How a Domain Hijack Happens in 3 Steps
The Story: 72 Hours to Lose Everything
It took 72 hours for a small business to lose their domain — and three months to get it back.
Sarah runs a mid-sized e-commerce store. Her company has spent five years building a brand around their domain name. Thousands of customers have it bookmarked. Hundreds of backlinks point to it. Their entire email infrastructure — support tickets, invoices, password resets — runs through it.
On a Tuesday morning, Sarah's phone starts blowing up. Customers are emailing her personal Gmail saying the website looks "weird." Her team can't log into the admin panel. The company email has stopped working entirely.
Sarah's domain has been hijacked. And it happened in exactly three steps.
This isn't a hypothetical. This pattern plays out thousands of times a year against businesses of every size. Let's walk through exactly how it works — so you can make sure it doesn't happen to you.
Step 1: Reconnaissance
The Attacker Does Their Homework
Every domain hijack starts with research. The attacker isn't guessing — they're building a profile of your domain, your registrar, and you.
The first thing an attacker does is run a WHOIS lookup on the target domain. If WHOIS privacy isn't enabled, this single query hands them a goldmine: the domain owner's full name, email address, phone number, physical address, the registrar where the domain is registered, and when the domain expires.
In Sarah's case, she'd registered the domain years ago through a budget registrar and never enabled WHOIS privacy. Her personal email, her full name, and the registrar name were all public information.
Next, the attacker cross-references that information. They search for data breaches linked to Sarah's email address. They check social media for security questions she might have answered publicly — her mother's maiden name, the city she grew up in, her first pet. They look at the registrar's support process: Does it offer phone support? Live chat? How do they verify identity?
The attacker also checks the domain's DNS records. They note the nameservers, the mail provider, whether DNSSEC is enabled. They look for any weak links — maybe the DNS is managed through a separate provider with its own credentials, or maybe the domain is nearing expiration.
Key insight: The reconnaissance phase is silent. There are no alerts, no failed login attempts, nothing to trigger suspicion. The attacker is simply collecting publicly available information. This is why WHOIS privacy and minimizing your public exposure matter so much.
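Turning this around to the defender's side: the same WHOIS record the attacker reads is the one you should be auditing yourself. The script below is an added example (not GuardHound's code, and not from the original article) that parses the text a `whois` query returns and flags the exposures Step 1 depends on: registrant details published without WHOIS privacy, no clientTransferProhibited transfer lock (the check the prevention section asks you to make), DNSSEC left unsigned, and an expiry date close enough that a failed auto-renewal becomes a takeover path. The two WHOIS records embedded in it are constructed samples in the shape of typical registry output, one weak and one hardened, so the script runs offline; the severities and the 60-day expiry window are assumptions you can tune.

```python
"""Audit your own domain's WHOIS record for the exposures an attacker looks for.

Added example, not GuardHound's code. Both WHOIS texts below are constructed
samples in the shape of typical registry output so the check runs offline.
"""
from datetime import date, datetime, timedelta

# Constructed sample: a domain with no privacy, no lock, no DNSSEC, expiry near.
SAMPLE_WHOIS_WEAK = """\
Domain Name: EXAMPLE-STORE.COM
Registrar: Budget Registrar Inc.
Creation Date: 2019-03-02T08:00:00Z
Registry Expiry Date: 2025-03-02T08:00:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Name: Sarah Example
Registrant Email: sarah@example-personal.test
Name Server: NS1.BUDGET-DNS.TEST
Name Server: NS2.BUDGET-DNS.TEST
DNSSEC: unsigned
"""

# Constructed sample: the same domain after the prevention checklist is applied.
SAMPLE_WHOIS_HARDENED = """\
Domain Name: EXAMPLE-STORE.COM
Registrar: Careful Registrar LLC
Registry Expiry Date: 2028-03-02T08:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
DNSSEC: signedDelegation
"""

# EPP status codes that block a transfer; either one counts as "locked".
LOCK_STATUSES = {"clienttransferprohibited", "servertransferprohibited"}
# Strings registries and privacy services put in place of real contact data.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld")
EXPIRY_WARNING_DAYS = 60  # assumption: warn when renewal is due within 60 days


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys can repeat)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def assess(text, today):
    """Return (severity, finding) tuples describing hijack-relevant exposures."""
    f = parse_whois(text)
    findings = []

    # Registrar lock: the status line should carry a transfer-prohibited code.
    statuses = {s.split()[0].lower() for s in f.get("domain status", []) if s}
    if not statuses & LOCK_STATUSES:
        findings.append(("high", "transfer lock absent (no clientTransferProhibited)"))

    # WHOIS privacy: registrant name/email should be redacted or proxied.
    contact = " ".join(f.get("registrant name", []) + f.get("registrant email", [])).lower()
    if contact and not any(m in contact for m in PRIVACY_MARKERS):
        findings.append(("high", "registrant name/email published (WHOIS privacy off)"))

    # DNSSEC: an unsigned delegation lets spoofed answers go undetected.
    if any(v.lower().startswith("unsigned") for v in f.get("dnssec", [])):
        findings.append(("medium", "DNSSEC not enabled"))

    # Expiry: a silently failed renewal is the "expired domain route".
    for raw in f.get("registry expiry date", []):
        expiry = datetime.strptime(raw[:10], "%Y-%m-%d").date()
        if expiry - today <= timedelta(days=EXPIRY_WARNING_DAYS):
            findings.append(("medium", f"domain expires {expiry} (within {EXPIRY_WARNING_DAYS} days)"))
    return findings


def demo():
    """Assess both constructed samples as of a fixed date so results are stable."""
    as_of = date(2025, 1, 15)
    return {
        "weak": assess(SAMPLE_WHOIS_WEAK, as_of),
        "hardened": assess(SAMPLE_WHOIS_HARDENED, as_of),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no findings'}")
```

In practice you would feed `assess()` the output of `whois yourdomain.example` (or an RDAP response flattened to the same key/value shape) and run it on a schedule; the weak sample produces four findings and the hardened sample none, which is the state the prevention checklist aims for.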
Step 2: Transfer or DNS Takeover
The Attacker Makes Their Move
Armed with research, the attacker now exploits the weakest link in the chain — whether that's the registrar's support team, the owner's email, or the DNS provider.
This is where the attack goes from passive to active. The attacker has multiple playbooks to choose from, and they'll pick whichever one gives them the easiest path in.
The Social Engineering Route
The most common approach. The attacker calls or emails the registrar's support team, posing as the domain owner. They use the information gathered in Step 1 to pass identity verification: "Hi, I'm Sarah, and I need to reset my account password. My email on file is sarah@... and the domain was registered on..."
Budget registrars with undertrained support staff are especially vulnerable. The attacker might claim they've lost access to their email and need to update it. Once they control the account email, they can reset the password, disable two-factor authentication (if it was even enabled), unlock the domain, and initiate a transfer.
The Credential Stuffing Route
If Sarah reused the same password across multiple services — and one of those services was breached — the attacker can simply log in to her registrar account directly. No social engineering required. They already have the keys.
This is devastatingly effective. A 2024 Verizon report found that over 80% of hacking-related breaches involve compromised credentials, and most people reuse passwords across services.
The Expired Domain Route
Sometimes the attack is even simpler. The domain owner's credit card on file expires. Auto-renewal fails silently. The domain enters a redemption period, then becomes available to the public. Attackers monitor high-value expiring domains using automated tools and snap them up the instant they drop.
The DNS Manipulation Route
Instead of transferring the domain entirely, the attacker might target the DNS configuration. If they can access the DNS management panel — either through the registrar or a third-party DNS provider like Cloudflare — they can change the nameservers to ones they control. This redirects all traffic without changing domain ownership.
In Sarah's case, the attacker used a combination of approaches. They found her password in a data breach, logged into her registrar account (which had no 2FA), changed the nameservers to point to their own infrastructure, and updated the account email to lock Sarah out.
The whole thing took less than fifteen minutes.
Step 3: Exploitation
The Attacker Cashes In
With control of the domain, the attacker moves fast to extract maximum value before anyone notices.
Now the attacker has control. The domain is pointing to their servers. Every visitor, every email, every API call that relies on that domain is now flowing through infrastructure the attacker controls.
Here's what typically happens next:
A convincing phishing site goes live. The attacker stands up a clone of the original website — same logo, same layout, same product pages. But the checkout form now sends credit card numbers to the attacker. Customers who visit the site see what looks like a perfectly normal store and have no reason to suspect anything is wrong.
Email gets intercepted. With control of the domain's MX records, the attacker can receive every email sent to any address at that domain. Password reset links. Customer inquiries. Invoices. Internal communications between team members. They can also send email from the domain, which means they can impersonate the business in conversations with customers, partners, and suppliers.
Credential theft at scale. The phishing site captures login credentials from returning customers who try to access their accounts. These credentials are often reused across other services, giving the attacker access to customers' email, banking, and social media accounts.
Ransom demands. Some attackers contact the domain owner directly: "Pay $50,000 in Bitcoin and we'll give your domain back." The victim, watching their business hemorrhage money and reputation by the hour, faces an impossible choice.
For Sarah, the attacker set up a phishing site that captured 2,300 customer credentials over three days before someone finally noticed. Her business email was being used to send invoices with fraudulent payment details to her wholesale clients.
The Aftermath
Getting a hijacked domain back is not a simple "call your registrar" situation. It's a grueling, expensive, and often months-long process.
Sarah eventually recovered her domain through a UDRP filing with ICANN — three months and $12,000 later. But 40% of her customer base never came back, and her Google rankings didn't fully recover for six months.
How to Prevent This
The good news: every step of this attack was preventable. Here's the checklist that would have stopped it:
The clientTransferProhibited status code prevents your domain from being transferred without you explicitly unlocking it. Verify it's active by checking your WHOIS records.
How GuardHound Detects This Early
GuardHound is built to catch domain hijacking attempts before they become full-blown crises. Here's how:
WHOIS change detection. GuardHound monitors your domain's WHOIS records continuously. If the registrant name, email, nameservers, or any other registration detail changes without your authorization, you get an instant alert. In Sarah's scenario, she would have been notified within minutes of the attacker changing her DNS settings.
DNS monitoring. Changes to your A records, MX records, nameservers, or CNAME records are flagged immediately. This catches both full domain transfers and the more subtle DNS manipulation attacks where the attacker redirects traffic without changing ownership.
SSL certificate tracking. If an attacker takes over your domain and installs a new SSL certificate (which they need to serve HTTPS), GuardHound detects the certificate change. A new certificate on your domain that you didn't request is a major red flag.
Comprehensive domain health checks. Beyond hijacking, GuardHound scans for the full spectrum of domain security issues: email authentication (DMARC, SPF, DKIM), SSL configuration, open ports, and more. A single dashboard shows you everything about your domain's security posture.
Alerts that actually reach you. Email notifications fire instantly when changes are detected. Minutes matter during a hijacking attempt — the difference between catching it in 5 minutes vs. 5 days can be the difference between a quick DNS revert and a months-long legal battle.
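The detection logic behind the WHOIS and DNS change alerts described above comes down to one idea: keep a trusted baseline of the records that matter and diff every fresh snapshot against it. The script below is an added example, not GuardHound's code, showing that loop for NS, MX and A records and naming the pattern a change fits (a full nameserver swap like the one in Sarah's case is the most severe, because it hands the attacker every record at once). The resolver is a constructed stand-in returning canned answers so the example runs offline; the record values, the severity table and the hostname `example-store.test` are all constructed for illustration.

```python
"""Baseline-and-diff DNS monitor of the kind the monitoring section describes.

Added example, not GuardHound's code. `fake_resolver` returns constructed
answers so this runs offline; a deployment would plug in a real resolver.
"""

MONITORED_TYPES = ("NS", "MX", "A")
# Assumed severities: delegation and mail changes are the hijack signatures.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high"}

# Constructed baseline: what the owner's domain returned when it was last known good.
BASELINE = {
    "NS": {"ns1.budget-dns.test.", "ns2.budget-dns.test."},
    "MX": {"10 mail.example-store.test."},
    "A": {"203.0.113.10"},
}

# Constructed answers after a takeover: nameservers and MX swapped, A untouched.
HIJACKED_ANSWERS = {
    "NS": ["ns1.rogue-dns.test.", "ns2.rogue-dns.test."],
    "MX": ["10 mx.rogue-dns.test."],
    "A": ["203.0.113.10"],
}


def fake_resolver(answers):
    """Stand-in for a real resolver: resolve(domain, rtype) -> iterable of records."""
    return lambda domain, rtype: answers.get(rtype, ())


def snapshot(domain, resolve):
    """Capture the current value set of each monitored record type."""
    return {rtype: set(resolve(domain, rtype)) for rtype in MONITORED_TYPES}


def diff_records(baseline, observed):
    """Return one alert per record type whose set of values changed."""
    alerts = []
    for rtype in MONITORED_TYPES:
        before = baseline.get(rtype, set())
        after = observed.get(rtype, set())
        if before == after:
            continue
        alerts.append({
            "type": rtype,
            "severity": SEVERITY[rtype],
            "added": sorted(after - before),
            "removed": sorted(before - after),
        })
    return alerts


def classify(baseline, alerts):
    """Name the pattern the set of changes fits, most severe first."""
    changed = {a["type"]: a for a in alerts}
    if "NS" in changed and set(changed["NS"]["removed"]) == baseline["NS"]:
        return "delegation takeover: every nameserver replaced"
    if "NS" in changed:
        return "partial nameserver change: confirm with the registrar"
    if "MX" in changed:
        return "mail redirection: MX records changed"
    if "A" in changed:
        return "web redirection: A records changed"
    return "no change"


def monitor(domain, baseline, resolve):
    """One monitoring pass: snapshot, diff against baseline, classify."""
    alerts = diff_records(baseline, snapshot(domain, resolve))
    return {"domain": domain, "alerts": alerts, "verdict": classify(baseline, alerts)}


def demo():
    """Run one clean pass and one pass against the constructed hijacked answers."""
    domain = "example-store.test"
    clean = fake_resolver({k: sorted(v) for k, v in BASELINE.items()})
    return {
        "clean": monitor(domain, BASELINE, clean),
        "hijacked": monitor(domain, BASELINE, fake_resolver(HIJACKED_ANSWERS)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['verdict']}")
        for alert in result["alerts"]:
            print(f"  [{alert['severity']}] {alert['type']} +{alert['added']} -{alert['removed']}")
```

To deploy this, persist `BASELINE` as JSON the first time you are sure the records are correct, replace `fake_resolver` with a real lookup (for example dnspython's `dns.resolver.resolve(domain, rtype)`), and run `monitor()` every few minutes; a verdict other than "no change" is the alert, and the NS verdict is the one to act on first because a delegation change makes every other record the attacker's to rewrite.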
Scan Your Domain Now — Free in 30 Seconds
Don't wait until your domain is hijacked to find out you were vulnerable. Run a free scan to check your WHOIS exposure, DNS configuration, and overall domain security.
Frequently Asked Questions
How long does it take an attacker to hijack a domain?
A skilled attacker can complete a domain hijack in as little as a few hours. The reconnaissance phase may take days or weeks of passive information gathering, but once the attacker has what they need, the actual takeover — changing DNS records, resetting account credentials, or initiating a transfer — can happen in minutes. This speed is exactly why continuous monitoring matters: by the time you notice something is wrong through manual checks, the attacker may have already redirected your traffic, intercepted your email, and set up a phishing site.
Can domain hijacking happen even with registrar lock enabled?
Yes, but it's harder. Registrar lock (the clientTransferProhibited status) prevents unauthorized domain transfers, which is an essential protection. However, it doesn't protect against all attack vectors. An attacker who gains access to your registrar account can disable the lock before initiating a transfer. Social engineering attacks against registrar support staff can also bypass it. Think of registrar lock as one critical layer in a defense-in-depth strategy — it needs to be combined with strong passwords, 2FA, WHOIS privacy, and monitoring to be truly effective.
What should I do immediately if my domain is hijacked?
Time is your most valuable asset. First, contact your registrar's emergency support line immediately — don't wait for business hours. Tell them your domain has been hijacked and request an immediate freeze on all changes. Second, document everything: screenshot the changed WHOIS records, DNS settings, and any malicious content being served on your domain. Third, file a complaint with ICANN if the domain has been transferred to another registrar. Fourth, if significant business value or customer data is at stake, contact law enforcement and a lawyer who specializes in domain disputes. Finally, notify your customers through alternative channels (social media, direct email from a different domain) that your primary domain has been compromised.
How much does it cost to recover a hijacked domain?
Recovery costs vary enormously depending on complexity. A UDRP complaint through ICANN costs $1,500–$5,000 in filing fees alone, and you'll likely need legal counsel on top of that. If the case requires court proceedings, costs can reach $20,000–$100,000+. Some domain recovery specialists charge $5,000–$20,000 for complex cases involving international jurisdictions. Beyond direct recovery costs, factor in lost revenue during downtime, customer notification costs, potential regulatory fines, PR crisis management, and the long-term brand damage. Prevention is almost always cheaper than recovery — by orders of magnitude.
Does WHOIS privacy protect against domain hijacking?
WHOIS privacy is a valuable first line of defense, but it's not a silver bullet. It works by replacing your personal information in the public WHOIS database with proxy details, which makes it significantly harder for attackers to identify your registrar, gather personal information for social engineering, or find contact details to target with phishing. However, WHOIS privacy doesn't protect the registrar account itself. An attacker who obtains your credentials through a data breach or phishing can still log in and take control. Use WHOIS privacy as part of a layered approach that includes strong authentication, registrar lock, and continuous monitoring.