
Businesses and, increasingly, their attorneys come to Hartzer Consulting when something involving a website, a search ranking, or a domain name has gone wrong and the usual advisers cannot explain why. One matter we are asked about again and again has nothing to do with an anonymous attacker and everything to do with a relationship that soured. A company hires a web developer, designer, or agency. That vendor ends up in control of the company’s domain name. The engagement ends badly, and the vendor responds by treating the domain as a bargaining chip — locking the owner out and refusing to hand it back until a demand is satisfied.
We have advised on domain disputes for more than twenty years, and we have seen this particular scenario resolve successfully far more often than the panicked owner ever expects. When a client needs the domain actually recovered, we handle that work through our DNAccess service, which is dedicated to domain security, stolen-domain investigations, and recovery. But before any recovery begins, the value we add is analytical: helping the owner understand what has really happened, why the vendor’s position is weaker than it sounds, and what the evidence and the law say about who owns the domain. That understanding is what turns a frightening situation into a manageable one.
How a Trusted Vendor Ends Up Controlling Your Domain
The origin of these disputes is almost always mundane. When a website is first built, someone has to register the domain, and it is often easiest to let the person building the site handle it. The developer registers the domain — usually the exact-match domain built around the client’s own business name — and is recorded as the registrant in the WHOIS, the public database that identifies who holds a domain. Nobody objects, because at that point nobody has any reason to.
The arrangement only becomes visible when the relationship ends. Because the vendor holds the registrar login or the registrant listing, the vendor can quietly change the account password, alter the contact information, or move the domain somewhere the client cannot follow. Overnight, the business loses access to an asset it depends on. The site may go dark. Company email may stop flowing. Every routine task — renewing the domain, editing DNS, authorizing a transfer — now sits behind credentials the owner does not have. The vendor then attaches a price to the domain’s return.
The Mistake That Keeps Owners Paying Ransoms
The reason this tactic works as often as it does is that it exploits a confusion the vendor is happy to encourage. The owner is presented with a grievance about money — an unpaid invoice, an alleged balance, sometimes a contract clause the owner signed years earlier — and concludes that because there may be a debt, the vendor must have some claim on the domain. That conclusion is the error at the heart of nearly every one of these matters.
The single most useful thing we do for a client early on is to pull these two questions apart and keep them apart. The first question is whether the client owes the vendor anything, and if so how much. That is a contractual matter, decided by invoices, agreements, and payment records. The second question is who is entitled to own the domain built around the client’s business identity. That is decided by the WHOIS record and its history. The two questions have different answers, different forums, and different evidence, and a genuine debt — even a large one — creates no right whatsoever to seize the other side’s domain. Once an owner internalizes that distinction, the vendor’s leverage begins to dissolve, because the thing being held hostage was never the vendor’s to hold.
We have also seen how often the underlying debt is exaggerated or imaginary. In a recent matter, a vendor insisted a five-figure balance remained outstanding, while the owner held records showing every invoice had been paid, the last one through PayPal. The money story sounded authoritative until the payment trail was examined. It usually does.
What the Investigation Reveals
Because so much of our work sits at the intersection of consulting and forensic internet investigation, we approach a hijacked domain as an evidence problem, and the evidence tends to favor the legitimate owner decisively. The WHOIS history ordinarily documents an unbroken chain of ownership by the business, frequently going back many years, which establishes that the domain has always belonged to the company rather than the vendor. The transfer, registrar, and DNS records fix the moment control changed hands and how it was done. The financial records resolve the debt question on their own terms. And the vendor’s own messages — particularly the demand — often supply a written admission that the domain is being withheld until payment, which is among the most damaging things a hostage-taker can put in writing.
Assembling that record properly, early, and in a form that will stand up before a registrar, an arbitration panel, a court, or law enforcement is a discipline in itself, and it is where an experienced investigator earns their keep. It is also the foundation for every recovery route that follows.
What the Precedent Establishes
Vendors who hold domains for ransom frequently believe the outcome would favor them if the matter were ever formally tested, often because they have been told so, or because a contract seems to bless the practice. The published record does not support that belief. Reviewing the decisions of the two providers that resolve these disputes in the United States — WIPO (the World Intellectual Property Organization) and the Forum (formerly the National Arbitration Forum) — under the UDRP (Uniform Domain-Name Dispute-Resolution Policy, the ICANN arbitration system for domain ownership), we were unable to locate a single decision in which a developer who seized a client’s domain over nonpayment prevailed on the theory that a contract entitled him to keep it. The outcomes point the other way with notable consistency.
Consider *Alaska Health Fair, Inc. v. Chris Jacobson* (National Arbitration Forum, 2013). A developer who had lawfully come to hold his client’s domain retained it after payments stopped, even displaying a notice that the site was suspended over overdue invoices. The panel ordered the domain returned, reasoning that leveraging a client’s domain to extract a fee is bad-faith use, whatever the circumstances of the original registration.
The courts have reached further than arbitration can. In *DSPT International, Inc. v. Nahum*, 624 F.3d 1213 (9th Cir. 2010), an individual engaged to help develop a company’s website registered the domain in his own name, then withheld it while demanding payment of claimed commissions. A jury found him liable for bad-faith cybersquatting under the ACPA (the Anticybersquatting Consumer Protection Act, 15 U.S.C. § 1125(d)), the damages approached $152,000, and the Ninth Circuit affirmed, holding that “using a domain name to get leverage in a business dispute can establish a violation of the ACPA.”
Both rest on an even more basic proposition. In *Kremen v. Cohen*, 337 F.3d 1024 (9th Cir. 2003), the litigation over Sex.com, the Ninth Circuit recognized that a domain name is a form of property capable of being owned and of being wrongfully converted. If a domain is property, then taking one that belongs to another party and refusing to return it is not a shrewd application of a contract. It is the misappropriation of an asset.
Why the Contract Clause Does Not Do What Vendors Think
The clause that reads, in effect, “the client agrees the developer may keep the domain until paid” is the centerpiece of most vendors’ confidence and the source of much of the owner’s fear. On examination it accomplishes far less than either side assumes.
A contract is capable of creating an obligation to pay. It is not capable of transferring ownership of the client’s own domain to the vendor, and it cannot lawfully license the vendor to seize and retain that domain as a means of collecting. A vendor who is genuinely owed money has proper channels for recovering it — a demand, collections, small-claims court, civil litigation — none of which depend on controlling the client’s domain. Courts decline to enforce contractual terms that purport to authorize the self-help taking of property the party never owned. In practice, the clause frequently works against the vendor, because it demonstrates that the domain was taken deliberately and held for payment, which is precisely the conduct panels and courts condemn.
When the Matter Crosses Into Criminal Territory
Owners are often surprised to learn that an unauthorized domain transfer is not purely a civil affair. Depending on how it was carried out, it can expose the person who did it to criminal liability, which is why involving law enforcement is a legitimate option and not merely a pressure tactic.
We are consultants and investigators, not attorneys, and none of this is legal advice. The relevant landscape, however, is worth knowing. Unauthorized domain transfers are frequently analyzed under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which addresses access to a protected computer without authorization or in excess of authorization — potentially relevant when someone uses registrar credentials they were not permitted to use in order to move a domain. Federal wire fraud, 18 U.S.C. § 1343, covers schemes to obtain money or property through electronic communications, and a domain hijacking is executed entirely through such systems. The ACPA supplies a civil cause of action, with statutory damages in appropriate cases. And state computer-crime, theft, and extortion statutes may apply as well; conditioning the return of property on payment of a disputed or nonexistent sum can, in the right facts, look like extortion under state law.
Whether any specific statute is implicated depends on how the taking occurred, which is one more reason a careful investigative record matters. The essential point for an owner is that the law regards an unauthorized domain transfer as the taking of property and permits it to be reported as such.
How We Help — and How Recovery Happens Through DNAccess
Our role in these matters is twofold. As consultants, we help the owner and, where relevant, their counsel understand the situation clearly: what the WHOIS history proves, why the debt and the domain are separate, which recovery routes fit the facts, and how strong the client’s position actually is. When the dispute proceeds to litigation, we are also engaged as expert witnesses on domain names, WHOIS and DNS history, and internet investigations, translating technical facts into evidence a court can weigh.
The recovery itself we handle through our DNAccess service. That work follows a deliberate sequence: preserving the WHOIS, transfer, DNS, financial, and communication records; reconstructing the ownership chain and the timeline of the taking; engaging the registrar, which maintains dispute and account-recovery procedures and is frequently the fastest path to restoring control before a domain moves further; preparing and pursuing a UDRP complaint where the domain matches the client’s business name or mark; coordinating with counsel on ACPA and conversion claims where the losses justify them; and supporting referrals to law enforcement and the FBI’s Internet Crime Complaint Center (IC3) where the facts warrant. At every stage we keep the debt dispute separated from the domain, so the vendor cannot use the one to justify holding the other.
Preventing It in the First Place
The least expensive version of this problem is the one that never happens, and the safeguards are neither complicated nor costly. Register your domains yourself, in the company’s name, in a company-controlled account at a reputable registrar, using a company email address. Keep the registrar account under company control and give vendors only the delegated access they need to do the work, rather than making them the account holder. Enable two-factor authentication and a registrar lock, and add a registry lock for domains the business cannot afford to lose. Watch your WHOIS and registration status so that any unauthorized change surfaces quickly. State ownership plainly in every vendor agreement: the company owns the domain, the vendor is granted access to perform work, and control returns to the company on request. And keep your invoices and payment records, because the financial trail and the WHOIS history are what ultimately decide these disputes.
If a vendor is holding your domain right now, resist the instinct to pay a ransom you may not owe, and do not assume the domain is gone. Preserve everything, keep the money question separate from the ownership question, and move promptly, because timing affects which recovery options remain open. This is exactly the kind of problem we are built to solve — analytically at Hartzer Consulting, and operationally through our DNAccess service — and we are glad to help owners either recover a domain that has been taken or protect one before anything happens to it.
Hartzer Consulting advises businesses and attorneys on SEO, digital marketing, domain names, and internet investigations, and provides expert witness services in these areas. Domain recovery and stolen-domain investigations are handled through our DNAccess service. We are not a law firm, and this article is not legal advice. If you are involved in a domain dispute, consult a qualified attorney about your specific situation.