What is Domain Hijacking?

Domain hijacking is the theft of a domain name itself — an attacker gains control of the registrar account or transfers the domain away, then owns the name outright. Unlike attacks that merely tamper with records, hijacking hands over the domain at its source, so the legitimate owner can lose their website, email, and brand in a single move.

What is domain hijacking?

Domain hijacking (also called domain theft) is the unauthorized takeover of a domain name at the registrar level. Rather than tampering with individual records, the attacker gains control of the registration itself — through the registrar account or an unauthorized transfer — and becomes the effective owner of the name, along with the website and email that depend on it.

It is worth separating this from DNS hijacking. DNS hijacking subverts how your domain resolves so traffic is redirected, but the domain still belongs to you. Domain hijacking takes the domain out of your hands entirely, which usually makes recovery slower and more painful.

How domain hijacking happens

Most hijackings come down to control of the registrar account or the transfer process:

  • Registrar account compromise — the attacker logs into your registrar using a phished, reused, or breached password and changes the registrant details or nameservers from the inside.
  • Social engineering — the attacker impersonates the owner to registrar support, persuading staff to reset credentials or approve a change without proper verification.
  • Unauthorized EPP transfer — using a stolen authorization (EPP) code, the attacker initiates a transfer of the domain to a registrar they control. Once the transfer completes it can be hard to reverse.
  • Expired-domain snatching — a domain that lapses because a renewal was missed can be picked up the moment it drops, sometimes by automated back-ordering services.

The impact of a stolen domain

  • Total loss of web presence — the attacker can repoint nameservers and serve their own content, or take your site offline entirely.
  • Email interception — control of the domain means control of its mail records, so inbound email and password resets can be diverted.
  • Brand and trust damage — a hijacked domain may be used for phishing or fraud carried out under your name.
  • Slow, costly recovery — reclaiming a transferred domain can involve registrar disputes or formal recovery processes that take days or weeks.

How to prevent domain hijacking

  • Lock the domain — enable the registrar transfer lock (clientTransferProhibited) so no transfer can proceed without you unlocking it first. ZoneWatcher's domain lock monitor alerts you if that lock is ever removed.
  • Secure the account — enforce two-factor authentication and a strong, unique password on the registrar login, and protect the email address tied to the account just as carefully.
  • Guard the renewal date — enable auto-renew and watch the expiry so the domain never lapses. The WHOIS expiry monitor warns you well before a domain is due to expire.
  • Protect the EPP code — treat the transfer authorization code as a secret, and rotate it if you suspect it has leaked.

This fits into the wider checklist in DNS security best practices.

How to detect a hijack early

The most dangerous window is the gap between a domain being taken and anyone noticing. Continuous monitoring shrinks that gap. Domain registration monitoring tracks the lock state, transfer status, expiry date, and nameservers on your domains and alerts you the moment any of them change — giving you a chance to intervene with your registrar before a transfer completes.
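The change detection described above can be sketched as a diff between two registration snapshots. This is an added example, not ZoneWatcher's code: it assumes the snapshots are RDAP domain objects (RFC 9083) that have already been fetched, and the function names, the 30-day warning threshold and the sample data are constructed for illustration.

```python
from datetime import datetime, timezone

# RFC 8056 maps the EPP status clientTransferProhibited to this RDAP value.
TRANSFER_LOCK = "client transfer prohibited"
PENDING_TRANSFER = "pending transfer"

def summarize(rdap):
    """Reduce an RDAP domain object to the fields worth watching."""
    expiry = next((e["eventDate"] for e in rdap.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    names = {n["ldhName"].lower().rstrip(".") for n in rdap.get("nameservers", [])}
    status = {s.lower() for s in rdap.get("status", [])}
    return {"status": status, "nameservers": names, "expiry": expiry}

def diff_snapshots(old, new, now, warn_days=30):
    """Return alert strings for changes between two RDAP snapshots."""
    a, b = summarize(old), summarize(new)
    alerts = []
    if TRANSFER_LOCK in a["status"] and TRANSFER_LOCK not in b["status"]:
        alerts.append("transfer lock removed")
    if PENDING_TRANSFER in b["status"] and PENDING_TRANSFER not in a["status"]:
        alerts.append("transfer pending")
    if a["nameservers"] != b["nameservers"]:
        alerts.append("nameservers changed: %s -> %s" % (
            sorted(a["nameservers"]), sorted(b["nameservers"])))
    if a["expiry"] != b["expiry"]:
        alerts.append("expiry date changed")
    if b["expiry"]:
        # RDAP dates are RFC 3339; normalise a trailing Z for fromisoformat.
        exp = datetime.fromisoformat(b["expiry"].replace("Z", "+00:00"))
        days = (exp - now).days
        if days <= warn_days:
            alerts.append("expired" if days < 0 else "expires in %d days" % days)
    return alerts

# Constructed snapshots of example.com taken a day apart (not real registry data).
EXPIRY = [{"eventAction": "expiration", "eventDate": "2025-01-20T00:00:00Z"}]
BEFORE = {"status": ["client transfer prohibited"], "events": EXPIRY,
          "nameservers": [{"ldhName": "NS1.EXAMPLE.NET"}, {"ldhName": "ns2.example.net"}]}
AFTER = {"status": ["pending transfer"], "events": EXPIRY,
         "nameservers": [{"ldhName": "ns1.example.org"}, {"ldhName": "ns2.example.org"}]}
NOW = datetime(2025, 1, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in diff_snapshots(BEFORE, AFTER, NOW):
        print("ALERT:", alert)
```

Nameservers are compared case-insensitively and without a trailing dot, so a registry that changes only the casing of a hostname does not raise a false alert.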
