Large batch of domains stolen from Norwegian domainer – How did they do it?

A large batch of mostly LLLL .com domain names has been stolen from its rightful owner, Norwegian domainer Rune Holte.

This post serves both as an alert to the list of stolen domains and a ping to the rightful owner, who’s quite probably unaware of the theft.

GMIX.com was offered for sale on DNForum by an 8-month old forum member, with no previous posts. GMIX.com is a 13-year old domain name that did not change hands until the beginning of August.

In the sales thread, the seller claimed they had held the domain for 11 years, whereas historic WHOIS at DomainTools shows that the domain was moved from Moniker to GoDaddy and then changed ownership to a “John Martin” with a fake California address.

So how did the thieves do it?

GMIX.com – along with several other domains that we will list below – had a Norwegian .no email address as the registrant, admin and technical contacts.

The problem is that the domain behind that email address was left to expire and drop; its holder, Rune Holte, was most likely unaware of this.

Apparently, the thieves noticed that GMIX.com was a “domain orphan” and they simply went ahead and re-registered its parent, akuttklinikken.no.

According to top WHOIS tool DomainTools, akuttklinikken.no was re-registered on 7/24/2012 – mere days before GMIX.com and other LLLL .com domains were moved away from their holding account.

Then, the thieves hosted akuttklinikken.no and re-enabled the admin email, rune@akuttklinikken.no, which gave them access to the Moniker account containing GMIX.com and other domains.

That’s why it’s important to have two-factor authentication available and enabled at all domain registrars!
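A check a portfolio holder could run to catch the orphaned-contact condition described above, as an added example that is not part of the original post. It flags registrar contact emails whose own domain has dropped, is close to expiry, or was registered after the contact was set. All names and dates are constructed, and the registration facts are embedded rather than fetched from WHOIS/RDAP, which is an assumption about how the data would be gathered.

```python
from datetime import date, timedelta

# Constructed sample data. In practice the registration facts would come from
# WHOIS/RDAP lookups; they are embedded here so the example runs offline.
PORTFOLIO = [
    # name held at a registrar, account contact email, date that contact was set
    {"domain": "aaaa.example", "contact": "owner@clinic.example", "contact_set": date(2001, 5, 1)},
    {"domain": "bbbb.example", "contact": "owner@dropped.example", "contact_set": date(2003, 2, 10)},
    {"domain": "cccc.example", "contact": "owner@lapsing.example", "contact_set": date(2005, 9, 3)},
    {"domain": "dddd.example", "contact": "owner@stable.example", "contact_set": date(2004, 1, 20)},
]
# Email domain -> registration facts, or None when the name is unregistered.
REGISTRATIONS = {
    "clinic.example": {"created": date(2012, 7, 24), "expires": date(2013, 7, 24)},
    "dropped.example": None,
    "lapsing.example": {"created": date(2000, 3, 1), "expires": date(2012, 9, 1)},
    "stable.example": {"created": date(1999, 6, 15), "expires": date(2016, 6, 15)},
}

def audit_contacts(portfolio, registrations, today, warn_days=60):
    """Return {domain: finding} for contacts whose email domain is at risk."""
    findings = {}
    for entry in portfolio:
        mail_domain = entry["contact"].rsplit("@", 1)[1].lower()
        reg = registrations.get(mail_domain)
        if reg is None:
            # Dropped: anyone can register it and receive account-recovery mail.
            findings[entry["domain"]] = "UNREGISTERED"
        elif reg["created"] > entry["contact_set"]:
            # The email domain is newer than the contact record, so it dropped
            # and was registered again, possibly by someone else.
            findings[entry["domain"]] = "REREGISTERED"
        elif reg["expires"] - today <= timedelta(days=warn_days):
            # Still held, but inside the renewal warning window (or past it).
            findings[entry["domain"]] = "EXPIRING"
    return findings

if __name__ == "__main__":
    report = audit_contacts(PORTFOLIO, REGISTRATIONS, date(2012, 8, 15))
    for domain, finding in report.items():
        print(f"{domain}: {finding}")
```

A REREGISTERED finding means the contact address should be replaced at the registrar before anything else, since mail to it may already reach a third party.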

The sales thread at DNForum has now been moved to the Legal & Issues section, pending further analysis. From our review, the seller is an Algerian residing in France who tried to convince the forum members that he is in fact a Norwegian living in the US.

The following domain names are considered stolen:

Email addresses used by the thieves include frapayp@mail.com and debizet@gmail.com. The domains GMIX.com and 2-P.com are also being offered for sale on the Arab forum Traidnt by user sami2186.

The latter username turns up at Gaza-Hacker.com as part of the “Gaza Hacker Team” and a reference to the domain hacker.ps.

Thankfully, Norwegian domain investor Stian is currently attempting to locate the real owner of the stolen domains, Rune Holte.

Copyright © 2024 DomainGang.com · All Rights Reserved.