WARNING: SEVERAL STOLEN NAMES, MUST READ!

[TheLegendaryJP]

I am back to running down thieves, never stopped but stumbled across a rather large operation a week ago and feel I need to share with the community. I am aware it may tip off the thief to a degree but unless the names are made public he is and will continue to sell them. He likes contacting domainers privately and using 4.CN. He also uses several rars and sometimes transfers ownership 1-2 times to make separation.

Back round: About 1+ weeks ago I was informed of a stolen 4 letter dot com (remain anon for now).

I was asked for my help in recovery of said name and have done so, in fact any day now it will be recovered. I have many people at RAR's to thank and will once back to rightful owners account.

As par the course when you discover 1 you unearth many more and this case is no different.

Most all these names were stolen in 2015 and up until recently (most seem to be from web.com rars/register.com/netsol but not always). I reverse searched the thief and discovered in 2015 he went from owning a dozen or so "garbage" names to suddenly trading in 3L dot com 4L dot com 4-5N dot com etc. Rather a huge upswing set off red flags. I placed several calls to their former owners and confirmed many are stolen. I also discovered a few are legit buys from drops and other places, likely with funds made from selling the stolen names. My advice at this point avoid buying anything from this person it is just too risky and they are a confirmed thief. It was also interesting to tie them to the theft of Ammar.com, google that story, name was recovered. I also noticed this thief was a member of Namepros until banned but no reason I can see was given.

If you have a good contact for 4.CN please notify them of these thefts and the names being listed on their site! Hopefully they will remove them and ban his account.

Names confirmed stolen are as follows, names I cannot confirm yet have a (?) beside them, waiting to be contacted.

1371.com STOLEN spoke to victim
XXXX.com STOLEN working to recover will unveil name once complete
VXL.com STOLEN?
AMMAR.com STOLEN and recovered
09931.com STOLEN?
ETTI.com STOLEN?
ETST.com STOLEN?
PJDO.com Apparent buy off drop
MMAZ.com STOLEN?
7576.com STOLEN? Hope not because it appears thief already resold
ESVV.com STOLEN?
39339.com STOLEN?
2517.com STOLEN?
LFQH.com STOLEN Spoke with victim
PZYA.com STOLEN?
RQEI.com STOLEN?
ZAWA.com STOLEN?
QURO.com STOLEN

Thieves info is as follows, he went from showing info to using privacy but the link to him is undeniable. He also seems to like to scatter where he transfers them too as well.


Registrant Name: STANISLAV KHRAMOV
Registrant Organization:
Registrant Street: METALLURGOV 7-7
Registrant City: MAGNITOGORSK
Registrant State/Province: CHE
Registrant Postal Code: 455023
Registrant Country: RU
Registrant Phone: +7.9124020000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]

Ammar.com which was I believe one of if not the first name he stole, notice the email contact, same guy as above but he changed that email out on his later thefts since that cover was blown. I believe he brute force the registrants password and switched out email to complete the theft.

Registrant Name: Mohammed Ali
Registrant Organization: Mohammed Ali
Registrant Street: Villa 24, Block 4, Al-Mutawakel Street
Registrant City: Kuwait City
Registrant State/Province: Da-aiyah
Registrant Postal Code: 13113
Registrant Country: KW
Registrant Phone: +965.22563033
Registrant Fax: +965.22563033
Registrant Email: [email protected]


Here was his namepros.com account I believe....God only knows if Poob.com was clean?
https://www.namepros.com/threads/poob-com.846270/

If you have any info on this guy please share.


UPDATE TO COME!

 

[TheLegendaryJP]

ETTI is coming up for auction on NameJet:

http://www.namejet.com/Pages/Auctions/BackorderDetails.aspx?domainname=etti.com

Looks like the thief renewed it.

Domain Name: ETTI.COM
Registrar: ALPNAMES LIMITED
Sponsoring Registrar IANA ID: 1857
Whois Server: whois.alpnames.com
Referral URL: http://www.alpnames.com
Name Server: NS1.4.CN
Name Server: NS2.4.CN
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date: 25-aug-2016
Creation Date: 30-jan-1999
Expiration Date: 30-jan-2018

 

[TheLegendaryJP]

Thank you for the answers Eric, great help, glad np's member avoided buying that name.

 

[NYK]

Your post has been read by several Chinese domainers/community and

Eva Wang from DN.com will label these as stolen names in their database.

 

[Addison]

like a showcase thread for an extesion or niche.. except for stolen domains

Superb idea! I would follow it.

 

[WilsonM]

You guys are doing a public service. Hope that guy gets what he deserves.

 

[TheLegendaryJP]

To answer in short, no all transfers recorded, they cannot play with dates in whois. They can photo shop what they want but the recorded whois data, no.

As far as brute force your account, sure they can and they do, I am sure it is one of the ways our thief here works that and many other ways.

 

[Blueforever]

Terrible news. A stolen domain database would be ideal. Has anyone tried to put one up?

I have the perfect name if anyone wants to build it out
Stolen.domains

 

[Kenny]

Sold through GD.
Perhaps @Joe Styler could chime in here.

Peace,
Cyberian

 

[biggie]

Keep up the great work JP!

 

[TheLegendaryJP]

UPDATE:

Several of these names continue to be listed or offered for sale. My only advice to everyone is be careful what you buy. How many of these names resold since this thread 2 years ago I do not know but the risk is not worth the reward. Economically and ethically I advise to stay clear. My hope is any platform besides the 3 already mentioned continue to block/ban the sale of these names if the ownership still shows the thieves. Time does NOT heal a domain theft, it IS a hot potato.

 

[TheLegendaryJP]

Terrible news. A stolen domain database would be ideal. Has anyone tried to put one up?

No database I am aware of we just share as we come across them. My only fear is the Chinese are not reading these forums as much as they could to see what may be mentioned.

If you are in the domain community and know of this and other forums, do your do diligence and search the name, no reason to say you didn't know. Not sure if as many Chinese buyers pay attention to the forums in comparison to the number of buyers they have.

 

[TheLegendaryJP]

Excellent info John, thank you. I figured 7576.com did resell unfortunately but never to late to try and recover.

So Bassta new name to look out for associated with the thief.

https://domenforum/showthread.php?p=1381925#post1381925

I wonder if one of our Russian speaking members can join that forum and warn them in that thread, looks like offers are being made on the stolen names.

 

[JeremyK]

How is possible to stole domains? :O

 

[TheLegendaryJP]

I see someone in that Russian domain forum found this thread and posted a link, hopefully they all stay clear of the thief. They should because any names they buy and are recovered they will lose all their money.

https://domenforum/images/statusicon/post_old.gif 12.09.2016, 23:58

#1009
trader https://domenforum/images/misc/menu_open.gif

https://domenforum/customavatars/avatar1680_2.gif

Регистрация: 11.02.2006
Адрес: KIEV-LONDON
Сообщений: 2,211

Доменные сделки: 60
Реноме: 1455



https://domenforum/images/buttons/collapse_alt.gif Одобрения
Спасибо (Отдано): 56
Спасибо (Получено): 156


Сообщение от Bassta https://domenforum/images/buttons/viewpost.gif
А у меня есть 39339.com - у кого круче?)))
39339.com был украден?
https://www.namepros.com/threads/war...t-read.971376/

 

[campout]

ETTI is coming up for auction on NameJet:

http://www.namejet.com/Pages/Auctions/BackorderDetails.aspx?domainname=etti.com

 

[TheLegendaryJP]

Why, did you buy from him?

 

[stimpi777]

I am selling 2an2.com on go daddy - I always google a domain before I sell any domain. I found some newbie at Flippa had it for sale already. I pitched at fit. Flippa said:

Hey James,
Thanks for touching base with us on your domain.
Looks like the previous owner had an older listing for the domain on his account, I went ahead and canceled it so that you could upload it to yours.
Please let me know if you have any other questions or need help with anything else!
Thanks,

I google every domain and I an always looking at my NS.

 

[NYK]

I will share this thread in WeChat.. I think there r members fr 4.cn

 

[TheLegendaryJP]

I will share this thread in WeChat.. I think there r members fr 4.cn

Thank you NYK

 

[alcy]

Terrible news. A stolen domain database would be ideal. Has anyone tried to put one up?

a good thread about only that on namepros can be good enough for that.
it gets easily indexed into google searches etc.
like a showcase thread for an extesion or niche.. except for stolen domains

 

[WhoaDomain.com]

saw this on that domenforum dot net site. posted by mattNetsol.

Posted by Bassta https://domenforum/images/buttons/viewpost.gif
From 4N currently have:
1371.com
2517.com
7576.com month ago 2755.com sold for $ 48K


Stasik steal domains is bad. We have already filed a complaint with the Department To carry out the fight against computer crime, is now apply to the police in Magnitogorsk. Also, I believe the Federal Tax Service will be very interesting to look at your bank account, but that is a secondary matter.

Oh schuckz! he's in trouble now! they've brought in Magneto from X-men!

 

[TheLegendaryJP]

saw this on that domenforum dot net site. posted by mattNetsol.

Posted by Bassta https://domenforum/images/buttons/viewpost.gif
From 4N currently have:
1371.com
2517.com
7576.com month ago 2755.com sold for $ 48K


Stasik steal domains is bad. We have already filed a complaint with the Department To carry out the fight against computer crime, is now apply to the police in Magnitogorsk. Also, I believe the Federal Tax Service will be very interesting to look at your bank account, but that is a secondary matter.

Great stuff, my hope is they give him some Russian style justice, his brazenness is sickening.

 

[WhoaDomain.com]

Here's a thought and it's something I've asked on NP and never got a reply. After reading this thread. Anyone ever get the "Feeling" the you registered or bought a specific domain but since you have so many you can't keep track?

You read threads on NP about a niche you are following. Then you think hmmm what did I have in that niche? oh yea! I remember regging blahblahblahvr.com then you check it's not in your account. then you check the whois. and it's owned by someone else.

and you check the date. it was registered years before.

could these thieves like this guy brute force a domainers registrar account and cherry pick certain domains and take it out the account without and record even of a transfer? and then somehow "fudge" the whois data to make it look like it was registered years before?

maybe I'm just being paranoid but you can't be too paranoid these days. anything is possible. if they can hack the NSA. trust me they can hack anything if given enough motivation.

 

[TheLegendaryJP]

There is no doubt he is the thief, you do not buy 20+ stolen domains from 20 different people within 18 months and expect us to believe on top of that nearly improbable scenario you have no real proof of paying anyone because bitcoin.

One stolen name, maybe even a few from the same seller but not 20+ all owned by different people, this guys lies lack creativity and insult intelligence.

Keep in mind as he flips the stolen domains I have seen where he does buy with the ill gotten gains.

Any way appreciate the calls to the reg.ru rar and reporting this guy.

 

[dordomai]

I don't really see how this may help. If a thief wants to transfer a domain from your account, he will have to have an access to your email account to confirm it. Unless you indicate a different email for domain unlocking notification.

I meant you use a monitoring service that is not from the registrar and that uses a different email.

I think the best thing is to use several email aliases(WHOIS, contact, registrar, monitoring etc.) and have them forwarded to your main email address.

Personally I would avoid using your primary email address in WHOIS. You are making yourself a much easier target by giving a potential attacker this information.