PanicStation.org

What to do if…
your domain registrar shows a transfer or ownership change you did not request

Short answer

Act fast: contact your registrar immediately, report an unauthorized transfer / unauthorized change of registrant, and request an immediate lock/hold (where available) while you secure the email and accounts that control the domain.

Do not do these things

  • Don’t ignore registrar emails or assume it’s “just a WHOIS privacy change.”
  • Don’t keep reusing the same password or attempting repeated logins if you suspect the account was accessed—switch to password reset + support escalation.
  • Don’t delete alerts, receipts, old registration emails, or support tickets—those are your proof.
  • Don’t pay unsolicited “domain recovery” messages or send money to “release” your domain.
  • Don’t repeatedly change DNS settings while ownership/control is disputed (it can make recovery harder).

What to do now

  1. Contact your registrar’s security/abuse team and escalate immediately.

    • Use the phrases: “unauthorized transfer” and/or “unauthorized change of registrant.”
    • Ask them to confirm: what exactly changed (registrar, registrant contact, nameservers, auth/EPP code) and when.
  2. Request the strongest locks/holds they can apply right now.

    • Ask for: domain lock/transfer lock, account lock, and any temporary hold options they support.
    • Ask what stop/cancel/reversal options exist for your specific TLD and what evidence they need to act.
  3. Lock down the “control points” attackers usually use to steal domains.

    • Change passwords for: your registrar account, the email address used as the domain contact, and any DNS/hosting accounts.
    • Turn on MFA everywhere you can.
    • In your email account, check for forwarding rules, new mailbox delegates, and changes to recovery email/phone.
  4. Preserve evidence and create a timeline you can hand to the registrar.

    • Save screenshots/PDFs of: registrar change notices, account activity logs, WHOIS/registration info, invoices/receipts, and older ownership/renewal confirmations.
    • Record dates/times, ticket numbers, and any reference IDs your registrar provides.
  5. Check for active misuse (so you can prevent harm while recovery is in progress).

    • Verify whether nameservers changed and whether key DNS records changed (especially MX records for email).
    • If your domain is being used for phishing or your site/email is redirecting, alert staff/customers through an alternate trusted channel (a different domain you control, a verified social account, or a customer portal notice).
  6. If it’s a common gTLD and the registrar is unresponsive, use ICANN compliance channels (as a backstop).

    • ICANN generally can’t directly restore ownership when illegal access occurred, but compliance complaints can help when transfer/registrant-change rules weren’t followed.
    • File the appropriate ICANN Contractual Compliance complaint if you believe policy obligations were violated or you can’t reach the registrar.
  7. Report as cybercrime if there’s fraud, extortion, or business impact.

    • File a report with the FBI’s Internet Crime Complaint Center (IC3), especially if money was demanded, accounts were hacked, or customers were targeted.
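
For the DNS check in step 5, one way to see exactly what changed is to diff a saved `dig +noall +answer` capture against a fresh one. This is an added example, not part of the original guidance; the two captures are constructed sample data, and the function names and the HIGH/review labels are assumptions.

```python
"""Diff two saved `dig +noall +answer` captures; flag NS and MX changes first."""
from collections import defaultdict

# Constructed sample captures (not real data); .example names are reserved.
BASELINE = """\
example.com. 3600 IN NS ns1.dns-host.example.
example.com. 3600 IN NS ns2.dns-host.example.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 300 IN A 192.0.2.10
example.com. 3600 IN TXT "v=spf1 mx -all"
"""
CURRENT = """\
example.com. 300 IN NS ns1.unknown-dns.example.
example.com. 300 IN NS ns2.unknown-dns.example.
example.com. 300 IN MX 5 mx.unknown-dns.example.
example.com. 60 IN A 192.0.2.10
example.com. 300 IN TXT "v=spf1 include:unknown-dns.example -all"
"""
HIGH_RISK = {"NS", "MX"}  # delegation and inbound email (assumed labels)
HOSTNAME_TYPES = {"NS", "MX", "CNAME"}  # rdata is case-insensitive for these

def parse_answers(text):
    """Return {(owner, type): {rdata}} from dig answer lines, ignoring TTLs."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        owner, rtype = parts[0].lower(), parts[3].upper()
        rdata = " ".join(parts[4].split())
        records[(owner, rtype)].add(rdata.lower() if rtype in HOSTNAME_TYPES else rdata)
    return records

def diff_records(before, after):
    """List changed record sets as dicts, HIGH severity first."""
    old, new = parse_answers(before), parse_answers(after)
    changes = []
    for key in sorted(set(old) | set(new)):
        removed = old.get(key, set()) - new.get(key, set())
        added = new.get(key, set()) - old.get(key, set())
        if removed or added:
            severity = "HIGH" if key[1] in HIGH_RISK else "review"
            changes.append({"name": key[0], "type": key[1], "severity": severity,
                            "removed": sorted(removed), "added": sorted(added)})
    return sorted(changes, key=lambda c: c["severity"] != "HIGH")

if __name__ == "__main__":
    for c in diff_records(BASELINE, CURRENT):
        print(f'{c["severity"]:6} {c["name"]} {c["type"]}: -{c["removed"]} +{c["added"]}')
```

The printed diff, with the capture times, can go straight into the timeline from step 4. A TTL-only difference is deliberately not reported, since it does not change where traffic or email is sent.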

What can wait

  • You don’t need to decide today about lawsuits, rebranding, or switching registrars.
  • You don’t need to rebuild your whole security program right now—focus on email, registrar access, and DNS control first.
  • You don’t need to post publicly unless there’s evidence of active harm (phishing, impersonation, payment diversion).

Important reassurance

Unauthorized transfers and registrant changes are a common kind of cyber-enabled fraud. Fast escalation to the registrar plus clear documentation often improves outcomes compared with trying to “fix it quietly.”

Scope note

This is first-step guidance to stop further damage, preserve evidence, and trigger the fastest recovery paths. Later steps may require specialist technical or legal help depending on the domain, registrar, and harm caused.

Important note

This is general information, not legal advice. Domain recovery procedures vary by registrar and top-level domain; follow your registrar’s security escalation process and keep records to support your ownership claim.
