Soo.com stolen domain name - Currently on GoDaddy auctions

The whois history looked strange so I contacted the owner Gregory Soo. He did not list the domain for sale. The domain was stolen from his Network Solutions account. Who can I talk to at GoDaddy to get them to cancel this auction?
 
•••
The whois history looked strange so I contacted the owner Gregory Soo. He did not list the domain for sale. The domain was stolen from his Network Solutions account.
How did you contact him, and did he offer any additional information?

Great question. I'm wondering the same thing as well. Especially after @bhartzer said he also talked with the owner, and was told/reported conflicting information.

We just spoke with the owner Gregory Soo and he has told us that the domain name (SOO.com) is not a stolen domain name.

@bhartzer -- Same question, what form of communication did you contact Gregory Soo with?

And how did you/DNProtect confirm you were communicating with the real Gregory Soo and not an imposter attempting to manipulate you/DNProtect into vouching for/removing the alleged stolen status of (Soo.com) from DNProtect's "stolen domain database"?

However, if you look at the WHOIS record for the email address of the SOO domain, there is an email address using makaera.com, as the domain owner. And that domain expired. Did the current owner of SOO purchase makaera.com, set up the email address, and then take control of the SOO domain? Something doesn't add up here.

Did you mention any of the above to the owner Gregory Soo when he told you the domain (SOO.com) was not a stolen domain?

vir/.com and montreal/.com - it seems that admin email doesn't have 2FA. The tech email is using 2FA but it is not a smart idea to use user@gmail > another@gmail.

Yes, all very strange. At first I wondered if the gmails were added after losing access to Makaera.com and their historically used [email protected] email address when Makaera.com expired on August 22nd, 2021 and was re-registered on November 10th, 2021.

Shortly after wondering why the gmails were added, I noticed Whoxy.com historical WHOIS entries cached the change in WHOIS emails for Montreal.com from [email protected] to [email protected] sometime around August 21st, 2020 and October 22nd, 2020, e.g. over a year before Makaera.com expired, and 3+ years after the registrant company was listed as a dissolved status in Canadian business registries.


This August 2020 to October 2020 timeframe also matches up (Vir.com, Soo.com, Montreal.com) with nameserver changes away from long time used sophia.soo.com/rosedelima.vir.com nameservers to the first appearances of ns1/ns2.hostpapa.com nameservers.

All four below domains consistently held nameservers of sophia.soo.com / rosedelima.vir.com since at least 2008, with little to no nameserver changes until ns1.hostpapa.com/ns2.hostpapa.com was added to the following domains on the following dates:

Vir.com: August 23rd, 2020 domain nameservers changed to ns1.hostpapa.com/ns2.hostpapa.com.

Montreal.com: September 15th, 2020 domain nameservers changed to ns1.hostpapa.com/ns2.hostpapa.com.

Soo.com: September 15th, 2020 domain nameservers changed to ns1.hostpapa.com/ns2.hostpapa.com.

Makaera.com: June 18th, 2021 domain nameserver changed to ns1.hostpapa.com/ns2.hostpapa.com. ***Reminder, Makaera.com expired two months later, on August 21st, 2021***

In addition to the nameservers for Montreal.com and Soo.com appearing to have changed to ns1/ns2.hostpapa.com on September 15th, 2020, MX records were also changed on September 15th, 2020 for not only Soo.com and Montreal.com, but also for Makaera.com.

Vir.com had changed MX records in the aforementioned August 23rd, 2020 nameserver change date.

Historical MX Records (screenshots): Vir.com, Montreal.com, Soo.com, Makaera.com


If anybody can get in touch with the real Gregory Soo / Makaera Vir 2000, these questions might help add some clarity:

  1. Who owns the (at least) three valuable domains (Vir.com, Soo.com, Montreal.com) connected to or previously connected to [email protected]?

    WHOIS shows Makaera Vir 2000 Inc as the registrant, however Canadian business filings seem to show the corporation (which was formed in 1997) had dissolved nearly 20 years later in January 2017. Benjamin Soo, Gregory Soo, Karl Soo, and May Soo were all listed as directors.

  2. Were the 2020/2021 nameserver changes away from sophia.soo.com / rosedelima.vir.com to ns1/ns2.hostpapa.com authorized or unauthorized?

  3. If the HostPapa nameserver changes were authorized, is it possible/has Gregory Soo checked to see if their HostPapa account was compromised after the authorized change?

  4. If the HostPapa nameserver changes were not authorized, what was the assumed hacker doing changing the nameservers for Vir.com, Montreal.com, and Soo.com, 10 months prior to changing the nameserver of Makaera.com and 14 months before Makaera.com was dropped and re-registered... is it possible a hacker gained access to the Network Solutions account in at least 2020, prior to Makaera.com dropping, thus making the new registrant of Makaera.com unrelated to this alleged theft?

    Note: The new November 2021 registrant <[email protected]> of Makaera.com has over 38k domains according to Whoxy.com. Which unless a fake email was used, this doesn't seem to be the type of burner email address typically used in these types of thefts, hence why I question if the obvious first registrant of interest (e.g. the registrant who as of November 2021 had potential access to [email protected] email addresses) is even a registrant of interest at all, or if it's just some domainer who registered the Makaera.com due to its early 1994 WHOIS creation date, or some other metric.

•••
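An added example, not part of any post in this thread: the timeline correlation the post above works through by hand, in Python. The snapshot rows are constructed from the change dates quoted in that post (the 2008 rows stand in for "since at least 2008"), and all function and constant names are hypothetical.

```python
from datetime import date

BASELINE = frozenset({"sophia.soo.com", "rosedelima.vir.com"})
HOSTPAPA = frozenset({"ns1.hostpapa.com", "ns2.hostpapa.com"})
# Constructed snapshot rows: (domain, date observed, nameserver set).
SNAPSHOTS = [
    ("vir.com", date(2008, 1, 1), BASELINE), ("vir.com", date(2020, 8, 23), HOSTPAPA),
    ("montreal.com", date(2008, 1, 1), BASELINE), ("montreal.com", date(2020, 9, 15), HOSTPAPA),
    ("soo.com", date(2008, 1, 1), BASELINE), ("soo.com", date(2020, 9, 15), HOSTPAPA),
    ("makaera.com", date(2008, 1, 1), BASELINE), ("makaera.com", date(2021, 6, 18), HOSTPAPA),
]
# Expiry and re-registration of the contact-email domain, as dated in the post.
EXPIRED, REREGISTERED = date(2021, 8, 22), date(2021, 11, 10)


def first_departures(snapshots, baseline):
    """Return {domain: (date, nameservers)} for the first snapshot with no baseline NS."""
    seen_baseline, out = set(), {}
    for domain, observed, ns in sorted(snapshots, key=lambda r: (r[0], r[1])):
        if ns & baseline:
            seen_baseline.add(domain)
        elif domain in seen_baseline and domain not in out:
            out[domain] = (observed, frozenset(ns))
    return out


def cluster(departures, max_gap_days=45):
    """Group departures to the same nameservers that fall within max_gap_days of each other."""
    groups = []
    for domain, (when, ns) in sorted(departures.items(), key=lambda kv: kv[1][0]):
        last = groups[-1] if groups else None
        if last and last["ns"] == ns and (when - last["end"]).days <= max_gap_days:
            last["domains"].append(domain)
            last["end"] = when
        else:
            groups.append({"ns": ns, "domains": [domain], "end": when})
    return [g["domains"] for g in groups]


def months_before(departures, ref):
    """Whole calendar months by which each departure precedes the reference date."""
    return {d: (ref.year - w.year) * 12 + ref.month - w.month
            for d, (w, _) in departures.items() if w < ref}


if __name__ == "__main__":
    moved = first_departures(SNAPSHOTS, BASELINE)
    print(cluster(moved))
    print(months_before(moved, REREGISTERED))
```

Any domain that `months_before` reports against the re-registration date changed nameservers before the new registrant of the contact-email domain could have received mail for it, which is the point question 4 raises.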
vir/.com and montreal/.com - it seems that admin email doesn't have 2FA. The tech email is using 2FA but it is not a smart idea to use user@gmail > another@gmail.

I ran out of screenshots in my last post, but wanted to post again to include a screenshot of historical DomainIQ WHOIS entries for Vir.com comparing a January 19th, 2022 entry to a June 22nd, 2021 entry.

•••
>> Did you speak with the alleged thief, and he said the name wasn't stolen?
An email to the former registrant's email addresses, there was a response within minutes (which is odd, because that typically doesn't happen in my experience). The respondent was very quick to say "not stolen". It was odd, but not to say that they just happened to be using their email at the time.
 
•••
Our understanding is that Danny Sullivan 'caught' makaera when it expired. He then sold the domain to someone else.

I would also like to add that makaera had its name servers changed to Host Gator when the name was presumably sold by Danny Sullivan and thus went under privacy.
 
•••
The account attempting to sell soo[.]com on NamePros, @Gregory1, has been closed as a duplicate of @elmo514. @elmo514 has a history of creating duplicate accounts, some of which were used for questionable purposes.
 
•••
The name we have attached to @elmo514 does not match any of the names that appear in the WHOIS history for soo[.]com.
 
•••
Not sure how, or if this is even related, just noticed PlutoPatrol.com looks to have recently (2 days ago) left the long time used sophia.soo.com nameservers, and switched to ztomy name servers.


...

•••
The account attempting to sell soo[.]com on NamePros, @Gregory1, has been closed as a duplicate of @elmo514. @elmo514 has a history of creating duplicate accounts, some of which were used for questionable purposes.

@Paul -- Does @elmo514 have sufficient nP privileges to post in this thread?

We can see @elmo514 was recently viewing this thread, and can't help but wonder what type of contribution(s) that member could add to this thread. Curious if elmo is not posting because elmo has nothing to add, or if elmo's restrictions prohibit that member from commenting in this thread.


•••
@Paul -- Does @elmo514 have sufficient nP privileges to post in this thread?
Yes.

NamePros will be requiring both proof of identity and proof of ownership before @elmo514 is able to continue selling domains. @Gregory1 will remain closed as a duplicate account. @elmo514 is forbidden from opening additional accounts even if they pay for a gold membership.

I do not know whether they are Gregory Soo or whether they have legitimately purchased the domains in question from Gregory Soo; I just know they have been using multiple names on NamePros and have repeatedly violated our Terms of Service.
 
•••
An email to the former registrant's email addresses, there was a response within minutes (which is odd, because that typically doesn't happen in my experience). The respondent was very quick to say "not stolen". It was odd, but not to say that they just happened to be using their email at the time.

Have you had any more contact, besides the "not stolen" response?

I read on another website cached in search engines for "soo.com reported stolen" that you said you were in contact with 'the real owner' and that 'other domains are involved'. Thus, I'm not fully up to speed with your/DNProtect's position on the status of this domain.

E.g.

(1) Have you/DnProtect confirmed you are in contact with 'the real owner'?

(2A) is the domain 'not stolen' as you reported from the email response? OR (2B) are multiple domains involved, and thus, Soo.com (and what other domains?) are in fact stolen?


Our understanding is that Danny Sullivan 'caught' makaera when it expired. He then sold the domain to someone else.

Did you/DnProtect confirm this with Danny9?


I would also like to add that makaera had its name servers changed to Host Gator when the name was presumably sold by Danny Sullivan and thus went under privacy.

Very notable point!
 
•••
To answer your questions, @Chris Hydrick, there has been quite a bit of back and forth with a few people involved with this, most of it 'offline'. I'm pretty confident that the domain name was stolen.

>> Did you/DnProtect confirm this with Danny9
The domain name ownership history does show that Danny caught the domain; the domain was then sold to another party (I have confirmed this with another source).
 
•••