Held for Ransom: Recovering a Domain Name a Web Developer Refuses to Release

When a web developer hijacks your domain

At DNAccess, a large share of the recovery cases that come to us do not begin with a sophisticated hacker in another country. They begin with a vendor the business already knew and trusted — a web developer, a designer, a marketing agency, or a freelancer who built the website and, somewhere along the way, ended up holding the keys to the company’s domain name. When the working relationship breaks down, usually over money, that vendor stops being a partner and starts being an obstacle: the domain is moved into an account the business cannot access, the website goes dark or stays frozen, and the owner is told the domain will be released only when a payment demand is met.

We handle this category of matter often enough that we can describe the pattern in our sleep. What surprises most business owners is not that it happened to them, but how clearly the law and the dispute-resolution system come down on the side of the rightful owner — and how recoverable these domains usually are once the situation is approached correctly. This article explains what this kind of domain hijacking actually is, why the “you still owe me money” justification does not hold up, and the specific paths we use to get a client’s domain back.

What “Ransoming a Domain” Really Means

The scenario has a deceptively ordinary beginning. A business hires someone to build a website. As a convenience, that person registers the domain name — typically the exact-match domain built around the company’s own name — and is listed as the registrant of record in the WHOIS (the public registration record that identifies who controls a domain). For as long as everyone is getting along, no one thinks about it.

The problem surfaces when there is a falling-out. The vendor, still holding the registrar account or the registrant listing, changes the account credentials, updates the contact details, or transfers the domain to a registrar or account the client cannot reach. From that moment the business is locked out of one of its most important assets. Email may stop. The website may be replaced with a payment notice. Renewal, DNS changes, and transfers all sit behind a login the owner does not have.

This is not a gray area of “who technically registered it.” In substance, it is the taking of property that belongs to the business and the use of that property as leverage. In our field, the plain word for it is hijacking, and when it is paired with a payment demand, it is a ransom.

Why Owners Feel Stuck — and Why They Usually Are Not

The reason these cases are so effective at intimidating owners is that the vendor almost always has a story. Sometimes the story is an unpaid invoice. Sometimes it is a signed agreement containing a clause that says the vendor may retain the domain until the client pays. Frequently the amount claimed is disputed, inflated, or — as in a matter we reviewed recently — already paid in full, with the final payment sitting in a PayPal record the vendor conveniently ignores.

The owner hears “you signed this” or “you owe me,” assumes the vendor must have some right to the domain, and either pays a ransom that may not be owed or gives up on a domain that is rightfully theirs. Both reactions are usually mistakes. The vendor’s story about money and the question of who owns the domain are two entirely different things, and the dispute system is built to keep them apart.

The Evidence That Decides These Cases

Domain recovery is, at its core, an evidence exercise, and the good news for legitimate owners is that the evidence almost always favors them. When we take one of these matters, the first thing we do is assemble the record that establishes ownership and reconstructs what happened.

The WHOIS history is the backbone. It typically shows a continuous chain of registration tied to the business, often stretching back years, which establishes that the domain has always belonged to the company rather than the vendor. The transfer and DNS records show precisely when and how control was moved, which matters both for registrar disputes and for any criminal referral. The payment trail — invoices, contracts, bank records, and PayPal receipts — resolves the money question independently of the domain, and often demonstrates that the alleged debt does not exist. And the communications, including the demand itself, frequently contain the vendor’s own admission that the domain is being withheld until payment, which is powerful evidence of bad faith.

Assembling this record early is far more persuasive than reconstructing it later, and it is the single most valuable thing an owner can do the moment they realize their domain has been taken.

What the Record Consistently Shows: Ransoming a Domain Does Not Work

Vendors who do this often believe, sincerely, that they will prevail if the matter is ever formally challenged. In our experience, and in the published record, they are wrong. We reviewed the decisions of the two providers that handle domain disputes in the United States — WIPO (the World Intellectual Property Organization) and the Forum (formerly the National Arbitration Forum) — under the UDRP (Uniform Domain-Name Dispute-Resolution Policy, the arbitration process ICANN uses to resolve domain ownership). We were specifically looking for a case in which a developer who seized a client’s domain over nonpayment came out ahead on the theory that a contract let him keep it.

We could not find one. The published outcomes run the other direction with striking consistency, and a few decisions illustrate why.

In *Alaska Health Fair, Inc. v. Chris Jacobson* (National Arbitration Forum, 2013), a developer who had legitimately come to hold his client’s domain kept it after the business stopped paying, even posting a notice that the site was paused over overdue invoices. The panel ordered the domain returned, holding that using a client’s domain as leverage for a fee is bad-faith use — regardless of how the developer first obtained it.

The courts have gone further than the arbitration panels can. In *DSPT International, Inc. v. Nahum*, 624 F.3d 1213 (9th Cir. 2010), a man hired to help build a company’s website registered the domain in his own name and later withheld it while demanding payment of claimed commissions. A jury found him liable for bad-faith cybersquatting under the ACPA (the Anticybersquatting Consumer Protection Act, 15 U.S.C. § 1125(d)), the award reached roughly $152,000, and the Ninth Circuit affirmed, stating directly that “using a domain name to get leverage in a business dispute can establish a violation of the ACPA.”

Underneath both sits the principle that makes recovery possible in the first place. In *Kremen v. Cohen*, 337 F.3d 1024 (9th Cir. 2003) — the well-known Sex.com case — the Ninth Circuit confirmed that a domain name is property that can be owned and can be the subject of a conversion claim. Once a domain is recognized as property, taking one that belongs to someone else and refusing to give it back is not a clever contractual maneuver. It is the wrongful exercise of control over another party’s asset.

The Contract Clause Is Not the Shield Vendors Think It Is

The single most common defense we encounter is the signed agreement: “the client agreed that I could keep the domain until I was paid.” Owners find this clause intimidating, and vendors treat it as a trump card. It is neither.

A contract can establish that money is owed. It cannot manufacture ownership of an asset that belongs to the other party, and it cannot authorize self-help seizure of that asset as a collection device. A vendor who is genuinely owed money has legitimate ways to pursue it — a demand, a collections process, small-claims court, civil litigation. None of those remedies require, or justify, holding the client’s domain. Courts do not enforce a contractual license to take and keep property the vendor was never entitled to own. The clause, in practice, tends to help the owner more than the vendor, because it documents that the vendor took the domain deliberately and intended to hold it for payment.

This Is Not Only a Dispute — It Can Be a Crime

Business owners are often relieved, and vendors often unsettled, to learn that unauthorized transfer of a domain name is not confined to the civil arena. Depending on how the taking was carried out, it can carry criminal exposure, which is why a police report and a referral to law enforcement are legitimate tools rather than empty threats.

We are a domain security and recovery firm, not a law firm, and nothing here is legal advice. But the framework is worth understanding. Domain theft is frequently examined under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which addresses accessing a protected computer without authorization or beyond authorized access — conduct that can be implicated when someone uses registrar credentials they have no authority to use in order to move a domain. Federal wire fraud, 18 U.S.C. § 1343, reaches schemes to obtain money or property through electronic communications, and domain hijacking is carried out entirely through internet-connected systems. On the civil side, the ACPA provides a direct claim, with statutory damages available in appropriate cases. And most states maintain their own computer-crime, theft, and extortion statutes, under which conditioning the return of property on payment of a disputed or nonexistent debt can, in the right circumstances, resemble extortion.

Whether a given statute applies always turns on the specific facts and on how the transfer was accomplished. The practical point for an owner is that the law treats an unauthorized domain transfer as the taking of property — and it can be reported and pursued as such.

The DNAccess Recovery Playbook

Every recovery is different, but the sequence we follow is consistent, and it is designed to keep the money question and the ownership question separate so the vendor’s leverage evaporates.

We begin by preserving evidence — the current WHOIS, the full WHOIS history, DNS and transfer records, and every communication and payment record — because a well-documented file is what makes every later step faster. We reconstruct the ownership chain and the timeline of the taking, which frequently exposes exactly when unauthorized control occurred. We engage the registrar, because registrars maintain dispute and account-recovery procedures, and where a domain has not yet moved away, or where registrant details were changed without authorization, the registrar is often the fastest route to restoring control. Where the domain corresponds to the client’s business name or mark, we prepare and pursue a UDRP complaint, which is faster and less costly than litigation and which, as the record shows, strongly favors the rightful owner in these fact patterns. Where losses warrant it, we coordinate with counsel on civil claims under the ACPA and for conversion, and we support referrals to law enforcement and the FBI’s Internet Crime Complaint Center (IC3) when the facts justify a criminal complaint. Throughout, we keep the debt dispute walled off from the domain, so the vendor cannot use one to hold the other.

Preventing the Next One: Domain Governance

Recovery is what we do when prevention has already failed, and the far cheaper path is to make sure a vendor is never in a position to hold your domain in the first place. The controls are straightforward, and we help clients put them in place across entire portfolios.

  • Register domains in the company’s own name, in a company-controlled account at a reputable registrar, using a company email address rather than a vendor’s.
  • Treat the registrar account as a core corporate asset: keep the credentials in the company’s control and grant vendors delegated access to do their work, rather than making the vendor the account holder.
  • Lock the assets down with two-factor authentication and a registrar lock, and for high-value or business-critical domains, a registry lock, which requires manual, out-of-band verification before any transfer can occur.
  • Monitor your WHOIS and registration status so that an unauthorized change is detected in hours, not months.
  • Put ownership in writing in every vendor agreement: the company owns the domain, the vendor is granted access to perform work, and control returns to the company on demand.
  • Preserve invoices, contracts, and payment records, because the payment trail settles the money question and the WHOIS history settles the ownership question.

If Your Domain Is Being Held Right Now

If you are reading this because a developer, former developer, or agency is refusing to release your domain, do not pay a ransom on the assumption that you have no other option, and do not conclude that the domain is lost. Preserve everything, keep the money dispute separate from the domain in all of your communications, and get the recovery process moving quickly, because time affects which options remain available — particularly the ability to reverse a transfer before the domain moves further away.

This is precisely the kind of matter DNAccess exists to handle. We investigate stolen and hijacked domains, reconstruct the ownership record, work with registrars and counsel, and recover domains for their rightful owners. If your domain has been taken, or if you want to protect a portfolio before anything happens to it, we can help.

*DNAccess provides domain security, domain recovery, and stolen-domain investigation services. We are not a law firm, and this article is not legal advice. If you are involved in a domain dispute, consult a qualified attorney regarding your specific situation.*