How to Gather Evidence of Domain Theft
- by Staff
When a domain is stolen, swift action is essential, but so is the careful and methodical collection of evidence. Domain theft, or domain hijacking, typically involves unauthorized changes to domain ownership or control, often through phishing, credential compromise, or registrar manipulation. In order to recover a stolen domain—whether through registrar intervention, ICANN dispute resolution, or legal channels—evidence is critical. It not only substantiates the claim of theft but also helps establish a clear timeline of events, the legitimacy of ownership, and the malicious nature of the transfer or alteration. Knowing how to gather and present this evidence can be the determining factor in a successful recovery effort.
The process of collecting evidence should begin the moment domain theft is suspected. The first item to secure is historical WHOIS data. WHOIS records provide key details about a domain’s registration, including the registrant’s name, email, phone number, organization, and the registrar managing the domain. Since GDPR regulations have masked much of this data in current WHOIS lookups, obtaining historical WHOIS snapshots becomes vital. Tools like DomainTools, WhoisXML API, and HosterStats can provide archived WHOIS records showing past ownership details. These records are crucial for proving that your organization or identity was listed as the domain’s owner prior to the hijacking. Screenshots of these historical records, along with metadata such as the date and source of the lookup, should be saved and cataloged.
Alongside WHOIS history, domain owners should preserve all registrar-related correspondence. This includes welcome emails, payment receipts, renewal confirmations, support tickets, and any communication regarding domain status or changes. These documents often contain the registration date, account holder’s name, and domain management credentials—evidence that ties the domain directly to the rightful owner. Email headers should be preserved intact, as they can validate the authenticity of the communication. If domain theft was preceded by suspicious messages such as fake renewal notices or phishing emails impersonating a registrar, these should also be retained. They may contain links, sender information, or message patterns that reveal how the attack was initiated.
Another vital source of evidence is registrar account access history. Most reputable registrars provide a log of login attempts, IP addresses, device fingerprints, or change logs within the control panel. If an unauthorized party accessed the account, these logs can reveal anomalous activity—such as login attempts from unusual IP addresses, changes to DNS records, or modifications to contact information. Take screenshots of this data, and if the interface allows, export the logs for forensic analysis. Time-stamped evidence of suspicious access is particularly persuasive when demonstrating to a registrar or dispute resolution provider that a breach occurred.
Website content and functionality at the time of the hijack can also be key. If the domain was associated with an active website, it’s important to document what the site looked like prior to the theft. This can be accomplished using archived pages from services like the Wayback Machine or locally stored backups. If the site was taken offline or replaced with content you did not publish, screenshots or downloaded copies of the altered site should also be preserved. These materials can serve as a visual indicator of the change in control and may be used to demonstrate harm to brand reputation, user trust, or business operations.
DNS records before and after the hijack provide further evidence. Domain owners should maintain a record of authoritative DNS settings, including A, MX, CNAME, NS, and TXT records. When DNS is changed by an attacker, these configurations are often overwritten to redirect traffic, capture email, or deface the website. If available, request logs or snapshots from your DNS provider or hosting platform. If DNSSEC was in use, check for key rollovers or failures, which may indicate tampering. The timing of these changes can be correlated with login activity and WHOIS modifications to construct a clear timeline of the hijack.
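As an added illustration of the correlation described above (the registrar access logs from the earlier paragraph and the before/after DNS snapshots from this one), the following Python is not from the original article; every log line, IP address, hostname and record in it is constructed, and the access-log layout and the set of "known" owner IPs are assumptions.

```python
"""Correlate registrar access-log lines with before/after DNS snapshots into one
timeline. Added illustration: every log line, IP address and record is constructed."""
# Constructed access-log lines (assumed layout: ISO-8601 time, event, source IP, detail).
ACCESS_LOG = """\
2024-03-01T09:12:04Z LOGIN_OK 203.0.113.10 browser=Firefox
2024-03-03T02:41:17Z LOGIN_FAIL 198.51.100.77 browser=curl
2024-03-03T02:43:09Z LOGIN_OK 198.51.100.77 browser=curl
2024-03-03T02:44:30Z CONTACT_CHANGE 198.51.100.77 field=registrant_email
2024-03-03T02:47:52Z DNS_CHANGE 198.51.100.77 zone=example.com
"""
KNOWN_IPS = {"203.0.113.10"}  # addresses the rightful owner normally logs in from (assumed)

# Constructed DNS snapshots keyed by (owner name, record type); values are sorted rdata.
DNS_BEFORE = {
    ("example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "MX"): ["10 mail.example.com."],
    ("example.com.", "NS"): ["ns1.example-dns.net.", "ns2.example-dns.net."],
}
DNS_AFTER = {
    ("example.com.", "A"): ["198.51.100.200"],
    ("example.com.", "MX"): ["10 mx.attacker-mail.invalid."],
    ("example.com.", "NS"): ["ns1.example-dns.net.", "ns2.example-dns.net."],
    ("_acme-challenge.example.com.", "TXT"): ["constructed-token"],
}

def parse_access_log(text):
    """Return (iso_time, description) pairs, flagging source IPs outside KNOWN_IPS."""
    events = []
    for line in text.splitlines():
        when, event, ip, detail = line.split(" ", 3)
        flag = "" if ip in KNOWN_IPS else " [UNKNOWN IP]"
        events.append((when, f"{event} from {ip}{flag}: {detail}"))
    return events

def diff_dns(before, after):
    """Return (name, type, old, new) for every rrset that was added, removed or changed."""
    changes = []
    for name, rtype in sorted(set(before) | set(after)):
        old, new = before.get((name, rtype)), after.get((name, rtype))
        if old != new:
            changes.append((name, rtype, old, new))
    return changes

def build_timeline(log_text, before, after, dns_change_time):
    """Merge access events and DNS changes into one list sorted by ISO-8601 time."""
    timeline = parse_access_log(log_text)
    for name, rtype, old, new in diff_dns(before, after):
        timeline.append((dns_change_time, f"DNS {rtype} {name}: {old} -> {new}"))
    return sorted(timeline)  # ISO-8601 UTC strings sort chronologically as text
```

Calling `build_timeline(ACCESS_LOG, DNS_BEFORE, DNS_AFTER, "2024-03-03T02:47:52Z")` yields the merged, time-ordered list; the unchanged NS rrset is omitted so only the overwritten A and MX records and the added TXT record appear beside the flagged logins.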
Payment records and billing history associated with the domain should also be included. Credit card statements, PayPal receipts, and invoices from the registrar can serve as proof of financial ownership and regular upkeep of the domain. These records demonstrate a pattern of legitimate control and responsibility for the domain, reinforcing the claim that the transfer was unauthorized. When providing these documents, redact sensitive information unrelated to the domain to avoid unnecessary exposure of personal data.
It’s also useful to collect evidence of your broader relationship to the domain. If the domain was used for a business or brand, gather proof such as trademark registrations, business licenses, advertising materials, email communications with customers or vendors using that domain, and any content hosted there. These materials establish that you have a vested and documented interest in the domain and its use, which can be especially important in disputes where legal ownership is challenged. Social media posts or public mentions linking your brand to the domain also help support your claim.
All collected evidence should be organized chronologically and backed up in multiple formats. Create a central repository of documents, screenshots, logs, and correspondence, and ensure copies are stored securely both locally and in the cloud. Use timestamping tools or digital signatures if necessary to establish the authenticity of files. If the situation escalates to legal proceedings or a UDRP complaint, your legal representative or dispute resolution provider will require clear and well-documented proof of your claim. The better your documentation, the stronger your position will be.
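One way to give the central repository the file-authenticity property described above is to seal it with a hash manifest and re-verify it before handing it to counsel or a dispute provider. The Python below is an added example, not code from the article; the file names, contents and source notes are constructed, and the manifest layout is an assumption.

```python
"""Seal an evidence repository with a hash manifest and detect later alteration.
Added illustration; the file names and contents below are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash in chunks so large log exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root, source_notes):
    """Record relative path, size, SHA-256 and a source/date note for each file."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            entries.append({"file": rel, "size": os.path.getsize(path),
                            "sha256": sha256_file(path), "note": source_notes.get(rel, "")})
    return {"sealed_at": datetime.now(timezone.utc).isoformat(), "entries": entries}

def verify_manifest(root, manifest):
    """Return files whose content no longer matches the sealed hash, or are missing."""
    bad = []
    for entry in manifest["entries"]:
        path = os.path.join(root, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["file"])
    return bad

def demo():
    """Constructed repository: two files are sealed, one is edited, verify reports it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "whois_2024-02-01.txt"), "w") as fh:
        fh.write("Registrant Organization: Example Corp\n")  # constructed snapshot
    with open(os.path.join(root, "dns_before.json"), "w") as fh:
        json.dump({"A": ["192.0.2.10"]}, fh)  # constructed DNS snapshot
    manifest = build_manifest(root, {"whois_2024-02-01.txt": "historical WHOIS lookup (constructed)"})
    with open(os.path.join(root, "dns_before.json"), "a") as fh:
        fh.write(" ")  # an edit made after sealing, which verification must catch
    return verify_manifest(root, manifest), len(manifest["entries"])
```

Store the manifest outside the evidence tree (or sign it, or submit its hash to a timestamping service) so the seal itself cannot be silently regenerated.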
In parallel to gathering evidence, it is essential to maintain ongoing communication with the registrar. Notify them as soon as possible, submit your supporting materials, and request that the domain be locked to prevent further changes. Be clear, professional, and assertive in your communication, providing case references and offering additional documents if needed. Many registrars have internal escalation channels for domain theft, and a cooperative registrar can take emergency steps to halt damage or initiate recovery.
In conclusion, recovering a hijacked domain is heavily dependent on the strength and clarity of the evidence presented. Proving that a domain has been stolen requires a combination of technical records, account history, transactional proof, and usage documentation. The more detailed and organized the evidence, the more likely it is that the domain can be restored through registrar support, ICANN processes, or legal action. Domain owners who proactively keep records, monitor activity, and respond quickly to signs of tampering place themselves in the best possible position to reclaim their digital property when faced with the serious threat of domain theft.