant Country: RU
Registrant Phone: +7.9124020000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]

Ammar.com which was I believe one of if not the first name he stole, notice the email contact, same guy as above but he changed that email out on his later thefts since that cover was blown. I believe he brute forced the registrant's password and switched out email to complete the theft.

Registrant Name: Mohammed Ali
Registrant Organization: Mohammed Ali
Registrant Street: Villa 24, Block 4, Al-Mutawakel Street
Registrant City: Kuwait City
Registrant State/Province: Da-aiyah
Registrant Postal Code: 13113
Registrant Country: KW
Registrant Phone: +965.22563033
Registrant Fax: +965.22563033
Registrant Email: [email protected]


Here was his namepros.com account I believe....God only knows if Poob.com was clean?
https://www.namepros.com/threads/poob-com.846270/

If you have any info on this guy please share.


UPDATE TO COME!
 
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
I will share this thread in WeChat.. I think there are members from 4.cn
 
•••
Your post has been read by several Chinese domainers/community and

Eva Wang from DN.com will label these as stolen names in their database.
 
•••
YOU GUYS ROCK = What a big job but I looked at every domain I have...
Check your wallets people
 
•••
Terrible news. A stolen domain database would be ideal. Has anyone tried to put one up?

a good thread about only that on namepros can be good enough for that.
it gets easily indexed into google searches etc.
like a showcase thread for an extension or niche.. except for stolen domains
 
•••
like a showcase thread for an extension or niche.. except for stolen domains
Superb idea! I would follow it.
 
•••
saw this on that domenforum dot net site. posted by mattNetsol.

Posted by Bassta
From 4N currently have:
1371.com
2517.com
7576.com month ago 2755.com sold for $ 48K


Stasik steal domains is bad. We have already filed a complaint with the Department To carry out the fight against computer crime, is now apply to the police in Magnitogorsk. Also, I believe the Federal Tax Service will be very interesting to look at your bank account, but that is a secondary matter.

Oh schuckz! he's in trouble now! they've brought in Magneto from X-men!
 
•••
saw this on that domenforum dot net site. posted by mattNetsol.

Posted by Bassta
From 4N currently have:
1371.com
2517.com
7576.com month ago 2755.com sold for $ 48K


Stasik steal domains is bad. We have already filed a complaint with the Department To carry out the fight against computer crime, is now apply to the police in Magnitogorsk. Also, I believe the Federal Tax Service will be very interesting to look at your bank account, but that is a secondary matter.


Great stuff, my hope is they give him some Russian style justice, his brazenness is sickening.
 
•••
The TAKE AWAY from this story is make sure to change your password regularly. Even better, never access your registrar via mobile, or at the very least use McAfee's Password Storage app that generates a highly encrypted password for any site you enter from your desktop and keeps your passwords in an encrypted file.
 
•••
btw STANISLAV KHRAMOV the thief is starting to move names to a Russian registrar Reg.ru 2517.com for example but never fear it doesn't matter where they are, they can be recovered. We have contacted the owners of that rar and I suggest everyone who reads this thread emails them too to complain and link this thread.

Email/Contact/Phone especially Russian speakers and let them know STANISLAV is a thief!

Registrant Name: Alexey Korolyuk
Registrant Organization: Domain name registrar REG.RU
Registrant Street: Domain names registrar REG.RU, house 3, Vassily Petushkov str.
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 125476
Registrant Country: RU
Registrant Phone: +74955801111
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
 
•••
You guys are doing a public service. Hope that guy gets what he deserves.
 
•••
Here's a thought and it's something I've asked on NP and never got a reply. After reading this thread. Anyone ever get the "Feeling" that you registered or bought a specific domain but since you have so many you can't keep track?

You read threads on NP about a niche you are following. Then you think hmmm what did I have in that niche? oh yea! I remember regging blahblahblahvr.com then you check it's not in your account. then you check the whois. and it's owned by someone else.

and you check the date. it was registered years before.

could these thieves like this guy brute force a domainer's registrar account and cherry pick certain domains and take it out the account without any record even of a transfer? and then somehow "fudge" the whois data to make it look like it was registered years before?

maybe I'm just being paranoid but you can't be too paranoid these days. anything is possible. if they can hack the NSA. trust me they can hack anything if given enough motivation.
 
•••
To answer in short, no all transfers recorded, they cannot play with dates in whois. They can photo shop what they want but the recorded whois data, no.

As far as brute force your account, sure they can and they do, I am sure it is one of the ways our thief here works that and many other ways.
 
•••
thanks for the heads up JP...
ex-Domainstate right?
 
•••
Email/Contact/Phone especially Russian speakers and let them know STANISLAV is a thief!

I will try to call him later today. But I guess the owner is already aware (mattNetsol at domenforum who posted about filing a police complaint). Anyway, I'll give a call just in case the domains were stolen from different people.

It's also interesting that Stanislav (username Bassta at domenforum) who is suspected to be a thief here, said on that Russian forum that he had bought those domains from someone for a low price (no proof of purchase provided though). So, he might not necessarily be a real thief, just someone who bought those domains despite the fact he knew (or at least must have suspected because of low price) that they were stolen. He registered at that forum in 2006 and sold good domains back in 2013 and earlier, so he has some reputation there. But I guess xxx,xxx$ numbers he is talking there about can make miracles. It's up to police to investigate now.
 
•••
There is no doubt he is the thief, you do not buy 20+ stolen domains from 20 different people within 18 months and expect us to believe on top of that nearly improbable scenario you have no real proof of paying anyone because bitcoin.

One stolen name, maybe even a few from the same seller but not 20+ all owned by different people, this guy's lies lack creativity and insult intelligence.

Keep in mind as he flips the stolen domains I have seen where he does buy with the ill gotten gains.

Any way appreciate the calls to the reg.ru rar and reporting this guy.
 
•••
another way to protect yourself from domain theft is to use 2 factor authentication and have your domains monitored by a service like domaintools.com

When someone unlocks your domain the service will send you an email. Then you could contact the registrar to have them cancel the transfer.
 
•••
There is no doubt he is the thief, you do not buy 20+ stolen domains from 20 different people within 18 months and expect us to believe on top of that nearly improbable scenario you have no real proof of paying anyone because bitcoin.

One stolen name, maybe even a few from the same seller but not 20+ all owned by different people, this guy's lies lack creativity and insult intelligence.

Keep in mind as he flips the stolen domains I have seen where he does buy with the ill gotten gains.

Any way appreciate the calls to the reg.ru rar and reporting this guy.

I get your point. But in my opinion it still doesn't prove that the guy (Stanislav aka Bassta) is the real thief. He might have bought all those domains from the same thief who stole domains, and then resold. Surely doing this continually and closing eyes on the origin of the domains can be considered as being a companion in crime. I think it's the case. Let's hope police will be able to investigate it
 
•••
another way to protect yourself from domain theft is to use 2 factor authentication and have your domains monitored by a service like domaintools.com

When someone unlocks your domain the service will send you an email. Then you could contact the registrar to have them cancel the transfer.

I don't really see how this may help. If a thief wants to transfer a domain from your account, he will have to have an access to your email account to confirm it. Unless you indicate a different email for domain unlocking notification.
 
•••
I get your point. But in my opinion it still doesn't prove that the guy (Stanislav aka Bassta) is the real thief. He might have bought all those domains from the same thief who stole domains, and then resold. Surely doing this continually and closing eyes on the origin of the domains can be considered as being a companion in crime. I think it's the case. Let's hope police will be able to investigate it


Believe me there is no doubt he is the thief, he goofed up on names that he stole where he didn't move them twice (he likes to do this often) to try and cover his tracks or lie about origins. Secondly several rars now know his IP address and it matches the IP that has illegally accessed the victims of his crime. You cannot see an IP access a victim's account and two registrars later be the same IP and not be the thief! He thinks he is smart but the evidence of your tracks are clear online, he IS the thief, no doubt. And in the coming week(s) hope to report another name has been recovered.

There is no debate here and secondly he never even uses the excuse he bought them from a thief unknowingly as an excuse, he is very smart and incredibly sloppy at the same time because he doesn't care, he is highly immoral.

No doubt Stanislav is a thief, none, zero, zilch, nada, zippo, he's a thief!
 
•••
Believe me there is no doubt he is the thief, he goofed up on names that he stole where he didn't move them twice (he likes to do this often) to try and cover his tracks or lie about origins. Secondly several rars now know his IP address and it matches the IP that has illegally accessed the victims of his crime. You cannot see an IP access a victim's account and two registrars later be the same IP and not be the thief! He thinks he is smart but the evidence of your tracks are clear online, he IS the thief, no doubt. And in the coming week(s) hope to report another name has been recovered.

There is no debate here and secondly he never even uses the excuse he bought them from a thief unknowingly as an excuse, he is very smart and incredibly sloppy at the same time because he doesn't care, he is highly immoral.

No doubt Stanislav is a thief, none, zero, zilch, nada, zippo, he's a thief!

Thanks for more details! With the IP information you mentioned it's getting much more clear. I will definitely contact the administrator of the Russian forum and post your info there. Also call the reg.ru and the owner. (a bit later)
 
•••
Specially registered here to answer your questions idiots on:
1. Yes, I actually bought these domains in Russian forum, I bought a one person, and the payment is directly spent on the credit card. In Russia we can do so, we have the concept of escrow
2. These domains are held by me at least half a year and what do you think I am a complete idiot just put my data in domains whois? No. During all this time, no complaints for a single domain is not reported
3.
About domain 1371.com:
I bought it in November 2015, I do not remember. I first moved to its registrar Name.com, there allegedly received a complaint from the owner:
I can answer the following, firstly I met with the owner first sells the domain, and then after a while says that the domain registrar allegedly was stolen and asked to return the domain back. If the buyer from another country and even more so if it is not paid through escrow is not possible to prove the purchase, ie the seller return the domain, and it remains with the money and the domain.

I wrote about this to the manager Name.com, And he said that if the seller can prove that the domain name really was stolen from him and not what he sold it, I agree to return to his domain. The man could not prove anything, and then provide any documents.

Here is a screenshot of correspondence with the Department of Abuse Name.com:
2gRZN.jpg


You idiots, you have created an artificial problem and now clucking over it. None of these domains has not been a single complaint, all the time. And yes, I am always ready to return to the legal owner of the domain, if it does prove that the domain was stolen, not the fact that he sold it and wants to return back.

And yes, no registrar will not block domains, without evidence or a court decision. Do you now there is no evidence on any domain !!!

If there is - show. So far, all that you say and then prove that I am a thief, all these words without evidence!

You say that you know the IP address, and they are the same? We first prove that it is my IP address and what I went and stole these domains! Be able to work with facts and not with words, and do not believe what you are trying to prove the words! So far, all that you have - it's just empty words!
 
•••
I don't really see how this may help. If a thief wants to transfer a domain from your account, he will have to have an access to your email account to confirm it. Unless you indicate a different email for domain unlocking notification.

I meant you use a monitoring service that is not from the registrar and that uses a different email.

I think the best thing is to use several email aliases(WHOIS, contact, registrar, monitoring etc.) and have them forwarded to your main email address.

Personally I would avoid using your primary email address in WHOIS. You are making yourself a much easier target by giving a potential attacker this information.
 
•••
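The monitoring advice in the posts above (an alert when a domain is unlocked, delivered to an address the thief does not control), as an added example that is not part of the thread: a Python check that diffs two WHOIS snapshots of one domain and flags a removed transfer lock or a changed registrar, registrant email or name server. The snapshots, domain and registrar names are constructed sample data, and fetching the WHOIS text and delivering the alert are assumed to happen elsewhere.

```python
# Added example: diff two WHOIS snapshots of one domain and flag hijack indicators.
# Both snapshots are constructed sample data (example.com, fictional registrar).
import re

BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar A, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: owner-whois@example.net
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

CURRENT = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar A, Inc.
Domain Status: ok https://icann.org/epp#ok
Registrant Email: someone-else@example.org
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
"""

WATCHED = ("registrar", "registrant email", "name server")
LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

def parse_whois(text):
    """Return {lower-cased key: set of lower-cased values} for 'Key: value' lines."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return record

def statuses(record):
    # A status line is "<eppStatus> <URL>"; keep only the status token.
    return {v.split()[0] for v in record.get("domain status", set())}

def hijack_indicators(before_text, after_text):
    """Compare a trusted baseline with a fresh snapshot; return alert strings."""
    before, after = parse_whois(before_text), parse_whois(after_text)
    alerts = []
    lost = (statuses(before) & LOCKS) - statuses(after)
    if lost:
        alerts.append("transfer lock removed: " + ", ".join(sorted(lost)))
    for key in WATCHED:
        old, new = before.get(key, set()), after.get(key, set())
        if old != new:
            alerts.append(f"{key} changed: {sorted(old)} -> {sorted(new)}")
    return alerts

if __name__ == "__main__":
    for alert in hijack_indicators(BASELINE, CURRENT):
        print("ALERT:", alert)
```

Run it on a schedule from a host and mailbox unrelated to the registrar account, so that a compromised registrar login or WHOIS contact address cannot silence the alert.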
Terrible news. A stolen domain database would be ideal. Has anyone tried to put one up?
I have the perfect name if anyone wants to build it out
Stolen.domains
 
•••