Large batch of domains stolen from Norwegian domainer – How did they do it?


A large batch of mostly LLLL .com domain names has been stolen from its rightful owner, Norwegian domainer Rune Holte.

This post serves both as an alert to the list of stolen domains and a ping to the rightful owner, who’s quite probably unaware of the theft.

GMIX.com was offered for sale on DNForum by an 8-month-old forum member with no previous posts. GMIX.com is a 13-year-old domain name that did not change hands until the beginning of August.

In the sales thread, the seller claimed they held the domain for 11 years, whereas historic WHOIS at DomainTools shows that the domain was moved from Moniker to GoDaddy and then it changed ownership to a “John Martin” with a fake California address.

So how did the thieves do it?

GMIX.com – along with several other domains that we will list below – had a Norwegian .no email address as the registrant, admin and technical contacts.

The problem is that the domain behind that email address was left to expire and drop; its holder, Rune Holte, was most likely unaware of this.

Apparently, the thieves noticed that GMIX.com was a “domain orphan” and they simply went ahead and re-registered its parent, akuttklinikken.no.

According to top WHOIS tool DomainTools, akuttklinikken.no was re-registered on 7/24/2012 – mere days before GMIX.com and other LLLL .com domains were moved away from their holding account.

Then, the thieves hosted akuttklinikken.no and re-enabled the admin email, rune@akuttklinikken.no, which gave them access to the Moniker account containing GMIX.com and other domains.

That’s why it’s important to have two-factor authentication available and enabled at all domain registrars!
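The exposure described above can be audited from the owner's side. This added example (not from the original post) checks each registrar contact email in a portfolio against registration data for the email's own domain; all names, dates and the `REGISTRY` table are constructed, and in practice that table would be filled from WHOIS or RDAP lookups.

```python
from datetime import date, timedelta
# Constructed sample data. REGISTRY stands in for WHOIS/RDAP results:
# (created, expires) for a registered name, None for an unregistered one.
TODAY = date(2024, 8, 1)
REGISTRY = {
    "old-clinic.example": (date(2024, 7, 24), date(2025, 7, 24)),
    "holding.example": (date(2009, 5, 1), date(2030, 5, 1)),
    "dropped.example": None,
    "soon.example": (date(2011, 1, 1), date(2024, 9, 1)),
}
PORTFOLIO = [  # (domain, date its contacts were set, contacts by role)
    ("abcd.example", date(2010, 3, 1), {"registrant": "owner@old-clinic.example",
                                        "admin": "owner@old-clinic.example"}),
    ("efgh.example", date(2015, 1, 1), {"registrant": "owner@mail.holding.example"}),
    ("ijkl.example", date(2016, 1, 1), {"registrant": "me@dropped.example",
                                        "tech": "noc@soon.example"}),
]

def closest_registration(host, registry):
    """Walk up the labels of a mail host to the name that has registry data."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        name = ".".join(labels[i:])
        if name in registry:
            return name, registry[name]
    return host.lower(), "no-data"

def audit_contact(email, contact_since, registry, today, warn_days=60):
    """Classify how exposed one registrar contact address is to takeover."""
    name, reg = closest_registration(email.rsplit("@", 1)[-1], registry)
    if reg == "no-data":
        return name, "UNKNOWN"       # never looked up: treat as unverified
    if reg is None:
        return name, "ORPHANED"      # unregistered: anyone can claim the mailbox
    created, expires = reg
    if created > contact_since:
        return name, "REREGISTERED"  # dropped and registered again since the contact was set
    if expires - today <= timedelta(days=warn_days):
        return name, "EXPIRING"
    return name, "OK"

def audit_portfolio(portfolio, registry, today):
    findings = []  # (domain, role, mail domain, verdict) for each contact that is not OK
    for domain, since, contacts in portfolio:
        for role, email in contacts.items():
            name, verdict = audit_contact(email, since, registry, today)
            if verdict != "OK":
                findings.append((domain, role, name, verdict))
    return findings
```

`REREGISTERED` is the condition this post describes: the mail domain's creation date is newer than the contact record that points at it.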

The sales thread at DNForum has been moved to the Legal & Issues section, pending further analysis. From our review, the seller is an Algerian residing in France who tried to convince the forum members that he is in fact a Norwegian living in the US.

The following domain names are considered stolen:

GMIX.COM
QRNH.COM
BBRZ.COM
OJRQ.COM
RZOR.COM
CUVW.COM
OSXU.COM
VXFO.COM
UZPN.COM
PVWX.COM
XKBU.COM
QNCB.COM
NVDX.COM
SAXG.COM
XGSV.COM
OZGZ.COM
2-P.COM

Email addresses used by the thieves include frapayp@mail.com and debizet@gmail.com – the domains GMIX.com and 2-P.com are also being offered for sale on the Arab forum Traidnt by user sami2186.

The latter username turns up at Gaza-Hacker.com as part of the “Gaza Hacker Team”, along with a reference to the domain hacker.ps.

Thankfully, Norwegian domain investor Stian is currently attempting to locate the real owner of the stolen domains, Rune Holte.


Copyright © 2017 DomainGang.com · All Rights Reserved.

Comments

15 Responses to “Large batch of domains stolen from Norwegian domainer – How did they do it?”
  1. What a S.O.B. I saw this thread and boy, the Domainers of the world are lucky to have you folks doing what you do. It is refreshing to see strangers helping each other out in this industry. Now, who do we know in France that can track the mofo down and tar and feather him?

  2. Lucius "Gunz" Fabrice says:

    Vincent Jacques – You’re welcome. All these domains were confirmed stolen after talking to their rightful owner in Norway.

    We need to get Francois to send les flics!

  3. Kate says:

    Nah the flics is too good for those thieves 🙂

    Tar and feathers please 🙂

  4. WsTv says:

    I am quite sure I have seen these at namepros as well … what a shocker

  5. jayjay says:

    Judging by the sales page layout for both Gmix and 2-p.com it seems that the would-be thief tried to hack/steal TCS.com,
    see screen shot:
    http://techslang.blogspot.com/2010/02/explaining-hacking-of-tcs-official.html

    (found from the keywords on the salespages)
    see:
    http://www.google.com/search?q=This+domaine+name+is+for+sale+Please+contact+us+for+further+informations.++Ce+nom+de+domaine+est+a+vendre+Merci+de+nous+contacter+pour+obtenir+de+plus+amples+informations&filter=0

    Seems like we need the French Foreign Legion's arsenal to nab this bad boy! 🙂

  6. Lucius "Gunz" Fabrice says:

    jayjay – Thanks for sharing those findings.

  7. Bikhiyal says:

    The domain 2-p.com is now being offered at eBay by someone, if this helps.
    The auction ends in 6 days, so if anything should be done, it should be done fast:

    http://www.ebay.com/itm/2-P-com-Sold-1400-sedo-LL-com-N-L-2-3-4-Character-letter-LLLL-com-Domain-name-/111069586328?pt=Domain_Names&hash=item19dc436398

  8. Bikhiyal says:

    update: also SAXG.com is offered by the same guy at ebay

    http://www.ebay.com/itm/Saxg-com-9-Yrs-Aged-Pronounceable-4-FOUR-letter-Brandable-LLLL-com-Domain-name-/121086376415?pt=Domain_Names&hash=item1c314f79df

    Could also be that this guy bought the names from the Thief without knowing that the names were stolen. Don’t know what happened meanwhile.

  9. DomainGang says:

    Bikhiyal – Thanks for pointing that out.

  10. Bob says:

    I bought these domains through Godaddy Auctions. …I called GoDaddy.com. They advised me since all the transactions are verified and gone through right channels.. that is through Godaddy. Godaddy sold these domains from the rightful owners to me. I am legally and fully protected by godaddy and as there is no illegal activity here. So I advise you or anyone who wants to talk please call (480) 505-8877 Godaddy customer support. They advised to directly call godaddy legal and Godaddy support anytime.

  11. Guy says:

    wow
    small world
    I actually owned 2-p/com about 5 years ago
    sold on the forum I think, can’t remember
    hope rightful owner gets back

  12. DomainGang says:

    Bob – Unfortunately that disclaimer won’t change the status of the domains, as they still belong to someone else. Good to see that you took the eBay auction down, that’s a good start.

    Guy – I can confirm that, indeed you’re right.

  13. Bogdan says:

    Hi DomainGang,
    Please find below the confirmation of my legal domain GMIX.COM purchase.
    Let me know if you need any further information.
    Regards,
    Bogdan Shevchuk

    Dear Bogdan Shevchuk,

    Congratulations! You have placed the winning bid for Item Number 102720014, GMIX.com, in the amount of $800.00.

    To complete your purchase by 04/22/2013 02:12 PM:
    Click here and log in if prompted.
    Select GMIX.com and click the “Pay for this domain” link.

    Remember that in accordance with the legal agreement you acknowledged at the time of your bid (Universal Terms of Service, UTOS), we will start a change of registrant and renewal immediately upon payment. Once renewed, the name cannot be transferred away for 60 days.

    If you have any questions, Customer Support is available 24 hours a day, 7 days a week:

    – Email: auctions@godaddy.com
    – Phone: (480) 505-8892
    – Online Support

    Sincerely,
    Go Daddy Auctions Team

  14. DomainGang says:

    Hello Bogdan – GoDaddy sold you stolen property, as it has been well documented.

    You should contact the person that the domain belongs to and arrange for its return: Rune Holte / runeholte@me.com

  15. Troy Asher says:

    Would it be correct, in legal terminology, to state that godaddy.com has “knowingly sold” stolen property and that Bogdan Shevchuk has “knowingly bought” stolen property?
