
A domain hijack means someone other than you takes control of your domain — they change nameservers, redirect traffic to their site, intercept emails, and demand ransom or sell the domain. In 2026, almost every successful hijack happens because the registrar account had a weak password and no 2FA. The other vectors (DNS exploits, registry compromises) are extremely rare.
The good news: 30 minutes of setup makes you a hard target.
The 5 settings every domain owner should harden today
1. Enable 2FA on your registrar account
Use an authenticator app (Google Authenticator, Authy, 1Password, Bitwarden) — NOT SMS. SMS 2FA is vulnerable to SIM-swap attacks, which are increasingly common.
Where to find it:
- REXO HOST: Profile → Security → Two-factor authentication → Enable TOTP
- GoDaddy: Sign-in & security → Add 2-step verification
- Namecheap: Profile → Security → Two-factor authentication
- Cloudflare: My Profile → Authentication → Two-factor authentication
Save your recovery codes somewhere offline. If you lose your phone, the recovery codes are your only path back into the account.
2. Turn on Domain Lock (Transfer Lock)
Domain Lock prevents transfer-out attempts at the registry level. Even if someone gets into your account, they can't transfer the domain to another registrar without first disabling the lock — giving you an email notification and time to react.
Where:
- REXO HOST: Domains are unlocked by default; toggle on per-domain
- GoDaddy: Domain Settings → Transfer → Domain Lock → ON
- Namecheap: Domain List → Manage → "Lock" → ON
- Cloudflare: Domains → Configuration → Transfer Lock → ON
Best for high-value domains. For speculative domains you might want to transfer later, leave unlocked.
3. Harden the WHOIS contact email
Your WHOIS contact email is the recovery mechanism for domain ownership. If someone takes over that email, they can request password resets, get auth codes, and steal your domain.
Best practice:
- Use a dedicated email for domain-related notifications (e.g. domains@yourcompany.com, notyou@gmail.com)
- Enable 2FA on that email account with a different secret than your registrar
- Don't share that email's credentials with anyone
- Don't use it for marketing signups (reduces phishing risk)
4. Use unique passwords (with a password manager)
If you reuse passwords, the day a website you signed up for in 2017 gets breached is the day someone tries that password against your registrar. Attackers have automation that does this at scale.
Use Bitwarden, 1Password, KeePass, or Apple Passwords. Generate a unique 20+ character random password for the registrar. Same for the WHOIS email account.
5. Lock the registrar dashboard further (if available)
Some registrars offer additional protection layers:
- REXO HOST: SMS confirmation for nameserver changes (operator review)
- GoDaddy: "Two-step verification" for sensitive actions (extra TOTP prompt at change time)
- Namecheap: "Notice of Domain Lock" email on every change
- Cloudflare: Hardware key (YubiKey) support — strongest protection if you can use it
How hijacks actually happen — the realistic threat model
Threat 1: Credential stuffing (most common)
Attacker has a database of leaked email/password combos from prior breaches. Tries them against major registrars. Hits — often because the victim reused a password.
Defense: unique passwords + 2FA. Renders credential stuffing useless.
Threat 2: Phishing the registrar account
Attacker sends a fake "Your domain is expiring" email with a login link. Victim enters credentials at the fake site. Attacker uses them at the real site.
Defense: bookmark the real registrar URL. Never click links in unsolicited domain-related emails. Verify the URL bar before entering credentials.
Threat 3: Phishing the WHOIS contact email
Attacker compromises the email account on WHOIS. Uses "forgot password" at the registrar. Gets a reset link. New password, takes over account.
Defense: 2FA on WHOIS email. Dedicated email for WHOIS contact (not your daily inbox).
Threat 4: SIM swap (rare but devastating)
Attacker convinces your mobile carrier to port your number to their SIM. Receives your SMS 2FA codes. Uses them to take over the registrar account, then the email account.
Defense: TOTP/authenticator-app 2FA, not SMS. Enable "port-out lock" on your mobile carrier.
Threat 5: Insider attack at the registrar (extremely rare)
A registrar employee with admin access takes over a domain. Mostly happens at small / disreputable registrars; major ones have audit logs and segregation of duties.
Defense: pick a reputable registrar. Use registrars with bug-bounty programs and public security practices.
What to do if your domain is hijacked
Time-critical. Every hour gives the attacker more leverage.
Step 1 — Document the evidence
Screenshot the WHOIS lookup showing the new owner. Save the URL of any redirect. Note the time you discovered it.
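Domain Lock (step 2 above) is visible from the outside as the EPP status "client transfer prohibited" in the domain's public WHOIS/RDAP record, and so are the nameservers and the real expiry date. That means you can verify the lock, catch a nameserver change early, and check an "expiring" email against the authoritative date without logging in anywhere. The following script is an added example, not REXO HOST's tooling: it audits an RDAP record for those three things. It assumes the RFC 9083 RDAP JSON layout (status values as mapped by RFC 8056) and uses the rdap.org redirector for live lookups; the two records embedded in it are constructed samples.

```python
"""Audit a domain's RDAP record for transfer lock, nameserver drift and expiry.

Added example; not REXO HOST's code. RDAP (RFC 9083) is the JSON successor to
WHOIS: "status" carries EPP statuses such as "client transfer prohibited",
"nameservers" lists objects with an "ldhName", and "events" carries dated
actions such as "expiration". Both records below are constructed samples.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Either of these EPP statuses blocks a transfer-out until it is removed.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}


def fetch_rdap(domain: str) -> dict:
    """Fetch the live record through the rdap.org redirector (needs network access)."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=10) as resp:
        return json.load(resp)


def _parse_ts(value: str) -> datetime:
    """Parse an RDAP timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_domain(record: dict, expected_ns: set, now: Optional[str] = None,
                 warn_days: int = 30) -> list:
    """Return findings for one record; an empty list means nothing looks wrong.
    `now` is an ISO timestamp for reproducible runs; default is the real clock."""
    findings = []
    current = _parse_ts(now) if now else datetime.now(timezone.utc)

    # 1. Transfer lock: the setting the article calls "Domain Lock".
    statuses = {s.lower() for s in record.get("status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("transfer lock is OFF: the domain can be moved to another registrar")

    # 2. Nameserver drift: the usual first visible sign of a hijack.
    actual_ns = {ns.get("ldhName", "").lower().rstrip(".") for ns in record.get("nameservers", [])}
    wanted_ns = {n.lower().rstrip(".") for n in expected_ns}
    if actual_ns != wanted_ns:
        findings.append(f"nameservers changed: expected {sorted(wanted_ns)}, got {sorted(actual_ns)}")

    # 3. Expiry: trust the registry's date, never an email's claim.
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            days_left = (_parse_ts(event["eventDate"]) - current).days
            if days_left < 0:
                findings.append(f"domain EXPIRED {-days_left} days ago")
            elif days_left < warn_days:
                findings.append(f"domain expires in {days_left} days")
    return findings


EXPECTED_NS = {"ns1.example-dns.net", "ns2.example-dns.net"}

# Constructed sample: healthy domain, lock on, nameservers as expected.
HEALTHY = {
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client delete prohibited"],
    "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.NET"}, {"ldhName": "ns2.example-dns.net."}],
    "events": [{"eventAction": "expiration", "eventDate": "2027-01-15T00:00:00Z"}],
}

# Constructed sample: what a hijacked domain looks like from the outside.
HIJACKED = {
    "ldhName": "example.com",
    "status": ["active"],
    "nameservers": [{"ldhName": "ns1.unknown-dns.invalid"}],
    "events": [{"eventAction": "expiration", "eventDate": "2027-01-15T00:00:00Z"}],
}

if __name__ == "__main__":
    for label, rec in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(label, audit_domain(rec, EXPECTED_NS) or ["OK"])
```

Run it on a schedule against `fetch_rdap("yourdomain.example")` with your own nameserver list and alert on any non-empty result; the findings list doubles as the timestamped evidence Step 1 asks for.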
Step 2 — Contact your registrar IMMEDIATELY
Call them, not just email. WhatsApp us at REXO HOST if it's a domain registered with us. Most registrars have a "domain dispute" process. They can freeze the domain if you can prove prior ownership.
Step 3 — Contact ICANN
If your registrar isn't responsive, ICANN has a Transfer Dispute Resolution Policy: icann.org/resources/pages/transfer-dispute-2012-02-25-en. File a dispute. Process takes weeks.
Step 4 — Law enforcement (for serious cases)
Domain hijacking is a federal crime in most countries. For high-value domains (worth >$10,000), file a report with FBI IC3 (US), CERT-In (India), or your local equivalent.
Step 5 — UDRP (last resort)
If the hijacker registered the domain in their name and you can't get it back through the registrar, file a UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaint via WIPO. Costs ~$1,500. Takes 2-3 months. Works for trademark-based claims.
Frequently asked questions
Is REXO HOST secure?
We require 2FA for staff accessing customer data. We log every change to a domain (transfer, nameserver, contact). Nameserver changes go through human review. Account creation is rate-limited. Standard hardening; nothing exotic.
What if I lose access to my 2FA device?
If you saved your recovery codes (you should), use one to regain access. If you didn't, contact us — we have an out-of-band identity verification process (we'll need to confirm your identity through other means: payment records, original signup email).
Can someone hijack my domain via DNS exploits?
Theoretically — in 2008 a Pakistani ISP's BGP announcement hijacked YouTube's traffic worldwide. Practically, it almost never happens at the registrar level for individual domains. The big risks are account compromise (above) and DNS configuration mistakes (you accidentally point the domain elsewhere).
Should I register defensive domains for my brand?
Yes. Register your brand on .com, .net, .org and any major TLD where confusion would cost you customers. ~₹1,300/year at REXO HOST for 3 TLDs. Cheaper than recovering one if a squatter grabs it.
Harden your account today
Login to REXO HOST → Profile → Security → enable 2FA. Then go through every other registrar account you have and do the same. 30 minutes; saves you a domain.