
What Is Domain Hijacking and How to Detect It

Domain hijacking — also called domain theft — is the unauthorised transfer of a domain name to a different registrar or owner without the legitimate owner's consent. The attacker gains control of your domain, and with it, your website, email, and online identity.

Unlike server breaches, which attack your infrastructure, domain hijacking attacks the naming layer above your infrastructure. Even if your servers are perfectly secure, a hijacked domain renders them unreachable — or worse, redirects your traffic to a malicious site while your brand takes the blame.

How Domain Hijacking Happens

Registrar Account Compromise

The most common vector. Attackers gain access to your domain registrar account (GoDaddy, Namecheap, Cloudflare, etc.) through phishing emails targeting domain administrators, credential stuffing using leaked passwords from other breaches, or social engineering registrar support staff.

Once inside, they change the registrant contact and initiate a transfer to a registrar they control.

Registrar-Level Social Engineering

Attackers impersonate the domain owner and convince registrar support to override security controls or release a transfer. This is less common now that registrars have improved identity verification, but it still occurs.

Expired Domain Hijacking

If you fail to renew a domain on time, it enters a redemption period and eventually becomes available for public registration. Competitors or squatters register it immediately. This is technically legal but devastating.

DNS Record Manipulation

A related but distinct attack — rather than transferring the domain, attackers compromise your DNS provider credentials and change your DNS records to redirect traffic. Your WHOIS still shows you as the owner, but users are sent elsewhere.

The Impact of Domain Hijacking

A hijacked domain can cause:

  • Complete website outage — traffic goes nowhere or to attacker infrastructure
  • Email interception — attackers read or redirect incoming email, including password resets for other services
  • Brand damage — users see a parked page, phishing site, or malicious content instead of your service
  • SEO damage — Google may flag your domain as compromised, resulting in deindexing
  • Financial loss — SaaS companies, e-commerce sites, and API providers lose revenue immediately

Recovery can take days to weeks, even with proof of ownership, because domain transfers involve multiple parties and compliance periods.

How Monitoring Detects Domain Hijacking Early

WHOIS Monitoring

The fastest automated detection method. Your monitoring tool polls the WHOIS record for your domain on a schedule and alerts you when the registrant name, registrant email, registrar name, or nameservers change unexpectedly.

Legitimate WHOIS changes are rare. If your monitoring alerts you that the registrant contact changed, treat it as a confirmed incident until proven otherwise.

Domain Monitor includes WHOIS monitoring with alerting for registrar changes, making domain hijacking detectable within minutes rather than hours or days.
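The comparison described above, as an added sketch (not Domain Monitor's implementation): it parses two raw WHOIS responses and reports changes to the four watched fields. The field labels follow common gTLD WHOIS output, which is an assumption, and the sample records are constructed.

```python
import re

# Watched fields and the labels they usually carry in gTLD WHOIS output
# (label format is an assumption; registries differ).
WATCHED = {
    "registrar": r"^[ \t]*Registrar:[ \t]*(.+)$",
    "registrant_name": r"^[ \t]*Registrant Name:[ \t]*(.+)$",
    "registrant_email": r"^[ \t]*Registrant Email:[ \t]*(.+)$",
    "nameservers": r"^[ \t]*Name Server:[ \t]*(.+)$",
}

def parse_whois(raw):
    """Return {field: set of normalised values} for the watched fields."""
    record = {}
    for field, pattern in WATCHED.items():
        found = re.findall(pattern, raw, flags=re.MULTILINE | re.IGNORECASE)
        # Case and a trailing dot are cosmetic, so they must not raise alerts.
        record[field] = {v.strip().lower().rstrip(".") for v in found}
    if not any(record.values()):
        # Rate-limited or empty reply: a failed poll, not a change of owner.
        raise LookupError("no watched fields in WHOIS response")
    return record

def diff_whois(baseline, current):
    """List (field, removed, added) for each watched field that differs."""
    changes = []
    for field in WATCHED:
        old, new = baseline[field], current[field]
        if old != new:
            changes.append((field, sorted(old - new), sorted(new - old)))
    return changes

# Constructed sample records (not real WHOIS data).
BASELINE_RAW = """Domain Name: EXAMPLE.COM
Registrar: Example Registrar LLC
Registrant Name: Example Org
Registrant Email: hostmaster@example.net
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""
CURRENT_RAW = (BASELINE_RAW
               .replace("Example Registrar LLC", "Other Registrar Ltd")
               .replace("NS2.EXAMPLE-DNS.NET", "ns1.unknown-host.test."))

if __name__ == "__main__":
    for change in diff_whois(parse_whois(BASELINE_RAW), parse_whois(CURRENT_RAW)):
        print("ALERT", change)
```

Treating an empty response as a lookup failure keeps a rate-limited poll from looking like every field was removed.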

DNS Change Detection

Monitor your domain DNS records for unexpected changes:

  • A records — the IP addresses your domain resolves to
  • MX records — where your email is delivered
  • NS records — which nameservers are authoritative for your domain

If your A record changes to an IP you do not recognise, or your NS records point to nameservers you did not configure, something has gone wrong. This can indicate nameserver hijacking or registrar compromise.
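One way to decide whether a resolved value is one "you do not recognise", as an added example that is not from the original article: answers are checked against an approved baseline, with A records matched by network range so routine IP rotation inside your own hosting ranges stays quiet. The baseline, hostnames and resolver answers are constructed, and the resolver query itself is left out.

```python
import ipaddress

# Constructed baseline of what this domain should resolve to (hypothetical values).
EXPECTED = {
    "A_networks": ["192.0.2.0/24"],   # hosting ranges you control
    "MX_hosts": {"mail.example.com"},
    "NS_hosts": {"ns1.example-dns.net", "ns2.example-dns.net"},
}

def canon(hostname):
    """Lower-case and drop the trailing root dot so equal names compare equal."""
    return hostname.strip().lower().rstrip(".")

def check_dns(observed, expected=EXPECTED):
    """Return (record type, value, reason) for every answer outside the baseline."""
    findings = []
    networks = [ipaddress.ip_network(n) for n in expected["A_networks"]]
    for ip in observed.get("A", []):
        if not any(ipaddress.ip_address(ip) in net for net in networks):
            findings.append(("A", ip, "address outside approved networks"))
    for mx in observed.get("MX", []):
        target = canon(mx.split()[-1])   # "10 mail.example.com." -> host part
        if target not in expected["MX_hosts"]:
            findings.append(("MX", target, "unrecognised mail exchanger"))
    seen_ns = {canon(ns) for ns in observed.get("NS", [])}
    for ns in sorted(seen_ns - expected["NS_hosts"]):
        findings.append(("NS", ns, "unrecognised nameserver"))
    for ns in sorted(expected["NS_hosts"] - seen_ns):
        findings.append(("NS", ns, "expected nameserver missing"))
    return findings

# Constructed resolver answers: the A record moved inside the approved range
# (no alert), the MX differs only cosmetically, one nameserver was replaced.
OBSERVED = {
    "A": ["192.0.2.44"],
    "MX": ["10 MAIL.example.com."],
    "NS": ["NS1.EXAMPLE-DNS.NET.", "ns1.unknown-host.test."],
}

if __name__ == "__main__":
    for finding in check_dns(OBSERVED):
        print("ALERT", finding)
```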

SSL Certificate Monitoring

Certificate transparency logs record every SSL certificate issued for a domain. Tools like crt.sh allow you to search these logs. Unexpected certificates issued to entities you do not recognise can indicate that an attacker has gained control of your domain.

Certificate Transparency monitoring is available through several security tools and provides early warning of fraudulent certificate issuance.
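A sketch of reviewing Certificate Transparency search results, added here and not part of the original article: it takes entries shaped like crt.sh's JSON output (the `issuer_name`, `name_value` and `serial_number` fields) and flags certificates for the domain that are not in your own inventory. The sample entries, CA names and serials are constructed, and fetching the JSON is left out.

```python
import json
import re

def issuer_org(issuer_name):
    """Pull the O= attribute out of an issuer DN string."""
    m = re.search(r'\bO=("[^"]+"|[^,]+)', issuer_name)
    return m.group(1).strip('" ') if m else ""

def review_ct(entries, domain, trusted_orgs, known_serials):
    """Return one finding per unrecognised certificate that covers `domain`."""
    findings = {}
    for e in entries:
        serial = e["serial_number"].lower()
        names = {n.strip().lower() for n in e["name_value"].splitlines()}
        # Exact or subdomain match only, so "notexample.com" is not ours.
        covered = sorted(n for n in names
                         if n == domain or n.endswith("." + domain))
        if not covered or serial in known_serials:
            continue
        org = issuer_org(e["issuer_name"])
        reason = ("unknown certificate from approved CA" if org in trusted_orgs
                  else "certificate from unexpected CA")
        # A precertificate and its final certificate share a serial: report once.
        findings[(org, serial)] = {"serial": serial, "issuer": org,
                                   "names": covered, "reason": reason}
    return [findings[k] for k in sorted(findings)]

# Constructed entries in the shape of crt.sh JSON output (not real certificates).
SAMPLE = json.loads("""[
 {"issuer_name": "C=US, O=Example Trust CA, CN=Example Trust R1",
  "name_value": "example.com\\nwww.example.com", "serial_number": "0a1b"},
 {"issuer_name": "C=US, O=Example Trust CA, CN=Example Trust R1",
  "name_value": "login.example.com", "serial_number": "0c2d"},
 {"issuer_name": "C=US, O=Example Trust CA, CN=Example Trust R1",
  "name_value": "login.example.com", "serial_number": "0C2D"},
 {"issuer_name": "C=XX, O=Other CA Ltd, CN=Other CA G2",
  "name_value": "*.example.com", "serial_number": "0e3f"},
 {"issuer_name": "C=XX, O=Other CA Ltd, CN=Other CA G2",
  "name_value": "notexample.com", "serial_number": "0f40"}
]""")

if __name__ == "__main__":
    for f in review_ct(SAMPLE, "example.com", {"Example Trust CA"}, {"0a1b"}):
        print("REVIEW", f)
```

A certificate from a CA you do use but with a serial you never requested still deserves review, which is why the inventory of known serials is checked separately from the issuer.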

Domain Expiry Monitoring

Monitor your domain expiry date and alert well in advance of renewal. A 60-day warning followed by a 30-day and a 14-day alert gives you multiple opportunities to renew before the domain enters a vulnerable state.

Many domain hijacking incidents are opportunistic: attackers monitor for expiring domains and register them immediately upon expiry. Robust expiry monitoring eliminates this risk. See monitoring SSL certificate expiry for a similar approach applied to certificates.

Uptime Monitoring as a Last Resort

If your domain has been hijacked and DNS now resolves to attacker infrastructure, your uptime monitoring will detect this — either as a connection failure if the attacker has not set up any response, or as unexpected content if you use content verification.

An uptime monitor checking for a specific string in your homepage response will alert immediately when that string disappears. This is the final safety net.

Prevention: Hardening Against Domain Hijacking

Enable Registrar Lock

Every major registrar offers a domain lock feature, also called transfer lock or registrar lock. When enabled, outbound transfers are blocked until the lock is explicitly disabled. Disabling the lock typically requires 2FA or identity verification.

Enable this for all domains. It is the single most effective prevention measure.

Use Registrar-Level 2FA

Enable two-factor authentication on your domain registrar account. Use an authenticator app rather than SMS — SIM-swapping attacks can bypass SMS 2FA.

Use a Dedicated Domain Email

The email address associated with your domain registrar account is a high-value target. Use a dedicated email address not connected to your main domain for registrar communications. This prevents attackers who compromise your domain email from also accessing your registrar account.

Registry Lock for High-Value Domains

For critical domains, consider registry lock — a higher-security lock applied at the registry level rather than the registrar level. Registry locks require out-of-band verification, often a phone call, to release. This is typically a paid enterprise-level service.

Enable DNSSEC

DNSSEC cryptographically signs your DNS records, so validating resolvers reject forged DNS responses. While it does not prevent domain transfer, it significantly raises the bar for DNS manipulation attacks.

Audit Registrar Account Access

Regularly review who has access to your registrar account, what API keys or tokens are active, and whether contact details are current and point to controlled inboxes.

What to Do If Your Domain Is Hijacked

If you discover your domain has been hijacked, act immediately:

  1. Contact your registrar — report the unauthorised transfer and request an emergency suspension
  2. File a UDRP complaint — the Uniform Domain Name Dispute Resolution Policy provides a legal mechanism for recovering hijacked domains
  3. Contact ICANN — for .com, .net, .org domains, ICANN can intervene in documented cases of fraud
  4. Gather evidence — WHOIS history, billing records, registration confirmation emails, screenshots of your site
  5. Notify affected parties — email recipients, customers, and any service that depends on your domain for authentication or webhooks

Recovery is possible but takes time. Prevention through monitoring and registrar security is far preferable.

Combining Monitoring Layers

The strongest protection combines:

| Layer | What It Catches |
|---|---|
| WHOIS monitoring | Registrant changes, registrar changes |
| DNS monitoring | A, MX, NS record changes |
| Domain expiry alerts | Lapsing registration |
| SSL cert transparency | Fraudulent certificate issuance |
| Uptime monitoring | Traffic redirection, DNS resolution failure |

No single layer catches everything. Together they give you detection within minutes of any domain-level attack. See the website monitoring checklist for developers for a complete approach to monitoring across all layers.


WHOIS and DNS change monitoring catches domain hijacking within minutes. Set up domain monitoring at Domain Monitor.
