Where does the accountability to the thief (seller) come into this? Bad guy wins, good guys pay the price?
Maybe legal recourse is the only solution with the onus on the seller to give back funds and domain returned to original owner. In the interim, the marketplace has taken the steps to verify the sellers authenticity and thus has means to trace back to. So marketplace refunds to buyer, and pursues thief.
Or, is the onus on the original owner and the registrar to pursue the thief? Was this a hole in the registrar that allowed someone to come in, or a problem with the original owner and their account security? Was the stolen domain immediately reported so that it could be recovered?
I don't know if there's enough info to make an ultimate judgement.
I agree, not enough info. So I'll tell you the back story on this. It's a unique one.
Domain owner purchases domain at a domain marketplace (legitimately) at Registrar A. He paid $XXXX for the domain, left it at that registrar and renewed it until 2025.
At some point, domain owner's email was hacked, and the hacker got into the Registrar A account. Registrar A knows about the hack, and admits it happened. However, they say they cannot do anything because their system was not hacked, the email was hacked.
The hacker went into the account and deleted the domain. Then the domain dropped, and a drop catching service picked up the domain, and auctioned it for $XXX.
The current registrant did not buy the domain 'in bad faith' from the expired domain drop catching service. It's clear that the domain name was renewed until 2025, according to whois history (anyone can see it), the Registrar A admits there was a hack, and the original domain owner has filed a police report about the hack (and the deletion of his domain name).
Current registrant is offering to return the domain name to the original domain owner. But wants to get paid for what he paid for the domain.
The question is whether or not the original domain owner should pay the current registrant for the domain, or should the drop catching service pay? Or should Registrar A be liable? Or no one? Does the current registrant lose his money because he bought the domain that shouldn't have dropped, and the account was hacked?