# website monitoring
How to Respond When Your Domain Has Been Hijacked
Domain hijacking — where an attacker seizes control of your domain registration and redirects traffic to their infrastructure — is one of the most serious incidents a website owner can face. Recovery is possible, but speed matters enormously. Every hour your domain is under attacker control is an hour of potential data theft, credential harvesting, and brand damage.
This guide covers immediate actions, registrar escalation, and the formal recovery process.
Confirm It's Actually Hijacking
Before escalating, confirm what you're dealing with. Symptoms of hijacking include:
- Domain resolving to an unexpected IP or site
- Nameservers changed to an unfamiliar provider
- Registrar account access denied (password changed)
- WHOIS showing different registrant contact details
- Email delivery failing (MX records changed)
Run a quick DNS check:
dig NS yourdomain.com
dig A yourdomain.com
whois yourdomain.com | grep -E "Name Server|Registrant"
Compare the results against your known-good records. If nameservers have changed to an unrecognised provider, treat this as active hijacking.
Immediate Actions (First 30 Minutes)
1. Document Everything
Before changing anything, capture evidence:
- Screenshot WHOIS output showing the current state
- Screenshot your registrar account if you can still access it
- Record the current DNS records (A, NS, MX)
- Note the timestamp of when the issue was first detected
This documentation is critical for registrar disputes, ICANN complaints, and any legal proceedings.
2. Try to Regain Registrar Account Access
Attempt to log into your registrar account:
- Try password reset using your registered email
- If email access is also compromised, escalate immediately to registrar support
- Use any secondary authentication methods you set up (backup codes, authenticator app)
3. Contact Your Registrar's Abuse Team Directly
Do not use standard support tickets — find the registrar's abuse or security team contact. For major registrars:
- GoDaddy: [email protected] / security hotline
- Namecheap: [email protected]
- Google Domains / Squarespace Domains: abuse process via their security page
- Cloudflare Registrar: [email protected]
State clearly: "My domain has been hijacked. I believe unauthorised changes have been made to my registrar account. I need account access suspended and the transfer/changes reversed."
4. Request an Immediate Lock
Ask the registrar to apply a server hold (serverHold status) on the domain. This prevents further DNS propagation changes while the dispute is resolved.
Escalation Path
Registry-Level Dispute
If your registrar is unresponsive or the domain has been transferred to a different registrar, you need to escalate to the domain registry — the organisation that manages the TLD (.com is managed by Verisign, .co.uk by Nominet, etc.).
Each registry has its own dispute process for hijacking cases. Registries can apply holds and reversals that override registrar-level changes.
ICANN Complaint
For gTLDs (.com, .net, .org, etc.), file a complaint with ICANN via their complaint portal. ICANN has authority over accredited registrars and can intervene in cases of unauthorised transfers.
ICANN's Transfer Dispute Resolution Policy (TDRP) covers unauthorised domain transfers between registrars.
UDRP (If Domain Is Being Used for Abuse)
If the attacker is using your hijacked domain for phishing, the Uniform Domain-Name Dispute-Resolution Policy (UDRP) allows rights holders to reclaim domains being used in bad faith. This is slower than the above routes but available.
Recovering Email Access
If your email was hosted on the hijacked domain, you've likely lost access to that email too. This creates a chicken-and-egg problem — your registrar sends verification emails to an address you can't access.
Steps:
- Provide your registrar with alternative identity verification (billing records, historical WHOIS data, account creation records)
- If your email provider is separate from your domain (e.g., Google Workspace on your own domain), contact Google Workspace support directly with proof of account ownership
- Ensure all critical accounts (banking, other registrars, hosting) are moved to an email address on a domain you still control
Post-Recovery: Hardening Your Registrar Account
Once the domain is recovered:
- Enable registrar lock — prevents transfer without manual verification
- Enable two-factor authentication on your registrar account
- Update all contact email addresses to a secure account not associated with the hijacked domain
- Add domain monitoring — catch any future DNS changes immediately
See how to prevent domain hijacking for a full prevention checklist, and registrar lock vs transfer lock for understanding the different protection mechanisms.
Related Articles
More posts
What Is a Subdomain Takeover and How to Prevent It
A subdomain takeover lets an attacker claim your subdomain by exploiting dangling DNS records. Learn how it happens, real-world examples, and how DNS monitoring detects it.
Read moreWhat Is Mean Time to Detect (MTTD)?
Mean time to detect (MTTD) measures how long it takes to discover an incident after it starts. Reducing MTTD is one of the highest-leverage improvements in reliability engineering.
Read moreWhat Is Black Box Monitoring?
Black box monitoring tests your systems from the outside, the way users experience them — without access to internal code or infrastructure. Learn how it works and when to use it.
Read moreSubscribe to our PRO plan.
Looking to monitor your website and domains? Join our platform and start today.