Assess my case

Step-by-step: reverse an unauthorized transfer of a .store domain

Step-by-step: reverse an unauthorized transfer of a .store domain. UDRP and ccTLD domain recovery and defense across .store. Email the firm to assess your case.

You log in to your registrar account one morning and the .store domain anchoring your e-commerce brand is gone. The WHOIS record now shows a stranger as the registrant. The transfer happened overnight — without your instruction, without your authorization code, and without any notification you recognized. This is domain theft, and the clock starts the moment you discover it.

To reverse an unauthorized transfer of a .store domain you must move through three distinct layers: an emergency registrar lock to stop onward movement, a transfer-reversal complaint backed by documented account compromise, and — if the registrar chain fails — a UDRP complaint at WIPO or the Forum, or court action where arbitration cannot reach the remedy you need. The registrant has 20 days to respond once a UDRP case commences; acting before those windows close is decisive. The official WIPO filing fee starts at USD 1,500 for a single-member panel covering one to five domains.

This guide walks each step in sequence, names the trap each step hides, and helps you choose the right path before evidence evaporates.

What governs .store — and why the recovery path differs from a simple theft complaint

The .store gTLD operates under ICANN's standard accreditation rules, which means the UDRP applies and WIPO, the Forum, and CAC all have jurisdiction. That is useful, but domain theft is a different legal animal than a cybersquatting dispute. How does the distinction matter in practice? Quite significantly.

A UDRP complaint requires a trademark. It asks whether a third party registered and used a domain in bad faith. Theft — an unauthorized transfer out of a legitimate owner's account — does not fit that template cleanly, because the original registrant may not hold a registered trademark, and the "registration" element of Paragraph 4(a) may be read as applying to the original registration, not the unauthorized transfer event. Panels have treated fraudulent transfers inconsistently under the UDRP, and some have declined jurisdiction on the ground that the dispute is really a contract or identity-fraud matter between registrant and registrar.

The more reliable first resort in a .store theft is the registrar's internal transfer-dispute channel, backed by an ICANN Transfer Dispute Resolution Policy (TDRP) escalation if the gaining registrar is uncooperative. That route is administrative, faster than arbitration in many cases, and does not require you to prove bad faith against a mark — it requires you to prove the transfer was unauthorized. We regularly advise registrants who conflate these two paths and lose days filing the wrong complaint.

If the domain has since been re-sold or the gaining registrar is unresponsive, the picture shifts: a UDRP may become viable if the current holder is monetizing the domain against your brand, and court action — with its injunctive capacity — may be the only route that can freeze the domain in place while the facts are resolved.

Step 1: Freeze the domain before anything else — and the trap that defeats this step

The first action — taken within hours, not days — is to request a registrar lock on the .store domain at both the losing registrar (where your account held it) and, through ICANN escalation, at the gaining registrar. A registrar lock prevents any further transfer, update, or deletion of the domain while the dispute is processed.

Contact your losing registrar's abuse or security team directly, not customer support. Provide: your account credentials, the domain name, the approximate date and time of the unauthorized transfer, any phishing or credential-compromise evidence you already hold (login alerts, unfamiliar IP addresses in account logs, spoofed emails), and a written demand that the registrar retain all account-access logs under a litigation hold.

The trap: registrars apply their own contractual windows for unauthorized transfer claims. Many policies allow a complaint only within a defined period — sometimes as short as a few weeks from the transfer date. Missing that internal window does not kill your ICANN or legal options, but it removes the fastest and cheapest route. Request the registrar's specific policy in writing on the same call.

If the gaining registrar is in a different jurisdiction — and with .store this is common, because the registry operator (Radix) accredits a broad set of registrars globally — you may need to address communications simultaneously to two entities under different terms of service. Document every contact, every response, and every timestamp.

Step 2: Build the evidence of compromise before you file anything

Evidence is perishable. Server logs, email headers, and registrar access records have retention limits. The second step — running in parallel with the lock request — is assembling the documentary record that will carry every subsequent proceeding.

What does a sufficient evidence file look like? At minimum: the original domain registration confirmation and any renewal receipts (establishing your prior registrant status); account login history showing anomalous access from an unknown IP or device; any phishing emails, SIM-swap evidence, or social-engineering communications that preceded the transfer; the unauthorized transfer confirmation email (if any was sent); and the current WHOIS or RDDS record showing the new registrant.

Request your registrar's full access log for the account in writing. Under ICANN's Registrar Accreditation Agreement, registrars are required to maintain records. Many will provide this on a written legal hold request faster than you expect — particularly if they fear being named in litigation. We have found that a clear, professionally framed written request citing the account compromise and potential regulatory exposure routinely produces cooperation within 48 to 72 hours.

The trap at this step: accepting a verbal reassurance from a registrar support agent that "the matter is under review." That phrase carries no legal weight and does not preserve evidence. Every communication must be in writing, timestamped, and kept in a single file. If a proceeding later turns on when you knew what, that paper trail is your timeline.

Step 3: Choose the right forum — UDRP, TDRP, or court?

With a registrar lock in place and an evidence file building, you face the most consequential decision in the process: which formal route to use. The right answer depends on whether the new holder has a mark claim, whether the domain is still accessible for recovery through administrative channels, and whether you need money damages as well as the name back.

Consider the three main paths and their trade-offs. If the unauthorized transfer is clear and the gaining registrar is ICANN-accredited, an ICANN Transfer Dispute Resolution Policy filing is the most direct administrative channel — it addresses the mechanics of the transfer itself rather than the underlying dispute over who should hold the name. It does not require a trademark, and it is procedurally faster than a UDRP in many cases. The trap: TDRP remedies are limited to reversing the transfer; if the name has been onward-sold to a third party who claims it in good faith, the TDRP may not reach that subsequent holder.

A UDRP complaint at WIPO, the Forum, or CAC is appropriate when the current holder is exploiting the domain against your brand — pointing it at a competing site, running pay-per-click advertising on your mark, or demanding a ransom. WIPO charges USD 1,500 for a single-member panel on one to five domains; the Forum begins around USD 1,300 for one to two domains. The UDRP takes roughly two months in a standard case. The only remedies are transfer or cancellation — no damages, no costs. If the current holder can show any colorable right or legitimate interest in the name, the complaint may fail, which makes this route riskier when the theft has already been documented and the more appropriate claim is identity fraud rather than trademark abuse.

Court action is the path for cases where: arbitration cannot reach the remedy; you need an injunction to freeze the domain immediately; you want monetary damages for business losses caused by the theft; or the domain has passed through multiple registrar changes across jurisdictions in a way that only a court order can unwind. In the United States, anticybersquatting litigation can reach the domain itself as a property subject to court control — a particularly powerful tool when the domain is held by an anonymous or unresponsive registrant. For .store domains held through registrars outside the US or the EU, we work with local litigation counsel in the relevant jurisdiction to pursue injunctive relief under the applicable national law.

To weigh UDRP against a court action for your case, email info@cognomenlaw.com.

Step 4: File the formal complaint — and what to do if you hold no registered trademark

Filing correctly the first time matters. A poorly prepared UDRP complaint can be rejected for deficiencies — and the filing fee is not automatically refunded. A TDRP filing that omits a required exhibit is delayed while the provider requests supplemental material.

For a UDRP, the complaint must address all three elements of Paragraph 4(a): confusing similarity to a mark you hold, absence of the respondent's rights or legitimate interests, and registration and use in bad faith. In a theft scenario, the bad-faith element is generally strong — the "registrant" obtained the domain by fraud — but the confusing similarity element requires a mark, and many small e-commerce operators hold only a common-law mark in their brand name. Panels have accepted unregistered marks under the UDRP where use in commerce is clearly established, but the evidence burden is higher.

If you hold no registered trademark, the TDRP is often the better initial filing, precisely because the test centers on the authorization (or lack thereof) for the transfer rather than on trademark rights. Alternatively, where common-law rights in the .store brand name are strong and well-documented, we have built UDRP complaints on that foundation successfully — but the evidence file assembled in Step 2 must carry the weight.

For a TDRP, the complaint is addressed to the gaining registrar and copied to ICANN. It must document: that you were the registrant of record immediately before the transfer, that the transfer occurred without your authorization or in breach of the registrar's own procedures, and what remedy you seek (most commonly: reversal of the transfer and restoration of registrant status).

In a spring 2025 matter involving a .store domain, an e-commerce operator discovered that a credential-harvesting attack had enabled an unauthorized transfer to a registrar in a different region. The operator's registrar had logged the anomalous login but had not flagged it in real time. We secured a registrar lock within 12 hours of engagement, assembled the account-compromise documentation, and filed a TDRP-equivalent complaint with the gaining registrar. The domain was restored within approximately three weeks — before any UDRP was necessary.

How does the cross-zone picture change when a .store theft spans multiple domains?

Domain theft rarely targets a single name. Attackers who compromise an account typically sweep the most commercially valuable names in the portfolio, which for an e-commerce brand often means the .com, the .store, and perhaps a .co or a regional ccTLD — all taken in the same event.

A single UDRP complaint may cover multiple domains only if the registrant of record is the same holder across all of them. Where the unauthorized transfers scattered domains to different nominal holders — a common post-theft tactic to complicate recovery — each domain may require a separate filing or a coordinated multi-forum strategy. A court action has an advantage here: a single injunction can address a cluster of domains as connected assets of the same theft, regardless of where each ended up in the registrar chain.

For .store specifically, the .com parallel is almost always present for an e-commerce brand. If both are compromised, do not file UDRP on the .store alone and leave the .com to a later complaint: the strategic sequencing matters, because a panel decision on the .store can be cited in the .com proceeding but a failed .com complaint can shadow the .store case. In our practice, we plan multi-domain theft recoveries as a single coordinated sequence, not a series of independent filings.

The EURid and Nominet procedures do not apply to .store, which is a gTLD, so the .eu and .uk variants of the brand name require their own national procedure routes if those were also compromised. The .de, as a further example, has no UDRP at all — DENIC disputes are handled through the German courts, and a DENIC DISPUTE entry can block the .de domain's transfer while that litigation proceeds.

For a read on whether the three UDRP elements are met for your .store case, reach us at info@cognomenlaw.com.

What evidence decides the outcome — and the myth that a police report is enough

A common misconception among registrants who have experienced account compromise is that filing a police report triggers the recovery. It does not. A police report documents the crime for law enforcement purposes; it carries no legal weight in a UDRP proceeding, a TDRP filing, or a registrar's internal dispute process as a standalone item. Panels and registrars require direct evidence of the unauthorized transfer event itself, not a third-party report that one occurred.

The evidence that actually decides outcomes in .store theft cases falls into four categories. First, authentication logs: registrar account-access records showing the time, IP address, and device fingerprint of the unauthorized login, compared against your own access history. Second, transfer mechanics: the authorization code (EPP auth code) request and use — who requested it, when, from which account credentials. Third, communication records: any phishing emails, spoofed registrar notifications, or social-engineering messages that preceded the transfer; and any ransom or buy-back demands from the new holder afterward. Fourth, continuity of ownership: renewal invoices, DNS change history, registrar-confirmed account history, and any business records (contracts, invoices, advertising materials) tied to the domain going back to your original registration.

Where the evidence is thin — for example, a registrant who never downloaded account-activity logs and whose registrar has already overwritten or purged access data — the claim becomes substantially harder. The registrar's own record retention is the limiting factor. This is why Step 2 must happen within hours, not days.

In a recent matter (a .store e-commerce brand, summer 2025), the registrant had no account logs, no phishing trail, and no backup of the auth code request. Recovery depended on the registrar's server-side data alone. We obtained that data through a formal litigation-hold demand, reconstructed the unauthorized access event, and ultimately secured a UDRP transfer order on a combined theft-and-brand-abuse theory — but the proceedings took substantially longer than a well-evidenced case would have.

Related at COGNOMEN

Frequently asked questions

How do I start to reverse an unauthorized transfer of a .store domain?

Start by contacting the losing registrar's security or abuse team in writing, requesting an immediate registrar lock on the domain and a litigation hold on all account-access logs. Do this within hours of discovery, not days. Simultaneously preserve every piece of evidence you hold — login alerts, phishing emails, transfer confirmation notices, account history — in a single documented file. The lock request and the evidence file are the foundation for every subsequent step, whether that is a TDRP filing, a UDRP complaint at WIPO or the Forum, or a court action. Missing the registrar's internal window for unauthorized transfer claims — which can be as short as a few weeks — removes the fastest and cheapest route, so speed is the priority.

What are the realistic outcomes when you reverse an unauthorized transfer of a .store domain?

The best outcome is full restoration of registrant status — the domain returns to your account at the original registrar and the unauthorized transfer is treated as void. That result is achievable through a TDRP, a UDRP transfer order, or a court order depending on which route is used. A UDRP can order transfer or cancellation but cannot award monetary damages. Court action is the only route that adds a claim for financial losses caused by the theft. Where the domain has been onward-sold to a good-faith purchaser, recovery becomes more complex, and the analysis shifts from administrative to legal. Outcomes are always fact-dependent and panel or court discretion is a real variable — no result is guaranteed.

How do fees split if the case escalates?

The costs fall into two distinct categories that should be understood separately. Official forum filing fees for a UDRP are fixed: USD 1,500 at WIPO for a single-member panel on one to five domains, and roughly USD 1,300 at the Forum for one to two domains. Those are paid by the complainant; there is no cost-shifting under the UDRP. Legal fees for complaint preparation and strategy are separate and vary by complexity — straightforward UDRP matters in the market typically run in the USD 3,000–7,000 range. A TDRP filing at the administrative level is lower in official cost. Court action is substantially higher and billed hourly; it is appropriate when the value of the domain or the business losses justify the investment.

Speak with Cognomen Law

For a scoped view of your domain matter, contact info@cognomenlaw.com. Discuss your matter

Related

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@cognomenlaw.com.