Cybercriminal takes ‘get rich click!’ advice too far

United States of America
Cybercriminal Daniel Goncalves has had the dubious honour of becoming the first person to receive a prison term for domain name theft. On July 22 2011 he was sentenced to five years in prison by the New Jersey State Superior Court after pleading guilty in a plea bargain arrangement that spared him a possible 15-year sentence. Goncalves had stolen the domain name ‘’, estimated to be worth between $160,000 and $200,000 at the time of the theft, and sold it via eBay for over $100,000 in a plot worthy of an airport novel.  
The domain name ‘’, which stands for ‘peer to peer’, was transferred in 2005 to LLC, a company formed by web entrepreneur and New York Times bestselling book writer Marc Ostrofsky, author of “Get Rich Click!, The Ultimate Guide To Making Money Online”, and the husband and wife domain name investment team Albert and Lesli Angel. Ostrofsky is listed in the “Guinness Book of World Records” for having bought the domain name ‘’ for $150,000 in 1995 and then selling it in 1999 for a world record $7.5 million. Lesli Angel, a nurse involved in teen drug abuse matters, holds an investment portfolio, along with her attorney husband, of over 1,000 domain names, including ‘’ (which was also allegedly stolen by Goncalves, but now appears to be back in her portfolio) and ‘’.
Daniel Goncalves, a 25-year-old law firm computer technician, apparently hacked into the Angels' email account in order to retrieve the login and password details for the GoDaddy account in which ‘’ was held. Goncalves then did an internal push of the domain name into an account he controlled, changing the registrant name to Dan Louvado in May 2006, and even going so far as falsifying emails to make it appear that he had bought the domain name via PayPal. He then attempted to transfer the domain name away from GoDaddy to another registrar, but was caught out by the 60-day registry lock. Nine days after the lock was lifted, Goncalves managed to move the domain name to a different registrar. He then waited out a new 60-day registry lock before listing the domain name for sale on eBay in September 2006. It was purchased by Mark ‘Mad Dog’ Madsen, an NBA basketball player, who was oblivious to the fact that the domain name was stolen, for $111,211.
It took a full year to realise that the domain name had been stolen, and it came to light only when a domainer brought certain irregularities on the ‘ website to the attention of the company. However, at the time, it seems that GoDaddy did not send out emails notifying customers of such changes, so the Angels would have had no notification whatsoever of any change in the domain name.
Once the theft was discovered, Lesli Angel spent the next couple of years meticulously building up a case against Goncalves with the help of Joshua Pelissero, a domainer with a special interest in hunting down domain name thieves who goes by the moniker of the ‘Legendary JP’. Once they had amassed enough evidence, in addition to filing a civil suit against both Goncalves and Madsen in November 2007, they took their case to the New Jersey Cyber Crimes Unit, which initiated an investigation in October 2008. On July 30 2009 Goncalves was arrested at his home and had his computers seized, and on December 13 2009 he pleaded guilty in the criminal proceedings to theft, theft by deception and computer theft.'s civil litigation suit against Goncalves and his company EliteHost LLC is ongoing; however, Mark Madsen, who counterclaimed against for malicious use of process and tortious interference and also cross-claimed against Goncalves for breach of contract, fraud and indemnification, was excluded from the case after he settled with, returned the domain name to them and assigned his claims against Goncalves to them.
The case sets an important legal precedent in the United States as, in certain states, such as California, a domain name is considered to be similar to a piece of real estate - meaning that, if it is stolen, the owner may have a remedy to have it returned (even though this may be a long and costly process). However, most other states, including New York and New Jersey, where the crime took place, have previously considered a domain name to be intellectual property, making legal action more difficult. In addition, tackling domain name theft requires specialised knowledge of the domain name system on the part of police officers and lawyers, which is usually not the case.
In spite of additional security measures being implemented by some registrars, domain name theft appears to be an ongoing problem and even a simple search on the internet will bring up detailed guides to hijacking domain names. The problem was last studied in detail by the Security and Stability Advisory Committee of the Internet Corporation for Assigned Names and Numbers (ICANN) in its 2005 report “Domain Name Hijacking: Incidents, Threats, Risks, and Remedial Actions”. The report enumerated 10 findings, the ninth of which stated as follows:
"The Inter-Registrar Transfer Policy incorporates formal dispute mechanisms. These were not designed to prevent incidents requiring immediate and coordinated technical assistance across registrars. Specifically, there are no provisions to resolve an urgent restoration of domain name registration information and DNS configuration."
Since then, ICANN's Inter-Registrar Transfer Policy (IRTP) Policy Development Process Working Group has gone on to recommend, in its report of May 2011 to the GNSO Council, that registrars should be obliged to create a Transfer Emergency Action Contact, who would be required to provide a human (rather than automated) response to alerts within four hours. This contact would facilitate communications between registrars in emergency situations and, if necessary, reverse domain name transfers. The report proposes that the conversation between these emergency contacts be monitored by ICANN and that failure to respond to a notification could result in reversal of the transfer and even loss of ICANN accreditation by the registrar at fault.
The creation of a Transfer Emergency Action Contact, along with the raft of other preventative measures recommended in the Working Group's report, would go a long way to bolstering the security of the domain name system and would help to avoid costly legal wrangles, such as those over ‘’ and the infamous ‘’ case. As such, we can only hope that they are implemented as soon as possible. In the meantime, companies would be well advised to minimise the risk of domain name theft by using registrars with solid security procedures and making sure that contact email addresses used to register domain names are kept up to date and regularly monitored.
David Taylor, Cindy Mikul and Jane Seager, Hogan Lovells LLP, Paris
