
If a domain marketplace sells a stolen domain, who's responsible?

NameSilo
Impact
360
If a domain marketplace sells a stolen domain name, should the buyer of that domain be reimbursed by the marketplace?

In this particular case, a stolen domain name was sold by a domain marketplace. The buyer of that stolen domain name wants his money back (rightfully so). Should the domain marketplace reimburse the buyer, as they sold a stolen domain?

The domain buyer won't turn over the domain back to the rightful owner unless they get paid for the domain. The buyer (current registrant who holds the stolen domain) has been provided evidence that the domain is stolen.
 
It's a difficult situation. This is why during an actual escrow process in real estate, there is a title search. With domains it is harder to see who actually owns it, especially with recent WHOIS changes.

I would generally say the marketplace should refund the money. Some fraud is a cost of doing business.

It really depends though on how much due diligence was done between all parties.

Brad
 

branding

Go orange.
Impact
7,670
>> Should the domain marketplace reimburse the buyer, as they sold a stolen domain?

Yes. They don't charge commission for nothing.

That's from a moral perspective. Legally speaking, a different story, depending on where the buyer and marketplace reside.

Then there's also a difference between B2B and B2C purchases.

Long story short, consult a lawyer :)
 

HotKey

Made in Canada
Impact
9,898
Where does the accountability to the thief (seller) come into this? Bad guy wins, good guys pay the price?

Maybe legal recourse is the only solution with the onus on the seller to give back funds and domain returned to original owner. In the interim, the marketplace has taken the steps to verify the seller's authenticity and thus has means to trace back to. So marketplace refunds to buyer, and pursues thief.

Or, is the onus on the original owner and the registrar to pursue the thief? Was this a hole in the registrar that allowed someone to come in, or a problem with the original owner and their account security? Was the stolen domain immediately reported so that it could be recovered?

I don't know if there's enough info to make an ultimate judgement.
 
Impact
360
>> Where does the accountability to the thief (seller) come into this? Bad guy wins, good guys pay the price?
>>
>> Maybe legal recourse is the only solution with the onus on the seller to give back funds and domain returned to original owner. In the interim, the marketplace has taken the steps to verify the seller's authenticity and thus has means to trace back to. So marketplace refunds to buyer, and pursues thief.
>>
>> Or, is the onus on the original owner and the registrar to pursue the thief? Was this a hole in the registrar that allowed someone to come in, or a problem with the original owner and their account security? Was the stolen domain immediately reported so that it could be recovered?
>>
>> I don't know if there's enough info to make an ultimate judgement.

I agree, not enough info. So I'll tell you the back story on this. It's a unique one.

Domain owner purchases domain at a domain marketplace (legitimately) at Registrar A. He paid $XXXX for the domain, left it at that registrar and renewed it until 2025.

At some point, domain owner's email was hacked, and the hacker got into the Registrar A account. Registrar A knows about the hack, and admits it happened. However, they say they cannot do anything because their system was not hacked, the email was hacked.

The hacker went into the account and deleted the domain. Then the domain dropped, and a drop catching service picked up the domain, and auctioned it for $XXX.

The current registrant did not buy the domain 'in bad faith' from the expired domain drop catching service. It's clear that the domain name was renewed until 2025, according to whois history (anyone can see it), the Registrar A admits there was a hack, and the original domain owner has filed a police report about the hack (and the deletion of his domain name).

Current registrant is offering to return the domain name to the original domain owner. But wants to get paid for what he paid for the domain.

The question is whether or not the original domain owner should pay the current registrant for the domain, or should the drop catching service pay? Or should Registrar A be liable? Or no one? Does the current registrant lose his money because he bought the domain that shouldn't have dropped, and the account was hacked?
 

inforg

Top Contributor
Impact
949
Buyer should be refunded by drop catch company. Domain returned to original registrant, and original owner and registrar A should pay some nominal fee to drop catcher (whatever a standard drop catch costs)

That is what would be right. What will really happen will be way messier. My guess - Either buyer or original registrant will get screwed and all the middlemen will fail to take responsibility.
 
>> I agree, not enough info. So I'll tell you the back story on this. It's a unique one.
>>
>> Domain owner purchases domain at a domain marketplace (legitimately) at Registrar A. He paid $XXXX for the domain, left it at that registrar and renewed it until 2025.
>>
>> At some point, domain owner's email was hacked, and the hacker got into the Registrar A account. Registrar A knows about the hack, and admits it happened. However, they say they cannot do anything because their system was not hacked, the email was hacked.
>>
>> The hacker went into the account and deleted the domain. Then the domain dropped, and a drop catching service picked up the domain, and auctioned it for $XXX.
>>
>> The current registrant did not buy the domain 'in bad faith' from the expired domain drop catching service. It's clear that the domain name was renewed until 2025, according to whois history (anyone can see it), the Registrar A admits there was a hack, and the original domain owner has filed a police report about the hack (and the deletion of his domain name).
>>
>> Current registrant is offering to return the domain name to the original domain owner. But wants to get paid for what he paid for the domain.
>>
>> The question is whether or not the original domain owner should pay the current registrant for the domain, or should the drop catching service pay? Or should Registrar A be liable? Or no one? Does the current registrant lose his money because he bought the domain that shouldn't have dropped, and the account was hacked?
In the scenario you gave, it seems like the current owner is least at fault of all the parties. They did nothing but bid on a domain that was listed at auction. I don't see why they should take the loss.

Brad
 
>> Current registrant is offering to return the domain name to the original domain owner. But wants to get paid for what he paid for the domain.
That seems more than reasonable to me. The current owner did nothing wrong and acquired the domain legitimately.

If the domain is valuable to the original registrant they should pay the fee, then take it up with the parties more responsible for what happened.

Brad
 
>> The question is whether or not the original domain owner should pay the current registrant for the domain, or should the drop catching service pay? Or should Registrar A be liable? Or no one? Does the current registrant lose his money because he bought the domain that shouldn't have dropped, and the account was hacked?
I would say the fault is somewhere between the original registrant, registrar, and drop catcher.

It is not clear who is responsible, and in what percentage. This is likely something a court would have to decide.

However, in this case you are talking about small money. It would probably be an order of magnitude higher cost wise to even file a proper lawsuit.

Brad
 
>> Buyer should be refunded by drop catch company. Domain returned to original registrant, and original owner and registrar A should pay some nominal fee to drop catcher (whatever a standard drop catch costs)

This is the most equitable solution as well IMO.

Though for it to happen, the drop catcher would have to agree, which I am skeptical of.

Brad
 

karmaco

Top Contributor
Impact
10,753
>> But in that case, did GoDaddy take the name out of the account and then refund the buyer?
No, they are GoDaddy and they don’t care about a loss for a buyer who is a domainer. Name was sold on DAN but held or transferred to GoDaddy.

Payout was in crypto to the thief. After GD took the name and said not our problem, DAN refunded the buyer.

There is a thread here. It was about 2 to 3 years ago.
 

HotKey

Made in Canada
Impact
9,898
That is interesting. Orchestrating the logistics on this is nothing short of fuzzy. The domain went through the process of its deletion to registration cycle. There is no real backpedaling on this.

So the thief didn't get anything out of this really, not even a domain. They just deleted it. There's probably still more to the story than meets the eye but can only be answered by the original registrant. How often do we hear of random accounts being hacked only to have a domain deleted?

I don't think anyone could really be held accountable for the refund, nor should the domain be transferred back to the original owner other than by the goodwill of the buyer and a finder's fee of sorts paid to them by the original owner, also as their own goodwill gesture.

Everyone else (drop catch, registrar) was just doing their jobs. Neither the registrar nor the drop catch can be held to compensating whatever monies a deleted domain sold for. What if it was in the five, six figures? Obviously no one wants their email hacked, but I think a certain onus lies between the registrant and registrar to handle a situation quickly enough, together, to recover a misused asset on a hacked account before it's too late.

Was the registrar notified in enough time so that they may have frozen the asset from being deleted? And if so, is it even in their power to reverse a deletion once submitted? This would obviously be an extraordinary circumstance.

A unique situation, indeed. It's hard to say who's responsible other than the original registrant on this.
 
Impact
360
>> So the thief didn't get anything out of this really, not even a domain. They just deleted it.
We know the domain was deleted; we don't know if that was done so the hacker could then buy it when it dropped, thus covering their tracks for having hacked into the domain registrar account. What we can look at is "what was the motivation of the hacker when they got into the registrar account, and why did they delete it?" If they had gotten into the account and transferred it to themselves, there would be some sort of traceable event, and they could be implicated somehow. If they deleted the domain and then bought it, they could then claim that they "legitimately" bought the domain.

The other issue here, though, is the fact that the domain owner renewed the domain name until 2025. There was SOME reason why a domain, renewed until 2025, suddenly drops. Should the drop catching service have checked the domain expiration and domain history (fairly easy to do), and not sold a domain that potentially had issues with it? The ownership history of a domain is out there for anyone to see.

>> It's hard to say who's responsible other than the original registrant on this.
I'm not so sure about that. Is the original registrant responsible for having his domain registrar account hacked and accessed without permission? What happened in this case is that the original registrant went to use the domain and it wasn't in his account.
 
Impact
360
>> I don't know who is responsible, but these hackers/thieves are frighteningly creative. I have never heard of a case where they deliberately delete the domain in order to "legitimately" try to get it as a backorder.
I hadn't seen a case like this until this case. If it's a valuable domain, then it seems that they would try "anything" to get ahold of the domain. And technically speaking, if the domain is deleted and they then buy it via a drop catching service, they could say that they bought the domain "legitimately".
 

WNC HOLDINGS

wnc.holdings
Impact
-1,415
This is a very unfortunate situation indeed. It speaks to a need for a greater consensus on how to protect domain assets moving forward. Many believed 2-step authentication would be the silver bullet so-to-speak. It hasn’t been.

Yes, bad-actors are getting EXTREMELY creative. This is where companies, investors and end-users would benefit from being more creative with their asset-protection and use-strategy moving forward. Fight fire with fire if you will.

Hopefully everything can be sorted out to the benefit of the deserving parties.

Chris
WNC HOLDINGS
 

iTesla

Established Member
Impact
265
I was watching one such domain; it was renewed to 2025, but unfortunately I forgot the name. I was shocked when I found out the new reg date and that I did not drop catch it.
Possibly it had "swap", "verse" or another word which I can't remember. I'm looking for a screenshot with the old date but can't find it.
They also should ask how the drop catcher knew the domain would drop, because I doubt he added it earlier to wait the remaining years until it dropped.
 
Impact
14,051
Hi

how was the domain able to be deleted, if regged until 2025?
also, did the account, receive a refund?

also, the current owner would have had to "backorder" the domain at the drop catcher, for them to get it.

an investigation would have to get the "number of bids" for that name from drop service, to see if more than 1 person ordered it, in order to rule out or implicate, the current owner in a scheme.

imo...
 
>> Hi
>>
>> how was the domain able to be deleted, if regged until 2025?
>> also, did the account, receive a refund?
>>
>> also, the current owner would have had to "backorder" the domain at the drop catcher, for them to get it.
>>
>> an investigation would have to get the "number of bids" for that name from drop service, to see if more than 1 person ordered it, in order to rule out or implicate, the current owner in a scheme.
>>
>> imo...

Many, if not the vast majority, of registrars have the ability to delete a domain early. There could be a legit reason like to settle a TM dispute.

With that said, every registrar should be required to do serious due diligence when one is requested, especially since it is so far outside the norm. They should be skeptical and make the registrant prove their identity and verify their intentions.

Brad
 
Impact
360
>> how was the domain able to be deleted, if regged until 2025?
It was deleted, someone went into the account and deleted it. That's all we know.

>> also, did the account, receive a refund?
The account did NOT receive a refund.

>> also, the current owner would have had to "backorder" the domain at the drop catcher, for them to get it.
Agreed, it seems suspicious.

>> an investigation would have to get the "number of bids" for that name from drop service, to see if more than 1 person ordered it, in order to rule out or implicate, the current owner in a scheme.
I have actually been able to get a list of those who bid, who won it, and their usernames.

>> With that said, every registrar should be required to do serious due diligence when one is requested, especially since it is so far outside the norm. They should be skeptical and make the registrant prove their identity and verify their intentions.
Yeah, well that never happened as far as I know. The registrar took the renewal until 2025 but allowed it to be deleted with no questions asked. Even after their customer had paid mid $XXXX for the name.
 
Impact
684
Several years ago I purchased a 3 char on Flippa and received the domain in my account at GoDaddy. I should have transferred it out or paid with credit card, but newbie mistake. 3 days later the domain vanished from my GoDaddy account because apparently it was stolen.

I thought about suing because GoDaddy's own TOS says they do not get involved in 3rd party domain disputes. In my opinion, it was negligence on the original owner's part and I should be reimbursed for my losses.

Either way, lesson learned.
 

iTesla

Established Member
Impact
265
If this is the domain that I was watching, here are some points that I remember.
1. The domain was expiring this year (did a WHOIS); I added it at SAV backorder in hope of drop catching.
2. The domain was renewed to 2025 (did a WHOIS); I removed it from SAV backorder, not worth waiting.
3. After some time, out of interest, I checked the WHOIS of the domain again. To my surprise it had a new reg date and had been drop caught, if not mistaken at DropCatch. The domain was deleted for sure, when it has a new reg date so fast, because it becomes available fast; there is no pending delete period in such a case.

If @bhartzer wants, you can DM me the name, because I don't remember properly which one it was. Total confidentiality applies; maybe I will find additional data.
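
The history check raised in the thread (a name renewed until 2025 that suddenly shows a new registration date) can be automated over WHOIS-history snapshots. This is an added example, not part of any post: the snapshot records, their dates and the `find_early_drops` helper are constructed for illustration. The 366-day threshold is an assumption, chosen because a registry's auto-renewal at expiry can make a normally dropped name appear to have up to a year of term left.

```python
from datetime import date

# Constructed WHOIS-history snapshots (not real data): one record per lookup.
HIJACK_PATTERN = [
    {"seen": date(2021, 3, 1), "created": date(2015, 6, 10), "expires": date(2022, 6, 10)},
    {"seen": date(2021, 9, 1), "created": date(2015, 6, 10), "expires": date(2025, 6, 10)},
    {"seen": date(2022, 2, 1), "created": date(2022, 1, 20), "expires": date(2023, 1, 20)},
]
# Constructed control: the name expires, is not renewed, and drops normally.
NORMAL_DROP = [
    {"seen": date(2021, 3, 1), "created": date(2015, 6, 10), "expires": date(2022, 6, 10)},
    {"seen": date(2022, 9, 1), "created": date(2022, 8, 25), "expires": date(2023, 8, 25)},
]


def find_early_drops(snapshots, min_remaining_days=366):
    """Flag re-registrations that happened while the previous registration
    still had at least min_remaining_days of paid term left."""
    ordered = sorted(snapshots, key=lambda s: s["seen"])
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["created"] <= prev["created"]:
            continue  # same registration, possibly renewed in between
        remaining = (prev["expires"] - cur["created"]).days
        if remaining >= min_remaining_days:
            findings.append({
                "old_expiry": prev["expires"],
                "new_created": cur["created"],
                "remaining_days": remaining,
            })
    return findings


if __name__ == "__main__":
    for f in find_early_drops(HIJACK_PATTERN):
        print(f"re-registered {f['new_created']} with {f['remaining_days']} days "
              f"left on the prior term (expiry {f['old_expiry']}): hold for review")
```

A drop-catching service or buyer could run a check like this before auction or payment, and an owner could run it as a monitor on their own names; a hit means the name was deleted mid-term and is worth holding for review, not proof of theft.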
 