Large batch of domains stolen from Norwegian domainer – How did they do it?
A large batch of mostly LLLL .com domain names has been stolen from its rightful owner, Norwegian domainer Rune Holte.
This post serves both as an alert to the list of stolen domains and a ping to the rightful owner, who’s quite probably unaware of the theft.
GMIX.com was offered for sale on DNForum by an 8-month old forum member, with no previous posts. GMIX.com is a 13-year old domain name that did not change hands until the beginning of August.
In the sales thread, the seller claimed they held the domain for 11 years, whereas historic WHOIS at DomainTools shows that the domain was moved from Moniker to GoDaddy and then it changed ownership to a “John Martin” with a fake California address.
So how did the thieves do it?
GMIX.com – along with several other domains that we will list below – had a Norwegian .no email address as the registrant, admin and technical contacts.
The problem is, that domain was left to expire and drop; its holder, Rune Holte, was most likely unaware of this.
Apparently, the thieves noticed that GMIX.com was a “domain orphan” and they simply went ahead and re-registered its parent, akuttklinikken.no.
According to top WHOIS tool DomainTools, akuttklinikken.no was re-registered on 7/24/2012 – mere days before GMIX.com and other LLLL .com domains were moved away from their holding account.
Then, the thieves hosted akuttklinikken.no and re-enabled the admin email, firstname.lastname@example.org which gave them access to the Moniker account containing GMIX.com and other domains.
That’s why it’s important to have two-way authentication available and enabled at all domain registrars!
Currently, the sales thread at DNForum was moved to the Legal & Issues section; pending further analysis. From our review, the seller is an Algerian residing in France, that tried to convince the forum members he’s in fact a Norwegian living in the US.
The following domain names are considered stolen:
Email addresses used by the thieves include email@example.com and firstname.lastname@example.org – the domains GMIX.com and 2-P.com are also being offered for sale on the Arab forum Traidnt by user sami2186.
The latter username turns up at Gaza-Hacker.com as part of the “Gaza Hacker Team” and a reference to the domain hacker.ps.
Thankfully, Norwegian domain investor Stian is currently attempting to locate the real owner of the stolen domains, Rune Holte.