Assess my case

How to recover a stolen .cloud domain under the applicable domain rule

How to recover a stolen .cloud domain under the applicable domain rule. UDRP and ccTLD domain recovery and defense across .cloud. Email the firm to assess your…

A cloud-services company wakes up to find its primary .cloud domain pointing at a foreign IP address it does not control. Outbound email is bouncing. Customer portals are unreachable. Someone has compromised the registrar account and transferred the domain out — quietly, without authorization. The technical disruption is immediate. The legal path to recover a stolen .cloud domain begins the moment you document what happened.

The .cloud domain is a generic top-level domain (gTLD) administered by the registry operator Aruba PEC S.p.A. Because .cloud is an ICANN-accredited gTLD, the Uniform Domain Name Dispute Resolution Policy (UDRP) applies where the dispute involves a third party who registered or received the domain in bad faith. For theft — meaning unauthorized account compromise and transfer — the faster first move is a registrar escalation and a formal lock request, escalated to ICANN if the registrar does not cooperate; UDRP at WIPO remains available where the receiving party's conduct meets the bad-faith test. A WIPO single-member filing fee of USD 1,500 applies where you proceed under the UDRP.

This page covers the governing procedures for .cloud, the registrar-lock mechanics, when a court route is the better fit, and the evidence that decides outcomes — so you can choose a route and act.

What rules govern a stolen .cloud domain dispute?

The .cloud gTLD is bound by the ICANN UDRP and the ICANN Transfer Policy, giving a legitimate owner two distinct levers. The UDRP at WIPO or another accredited provider addresses bad-faith registration or use by a third party. The ICANN Transfer Policy and its associated registrar obligations address the mechanics of unauthorized transfers — moves made without the genuine registrant's consent. Both may be relevant in the same theft scenario.

When a .cloud domain is stolen, the thief typically compromises the registrar account, alters the WHOIS/RDDS contact data, unlocks the domain, obtains an authorization code, and pushes it to a new registrar where the thief becomes the apparent registrant of record. This is different from a classic cybersquatting scenario, where a stranger independently registers a name that resembles a brand. Theft involves an account that was legitimately yours. That distinction matters for which mechanism you use first.

Panels have consistently held that a registrant who acquires a domain through an unauthorized transfer cannot claim legitimate interests under Paragraph 4(c) of the UDRP. Where the bad-faith element is met — particularly where the thief attempts to monetize, sell, or ransom the domain — a UDRP complaint remains a viable path. We regularly advise registrants who discover a compromise within hours of the transfer to pursue the registrar escalation route in parallel with UDRP preparation, so neither track is delayed.

How does the registrar-lock and transfer-reversal process work for .cloud?

The registrar escalation route is the fastest first step when the transfer has just occurred. Under ICANN's Transfer Policy, a registrar that received a domain via a transfer that was not authorized by the genuine registrant is obligated to cooperate with an investigation and, in some circumstances, to reverse or lock the registration pending resolution. The practical steps run in a defined order.

First, file an unauthorized-transfer complaint with the registrar of record at the time the theft was detected — the "gaining" registrar. Provide documentation of your prior registrant status: historical WHOIS records, registration confirmation emails, payment receipts, and any technical evidence tying the domain to your infrastructure (SSL certificates, DNS records, MX records, server logs). Second, file a parallel complaint with the "losing" registrar, documenting that no legitimate transfer request was authorized. Third, if neither registrar cooperates within a reasonable period, escalate to ICANN's compliance function, which can apply pressure on accredited registrars who breach the Transfer Policy.

Where the domain has already migrated to a new account and the thief is actively using or offering it for sale, time is critical. In a recent matter (a .cloud domain serving a SaaS platform, spring 2025), we secured a registrar lock within four days of the initial escalation, preventing onward transfer to a second gaining registrar while UDRP preparation continued. A five-figure ransom demand had been received by the client within 36 hours of the theft — the lock cut off that leverage before any payment was made.

If your .cloud domain has just been taken from your account without authorization, the first 48 hours matter most. To assess the registrar-lock strategy and the UDRP route simultaneously, contact info@cognomenlaw.com.

When should UDRP at WIPO be the primary route for recovering a .cloud domain?

A WIPO UDRP filing is the primary route when the domain has moved to a third party who is now holding it, offering it for sale, or using it in a way that exploits your trademark rights, and the registrar escalation alone has not restored control. WIPO is the dominant forum for .cloud disputes, handling the large majority of gTLD complaints alongside the Forum. A single-member WIPO panel for up to five domains costs USD 1,500 in filing fees, with a decision typically delivered within about two months of commencement.

To succeed at WIPO under the UDRP, you must satisfy all three elements of Paragraph 4(a): the domain is confusingly similar to a trademark or service mark in which you hold rights; the respondent has no rights or legitimate interests in the domain; and the domain was registered and is being used in bad faith. In a theft scenario, the third element is the one most squarely on point — panels have consistently found bad faith where the registration history shows an unauthorized acquisition, a ransom demand, or immediate monetization after the transfer.

The weakness of UDRP for pure theft cases is timing. The UDRP process was designed for cybersquatting, not account compromise. If the thief has already transferred the domain to a fourth or fifth registrar, or if the domain is being used to facilitate fraud against your customers, the two-month UDRP timeline may be too slow. That is where a court action — or a combination of both — becomes relevant.

When does a court action beat UDRP for .cloud domain theft?

A court action is the right choice when urgency demands a remedy faster than any arbitration process can deliver. The UDRP offers transfer or cancellation — and nothing else. No interim injunction, no damages, no discovery. If your .cloud domain is actively being used to impersonate your company, intercept customer payments, or distribute malware, a UDRP complaint's two-month timeline is structurally inadequate.

US anticybersquatting litigation (a federal court action) allows a court to issue a temporary restraining order that can freeze the domain at the registry level within days of filing. It also opens the door to damages. The trade-off is cost and jurisdiction: court proceedings are substantially more expensive than a UDRP filing, and jurisdiction must be established, which typically requires connecting the defendant or the registry to the chosen forum. We work with local litigation counsel in the relevant jurisdiction for court actions where the dispute requires foreign proceedings.

The decision matrix is not either/or. In our practice, we frequently run a registrar escalation, a UDRP complaint, and a court filing in parallel — using each tool for what it does best. The escalation secures the lock; the UDRP provides a cost-efficient transfer remedy; the court action provides the injunction and the damages claim where the harm is severe enough to justify the cost. The right combination depends on the scope of the theft, the identity of the gaining registrar, and whether your trademark rights give you a clean three-element UDRP case.

A second scenario where court beats UDRP: the thief is a known competitor rather than an anonymous account hijacker. Where the identity is established, and where the registrant has assets in a jurisdiction that can be reached, a court action is the only process that produces a damages remedy. UDRP panels cannot award money, and an RDNH finding — even if obtained by the wrongdoer — carries no monetary consequence.

If you are weighing a UDRP filing against an immediate court application for your stolen .cloud domain, email info@cognomenlaw.com for an assessment of which route fits the facts.

What evidence decides the outcome of a .cloud domain recovery?

Evidence decides every .cloud domain theft case. The three categories that matter most are proof of prior ownership, proof of unauthorized transfer, and proof of bad faith by the current holder.

Proof of prior ownership is built from documentation that predates the theft: the original domain registration confirmation email, WHOIS records captured before the compromise (Wayback Machine captures or RDDS history are useful here), payment receipts from the original registrar, and any business records tying your organization to the domain — contracts with service providers, SSL certificate histories, and DNS zone file records showing your infrastructure behind the domain. This evidence establishes that you were the legitimate registrant.

Proof of unauthorized transfer typically comes from registrar logs (requested through the registrar's compliance or fraud team), email headers showing the account-access notification sent to an address you no longer control, and a timeline reconstruction demonstrating that the transfer request came from an IP address or device inconsistent with your normal access pattern. In practice, this evidence is rarely complete at the outset — which is why speed matters. Logs are retained for limited periods.

Proof of bad faith by the current holder covers ransom demands (preserve every communication verbatim, including metadata), evidence of the domain being offered for sale, evidence of monetization (pay-per-click parking, phishing pages), and any evidence of a pattern — other domains taken from other registrants by the same actor. Panels have consistently found bad faith where a domain is offered for sale at a price exceeding the cost of registration, particularly where the offer followed a transparent compromise of someone else's account.

One point that surprises brand owners: you do not need a registered trademark to file a UDRP complaint. Unregistered or common-law trademark rights — established through commercial use of a name in connection with goods or services — can satisfy the first UDRP element. In a theft scenario, the name in question is almost always the company's operating brand, which typically carries common-law rights even without a registration. We assess the trademark foundation early, because the strength of that element shapes every other aspect of the filing strategy.

Costs, timelines, and forum choices for a .cloud dispute

Three routes, three cost structures. The registrar-escalation route costs nothing in filing fees — it is a procedural right under the ICANN Transfer Policy — though it requires careful documentation and, typically, legal counsel to frame the demand correctly and escalate efficiently. UDRP at WIPO costs USD 1,500 for a single-member panel covering up to five domains, with a decision normally within two months. If the respondent elects a three-member panel (which they can do by paying the differential), the fee rises to USD 4,000 for that panel. Court action for a US anticybersquatting claim is substantially more expensive, with legal fees driven by the complexity of the litigation — but it opens the door to preliminary injunctive relief and damages.

Legal fees are a separate line. A UDRP complaint for a single domain in a straightforward case typically falls in the USD 3,000 – 7,000 range for counsel, separate from the forum fee. A contested case, a three-panel request, or supplemental filings add to that figure. A court action scales well beyond those ranges.

Timeline comparison: registrar escalation can produce a lock in days if the registrar cooperates; ICANN escalation takes longer. A WIPO UDRP decision arrives in approximately two months for a standard case. Court proceedings vary by jurisdiction and congestion — a temporary restraining order can issue in days, but a final judgment takes months to years.

In our practice, the forum choice for a .cloud theft matter comes down to three questions: How fast do you need a remedy? Do you have a clean three-element UDRP case? And does the scale of harm justify the cost of litigation? Honest answers to those three questions determine the route.

Cross-zone considerations: what if the same actor holds other domains?

Domain theft rarely stays in one zone. An actor who compromises a .cloud domain frequently holds the same name in .com, .net, or other gTLDs, either from the same theft or by prior registration. The UDRP allows a single complaint to cover multiple domains where the registrant is the same holder. If your stolen .cloud domain and a companion .com were both transferred to the same account, a single WIPO filing can address both — at the same USD 1,500 filing fee for up to five domains under the same panel.

If the actor also holds a national ccTLD variant, a separate filing under that ccTLD's governing procedure is required. A .de domain, for example, is not subject to the UDRP; that dispute runs through the German courts, with a DENIC DISPUTE entry to block transfer during litigation. A .eu domain goes through the ADR.eu procedure at the Czech Arbitration Court. In our cross-zone practice, we identify all affected domains in the initial assessment, map the governing procedure for each, and sequence the filings to minimize gaps — because an unaddressed zone is a standing threat.

In a second recent matter (a .cloud and .com pair, autumn 2024), the same actor had taken both domains in a coordinated account-compromise attack. We filed a combined WIPO complaint for the .com and .cloud under a single docket, and within the same engagement secured registrar locks on both before the decision issued. The domains were returned without the ransom being paid.

Defending a wrongful recovery claim: what if the complaint is aimed at you?

Not every "stolen domain" claim is accurate. A legitimate .cloud domain owner — particularly a domain investor who acquired the name in the open market — may face a UDRP complaint framed as a theft or bad-faith registration claim when the underlying facts do not support it. If you are the registrant and the complaint does not meet the three-element test, you have 20 days from commencement to file a response.

A well-built response documents the chain of legitimate acquisition: the purchase history, the consideration paid, the length of registration, any commercial use, and any pre-complaint communication with the complainant that establishes notice but not bad faith. Where a complainant has filed without legitimate trademark rights, filed knowing the domain was acquired in good faith, or filed primarily to extract a below-market sale, the panel may issue a finding of Reverse Domain Name Hijacking (RDNH). This finding is reputational — it carries no monetary penalty — but it is a public finding in a published decision that a complaint was brought in bad faith.

The common myth about UDRP defense is that a default — failing to respond — is sometimes a safe choice, because "if I don't engage, they can't find against me." That is wrong. A default does not prevent a panel from transferring the domain. Panels routinely enter transfer orders on a default where the complaint is well-pleaded. Silence is not a defense.

Related at COGNOMEN

Frequently asked questions

When should I recover a stolen .cloud domain?

Act immediately upon discovering the unauthorized transfer. Log retention at registrars is time-limited, and a domain held in a new account can be transferred again. The first 48 hours determine whether a registrar lock is achievable before the domain moves further. Begin the registrar escalation at the same time you consult counsel on UDRP or court options — the two tracks run in parallel and neither should wait for the other.

What happens if the other side ignores the case?

A default — where the respondent files no response to a UDRP complaint — does not protect the respondent. Panels decide on the record presented by the complainant. Where the complaint is well-pleaded and the three elements are supported by evidence, panels consistently grant transfer on default. A non-responding registrar in an escalation dispute faces ICANN compliance action. Ignoring the matter does not suspend or delay the remedy.

How is WIPO different from a national court for .cloud?

WIPO under the UDRP delivers a decision in approximately two months and costs USD 1,500 in filing fees for a single-member panel, but can only order transfer or cancellation — no damages, no injunction, no discovery. A national court can issue a temporary restraining order in days, reach damages, and compel production of evidence, but at substantially higher cost and over a longer timeline. The two routes serve different urgency and remedy profiles; in serious theft cases, we often run both simultaneously.

Speak with Cognomen Law

For a scoped view of your domain matter, contact info@cognomenlaw.com. Discuss your matter

Related

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@cognomenlaw.com.