Assess my case

Step-by-step: reverse an unauthorized transfer of a .net domain

Step-by-step: reverse an unauthorized transfer of a .net domain. UDRP and ccTLD domain recovery and defense across .net. Email the firm to assess your case.

You log into your registrar account and discover that a .net domain you have owned for years is gone. The WHOIS record shows a new registrant. No authorization email was ever sent. Your account may have been compromised, or the registrar's transfer-approval process may have been manipulated. Either way, the clock is already running against you.

To reverse an unauthorized transfer of a .net domain, you must move along two parallel tracks simultaneously: an emergency registrar escalation to lock the domain and block further movement, and a formal recovery action – typically a UDRP complaint before WIPO – to compel a return of the name. A standard WIPO case runs approximately two months from filing, and the official filing fee starts at USD 1,500 for a single-member panel on a single domain. Evidence of account compromise, ownership history, and the absence of any authorization is what decides the outcome.

This guide walks each step in sequence, identifies the trap buried in each one, and explains when a court route may serve you better than arbitration.

Why .net domain theft creates an urgent, multi-track problem

An unauthorized transfer of a .net domain is not a simple dispute about registration rights. It is an account security incident, a contractual breach by one or more registrars, and a potential intellectual property violation – all at once. The domain remains subject to ICANN's Registrar Accreditation Agreement and the UDRP, which applies to all gTLDs including .net. That means the dispute-resolution machinery is available to you, but so is the possibility of a second unauthorized transfer before you can stop it.

In our practice, we see stolen domains moved through two or three registrars in rapid succession. Each hop resets the 60-day transfer lock under ICANN rules, and each hop is designed to make forensic tracing harder. Speed in the first 24 to 48 hours is not optional. What many domain owners do not realize is that the ICANN transfer-dispute resolution mechanism – a separate procedure from the UDRP – can run concurrently with a UDRP complaint when a registrar-to-registrar transfer is involved. Knowing which track leads where is the first decision you will make.

Step 1: Lock the domain and document the compromise before anything else

The first action is to contact your losing registrar – the one from whose account the domain was transferred – and request an emergency domain lock and transfer dispute. Do this within hours, not days. ICANN's transfer policy gives the losing registrar a short window in which it can challenge the transfer if the proper authorization procedures were not followed.

The trap: registrar support queues are slow, and "ticket opened" is not the same as "domain locked." Escalate immediately to the registrar's abuse or security team, not standard customer service. Request written confirmation that the domain has been placed on REGISTRAR-LOCK status with the receiving registrar. Ask for the full transfer authorization log – every email or token sent in connection with the transfer – and preserve it with timestamps. This log is exhibit one in any subsequent proceeding.

Simultaneously, document everything about the account compromise: password-reset emails you did not initiate, unfamiliar login IP addresses from the account activity log, any phishing communications, and any change to the WHOIS administrative email that preceded the transfer. In a recent matter involving a .net domain used in a financial-services brand (spring 2025), we found that the attacker had changed the administrative contact email 11 days before initiating the transfer request – a gap that was clearly visible in account logs but that the registrar had not flagged automatically.

Step 2: File a transfer dispute with ICANN or the registrar – and understand its limits

ICANN's inter-registrar transfer policy includes a dispute mechanism: the losing registrar may challenge a transfer that did not comply with the authorization requirements, typically within a defined challenge period. This is a fast, low-cost procedural route – but its remedy is limited. It can reverse a transfer that breached the policy mechanics. It cannot adjudicate bad faith, it cannot award you the domain if the current holder contests ownership, and it does not function once the domain has moved to a second or third registrar after the initial unauthorized hop.

The ICANN transfer dispute mechanism is therefore most useful when the theft was recent, the domain has not moved again, and the procedural breach is clear from the authorization logs. If any of those conditions are absent, it is a supplementary track, not the primary one. Do not wait for its outcome before preparing the UDRP complaint described in Step 3.

If you are at this stage and unsure whether the ICANN transfer dispute window is still open for your domain, contact info@cognomenlaw.com. We will assess the timeline and the authorization log to determine which track is still available.

Step 3: Prepare and file a UDRP complaint at WIPO

For a .net domain, the UDRP is the primary formal recovery mechanism. WIPO is the appropriate forum for most cases: it handles the large majority of UDRP proceedings globally and offers an expedited option for single-panel cases of up to five domains, delivering a decision in approximately one month. The standard single-panel filing fee at WIPO is USD 1,500 for one to five domains.

A theft-based UDRP complaint differs from a standard cybersquatting complaint in one important respect. The three elements of Paragraph 4(a) still apply – confusing similarity to your mark, no legitimate interest, and registration and use in bad faith – but in a theft scenario, the panel's analysis of elements two and three looks at the full factual record of account compromise rather than the holder's commercial purpose. Panels have consistently held that a party who acquires a domain through unauthorized means cannot have a legitimate interest in it, and that the method of acquisition itself constitutes bad faith registration.

The trap here is the word "mark." To satisfy element one, you need trademark rights – a registered mark, or common-law rights established through use. If your .net domain was a purely descriptive string with no associated trademark, element one becomes genuinely difficult. Address this early. Pull your trademark registration records, document your commercial use of the name, and assess whether the domain string is identical or confusingly similar to a mark you actually hold.

Build the complaint around three evidence pillars: (a) proof of your original registration and continuous ownership – the original registration confirmation email, billing history, historic WHOIS data, and any ICANN-archived registration records; (b) proof of unauthorized transfer – the account compromise evidence assembled in Step 1; and (c) proof of the current holder's bad faith – any demand for money, any use of the domain in a phishing or fraud scheme, or any pattern of similar domain acquisitions by the same party.

As you prepare the filing, choose between a single-member panel and a three-member panel. A single-member panel costs USD 1,500 at WIPO and typically decides within two months. A three-member panel costs USD 4,000 but is warranted when the factual record is dense, the domain is high-value, or you anticipate a contested response requiring broader deliberation. In theft matters, the facts are usually clearer, and a single-member panel is often appropriate.

What evidence actually decides the outcome?

Panels adjudicating unauthorized-transfer complaints are looking for the same thing any fact-finder looks for: a coherent timeline that the evidence supports and the opposing party cannot plausibly rebut. In our experience handling domain theft recovery, the complaints that succeed fastest are those that present a clear chronology of ownership, a documented moment of compromise, and a current holder with no plausible story of good-faith acquisition.

The strongest evidence set includes original registrar confirmation emails with timestamps, historic third-party WHOIS snapshots from web archive services (which panels treat as reliable secondary sources), bank or credit-card records showing annual renewal payments you made, and – where the domain was used commercially – screenshots of the associated website or email records sent from the domain. Supplement this with any communications from the unauthorized holder demanding payment or attempting to sell the domain back to you.

What weakens a complaint? Long gaps in ownership documentation, a domain registered in someone else's name even if you paid for it, prior transfers you initiated that muddy the chain of title, and any delay in filing after discovery. Panels have declined to infer bad faith from thin records. We regularly advise clients to gather the complete ownership dossier before filing, not after.

A note on default: if the unauthorized holder does not respond to the complaint, the panel decides on the record before it. Default is not an automatic win. The panel still evaluates the evidence independently. A sparse complaint that relies on the other side's silence will not survive a careful panel. Build the record as if the holder will contest every point.

When does a court route beat arbitration for .net theft?

The UDRP's remedies are limited to transfer or cancellation of the domain. No monetary damages, no costs award, no injunction. If the unauthorized transfer caused you quantifiable business losses – diverted sales, fraudulent invoices sent under your domain, customer data harvested through a cloned site – arbitration cannot make you whole. A US anticybersquatting action in federal court can reach damages and may support emergency injunctive relief freezing the domain pending judgment.

The decision between routes follows the facts. If you want the domain back and nothing else, and the holder is identifiable and the UDRP elements are met, arbitration is usually faster and significantly less expensive. If the holder is anonymous behind privacy services, has already monetized the domain fraudulently, or has moved the domain out of reach of a quick ICANN escalation, court provides subpoena power to unmask the registrant and broader remedies once it does. For cross-border situations – where the unauthorized holder is outside the United States and the domain has been parked at a registrar in a foreign jurisdiction – the UDRP remains the more practical first step, with court action handled by local litigation counsel in the relevant jurisdiction as a parallel or subsequent track.

A worked example helps here. In a matter involving a .net domain that had been transferred without authorization to a holder who immediately used it to distribute spoofed invoices to the original owner's customers (summer 2025), we filed a UDRP complaint at WIPO for the domain recovery and coordinated with local litigation counsel on a parallel injunction application in the relevant jurisdiction. The two tracks moved simultaneously: the UDRP delivered a transfer order in approximately seven weeks; the court order froze the associated email infrastructure while the UDRP ran. Neither track alone would have addressed both the domain and the ongoing fraud.

If you have already received a demand for payment from whoever holds your domain, or if the domain is being used to harm your customers, do not wait for the UDRP to run its course alone. Email info@cognomenlaw.com to weigh the parallel-track options for your situation.

Step 4: Manage the response period and the registrar-lock during the proceeding

Once a UDRP complaint is filed and the case commences, the domain is placed under a registrar lock by ICANN rules: it cannot be transferred, deleted, or modified during the proceeding. The respondent has 20 days from commencement to file a response. If no response is filed, the panel proceeds on the complainant's record. If a response is filed, the panel may – but is not required to – allow supplemental submissions.

The trap at this stage is complacency. A registrar lock during a UDRP proceeding prevents further transfer, but it does not prevent the current holder from continuing to use the domain – pointing it at a phishing site, sending emails from it, or using it in additional fraud. Monitor the domain's DNS activity throughout the proceeding and document any harmful use that occurs. That documentation supports both the bad-faith element of the pending complaint and any parallel court or law-enforcement action.

If the current holder files a response that raises a colorable legitimate-interest defense – for example, a claim that the domain was purchased in good faith on the secondary market without knowledge of the theft – consult on whether to request a three-member panel (the complainant can do so after the response is filed, with the cost implications described above). A three-member panel provides a broader deliberation and a stronger precedent if the case is disputed on the merits.

Step 5: Implement the transfer order and secure the domain after recovery

If the panel orders a transfer, there is a standard 10-business-day waiting period before the registrar implements it. This window allows the current holder to initiate court proceedings to suspend the order. Suspension is unusual in clear theft cases, but monitor for it. Once the waiting period passes without a court filing, the registrar transfers the domain to you.

Receiving the domain back is not the end of the process. It is the beginning of a hardening exercise. Immediately after transfer: change all account credentials at the receiving registrar; enable two-factor authentication if not already active; place the domain on REGISTRAR-LOCK to prevent further outbound transfers; and audit the domain's DNS records for any modifications made during the period of unauthorized control – malicious redirects, MX records pointing to attacker-controlled mail servers, or nameserver changes can persist even after the domain returns to you. In our practice, we advise clients to treat a recovered domain as a compromised asset and perform a full DNS and email-infrastructure audit before resuming normal operations.

Finally, consider filing a complaint with ICANN against the losing registrar if the transfer-authorization procedures were not properly followed. This does not affect your recovery, but it creates a record that may inform ICANN's oversight of that registrar's compliance and potentially support a costs argument if you pursue parallel court action.

Related at COGNOMEN

Frequently asked questions

How long does it take to reverse an unauthorized transfer of a .net domain?

The timeline depends on which track you use. An emergency registrar escalation can freeze the domain within days if acted on promptly. A UDRP complaint at WIPO typically resolves in approximately two months for a single-member panel; WIPO's expedited option for single-panel cases of up to five domains targets approximately one month. Court action is slower – from weeks to many months depending on jurisdiction and whether emergency injunctive relief is sought. The registrar escalation and the UDRP complaint can run simultaneously, and in theft cases both should begin immediately.

What does it cost to reverse an unauthorized transfer of a .net domain at WIPO?

WIPO's filing fee for a single domain, single-member panel is USD 1,500. A three-member panel costs USD 4,000. These are the official forum fees only; legal fees for preparing and filing the complaint are separate and depend on the complexity of the factual record. In straightforward theft cases, market rates for UDRP legal representation typically fall in the USD 3,000 – USD 7,000 range, separate from the forum fee. If the complaint is withdrawn or the case is terminated before a panel is appointed, WIPO provides a partial refund of the filing fee.

Do I need a lawyer to reverse an unauthorized transfer of a .net domain?

The UDRP does not require legal representation, and some complainants file without counsel. In unauthorized-transfer cases, however, the factual record is complex – account compromise logs, ownership chain documentation, forensic DNS evidence – and the complaint must present that record coherently against a three-element legal test. Panels have rejected technically meritorious theft claims where the evidence was poorly organized or the legal analysis was incomplete. We regularly see self-filed complaints fail on element one (trademark rights) or on bad-faith analysis, in cases where the underlying facts strongly favored the original owner.

Speak with Cognomen Law

For a scoped view of your domain matter, contact info@cognomenlaw.com. Discuss your matter

Related

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@cognomenlaw.com.