Domain seized

boker
Looks like one of my domains was used in some kind of cyber attack or something like that. The domain oreux in king was a hand reg from a year ago and I wanted to transfer it to another registrar. The transfer failed because the domain was locked. I've double-checked with my registrar, and everything showed fine in the control panel: domain unlocked and the nameservers were ns1.undeveloped.com. But when I did a WHOIS check, the domain was transfer prohibited and the nameservers were something like:
SC-C.SINKHOLE.SHADOWSERVER.ORG
Looks like the domain was used in some kind of cyber attack and they have seized around 800,000 domains. Nobody has told me anything about it and I still have access to everything in the control panel; the only issue is that the control panel doesn't have control over everything. A couple of months ago everything was fine, so it looks like they changed the nameservers in the last months. So be aware, you could own some of the 800,000 domains seized. I have found a link here about it: https://www.europol.europa.eu/newsr...k-dismantled-in-international-cyber-operation
I will wait and see if I can do something about this transfer to epik.
 
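The check the OP describes above (registrar control panel says one thing, public WHOIS says another) written out as a script. This is an added example, not code from the thread, the registrar, or Shadowserver. The WHOIS replies below are constructed: the `SC-C.SINKHOLE.SHADOWSERVER.ORG` hostname and the `ns1.undeveloped.com` panel value come from the thread, the domain names and the remaining fields are assumptions. In practice you would feed it the text returned by `whois <domain>` and the nameservers your panel shows.

```python
"""Added example: detect registry-level intervention (sinkhole delegation, server
locks, hold status) that a registrar control panel will not show you.

The WHOIS texts at the bottom are constructed for this example; nothing here is
fetched from the network."""
from dataclasses import dataclass, field

# Nameserver zone used for sinkholing in the thread. Other sinkhole operators
# can be appended; only Shadowserver's is named on the page.
SINKHOLE_SUFFIXES = ("sinkhole.shadowserver.org",)

# EPP status codes (RFC 5731). "server*" codes are set by the registry, not the
# registrar, which is why the registrar panel can still show "unlocked".
# "*Hold" removes the delegation from the TLD zone entirely.
SERVER_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}
CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
HOLDS = {"serverHold", "clientHold"}


@dataclass
class WhoisRecord:
    domain: str = ""
    statuses: set = field(default_factory=set)
    nameservers: set = field(default_factory=set)


def parse_whois(text: str) -> WhoisRecord:
    """Parse the 'Key: Value' lines of a registry/registrar WHOIS reply.
    'Domain Status: serverHold https://icann.org/epp#serverHold' keeps only
    the EPP code; nameservers are lower-cased and stripped of a trailing dot."""
    rec = WhoisRecord()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            rec.domain = value.lower()
        elif key == "domain status" and value:
            rec.statuses.add(value.split()[0])
        elif key == "name server" and value:
            rec.nameservers.add(value.lower().rstrip("."))
    return rec


def assess(panel_nameservers, whois_text: str) -> dict:
    """Compare the nameservers the registrar panel claims against WHOIS."""
    rec = parse_whois(whois_text)
    panel = {ns.lower().rstrip(".") for ns in panel_nameservers}
    live = rec.nameservers
    sinkholed = any(ns.endswith(s) for ns in live for s in SINKHOLE_SUFFIXES)
    return {
        "domain": rec.domain,
        "sinkholed": sinkholed,
        "server_locked": sorted(rec.statuses & SERVER_LOCKS),
        "client_locked": sorted(rec.statuses & CLIENT_LOCKS),
        "on_hold": sorted(rec.statuses & HOLDS),
        "ns_mismatch": live != panel,
        "live_nameservers": sorted(live),
    }


def explain(result: dict) -> list:
    """One-line verdicts a registrant can act on, most severe first."""
    out = []
    if result["sinkholed"]:
        out.append("delegation points at a sinkhole; the registrar panel is not authoritative")
    if result["on_hold"]:
        out.append("domain is on hold and absent from the TLD zone")
    if result["server_locked"]:
        out.append("registry-level locks: " + ", ".join(result["server_locked"])
                   + " (only the registry or the seizing agency can lift these)")
    if result["ns_mismatch"] and not result["sinkholed"]:
        out.append("panel nameservers differ from WHOIS; check with the registrar")
    return out or ["no registry-level intervention visible"]


# Constructed WHOIS replies (assumed domain names; not real lookups).
SEIZED_WHOIS = """\
Domain Name: SEIZED-EXAMPLE.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: SC-C.SINKHOLE.SHADOWSERVER.ORG
DNSSEC: unsigned
"""
HEALTHY_WHOIS = """\
Domain Name: HEALTHY-EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.UNDEVELOPED.COM
"""
HOLD_WHOIS = """\
Domain Name: HELD-EXAMPLE.COM
Domain Status: serverHold https://icann.org/epp#serverHold
Name Server:
"""

if __name__ == "__main__":
    for text in (SEIZED_WHOIS, HEALTHY_WHOIS, HOLD_WHOIS):
        r = assess(["ns1.undeveloped.com"], text)
        print(r["domain"], "->", "; ".join(explain(r)))
```

The point of the comparison is the one the OP ran into: a registrar panel only shows client-side state, while sinkhole delegation and `server*` locks are applied at the registry and are visible only in WHOIS (or RDAP) and in the live NS answer. The third sample covers the alternative jmcc mentions further down, knocking the domain out of the zone with `serverHold` instead of redelegating it.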
Just to stay on track.

1. The domain in the OP was one of the 800,000 that was sinkholed by DOJ/Homeland Security. These are sinkholed @ ShadowServer. These domains are linked to a malware outbreak, both in the past and expected in the future. This thread is mainly about this seizure.

2. The newly mentioned seizure was conducted by ICE for copyright violations. Those domains are stored separately and have no affiliation with the malware domains that were seized.

I suppose this thread could be joined discussing both seizures, but the circumstances are much different. The 800,000 malware seized domains seem to be a complete mystery, with many questions and few answers. The latter ICE seizure is well documented.
 
Just to stay on track.

1. The domain in the OP was one of the 800,000 that was sinkholed by DOJ/Homeland Security. These are sinkholed @ ShadowServer.
The problem is that Shadowserver is only hosting 60,221 CNOBI domain names as of 01/January/2019. There was one domain name that had moved out to BODIS.COM, so it might have been an accidental sinkholing of a re-reg. It is possible to knock a domain name out of the zone files by removing its nameserver entries. That, rather than moving to a sinkhole, may be more efficient and can be done at a registry or registrar level.

This is the NGT breakdown (9,538) by gTLD for Shadowserver:

| gTLD | Domains |
|---|---|
| XYZ | 5806 |
| SPACE | 2316 |
| ONLINE | 433 |
| SITE | 215 |
| TECH | 205 |
| BID | 202 |
| TOP | 107 |
| WEBSITE | 106 |
| RENT | 100 |
| WIN | 23 |
| CLICK | 7 |
| CLUB | 7 |
| TRADE | 2 |
| LAND | 1 |
| BIKE | 1 |
| EMAIL | 1 |
| TODAY | 1 |
| SUPPORT | 1 |
| HOST | 1 |
| PRESS | 1 |
| WORK | 1 |
| DOWNLOAD | 1 |


Regards...jmcc
 
These seem to be the paragraphs that are creating the ICE confusion:
"WASHINGTON – More than 1 million copyright-infringing website domain names selling counterfeit automotive parts, electrical components, personal care items and other fake goods were criminally and civilly seized in the past year through the combined efforts of law-enforcement agencies across the world, high-profile industry representatives and anti-counterfeiting associations."

The 1.21 million domain names seem to be over the period of a year rather than in one single operation.

"Roughly 33,600 website domain names were criminally seized in a collaborative effort between ICE’s Homeland Security Investigations (HSI), Europol, Interpol and police agencies from 26 different countries. Industry partners participating in the operation were fully responsible for civilly seizing 1.21 million domain names and shutting down 2.2 million erroneous ecommerce links featured on social media platforms and third-party marketplaces."

The number of sites seized in a joint operation is much lower (33,600). It is, as Internet.Domains pointed out above, separate from the malware sinkholing.

Regards...jmcc
 
Just had a lovely call with the US DOJ contact in Pittsburgh. They are fast-tracking their review of Oreux.com and hopefully the domain can be released to Epik per the registrant's intentions.

During the call we also discussed the appeal process. The DOJ contact was also familiar with Epik's role in recovering Gab.com from a separate deplatforming action that was presumably not DOJ-led.

Next week I am scheduled to have a call with Benedict Addis of the Registrar of Last Resort. These guys all know each other and have worked together for some time.

Hopefully the DOJ will confirm what I believe and that is that the domain Oreux.com was not being used for nefarious purposes and was wrongfully included in the bulk takedown. The 2018 registrant had the domain parked at Undeveloped which can be verified here:

https://web.archive.org/web/20180801000000*/oreux.com

Going forward, the DOJ contact did authorize me to contact him directly in the event of future cases of wrongful takedown by ShadowServer. I call that progress as rapid takedown also needs rapid remediation in the case of wrongful seizure as I am 99% sure was the case here.
 
Thanks to @Rob Monster, it looks like there is a chance to recover the domain, if it is unlocked by 11 January, when it is due to expire. It's not about the value, it's about the idea that there are still some chances to recover a domain, even if it was forcefully taken down.
 
I talked to the DOJ again just now. The domain is apparently part of the Avalanche network and programmed to do whatever it does between now and November 2019. They intend to keep the domain sinkholed until then. The domain is basically unusable in the meantime and there is no compensation.

Of note, he also said they are not expecting to do more of these bulk takedown operations. I thought that was an interesting thing to say without being prompted. My guess is that the Registrar of Last Resort is going to be doing that dirty work going forward, but he did not say that specifically. Will talk to the RoLR CEO next week.
 
This is nonsensical. Suppose another botnet is created, which programs domains like Google.com, Sex.com, Music.com, Amazon.com, Games.com, X.com, AA.com, AB.com, AC.com, etc. into the "network" --- are they going to seize and sinkhole those too?
 
That's the concern. The Avalanche network has malware currently lying dormant and is expected to launch sometime in the future. Where? Nobody knows. This according to cybersecurity and hacker blogs.

That's why it's important to understand everything possible about the protocols and procedures for everything pertaining.
 