How do I get my stolen domain back? Support #2574086

In June on this year a Cloudflare account requested me to point my domain to his Cloudflare DNS.

He mentioned that I should direct my domain from the business who has been managing my domain for the past four years, to the above mention DNS.

He did not explain that in doing that he will take ownership of my domain. He just mentioned it was for ease of making the website.

The user abused of his technical knowledge to gain full access to my domain and take hold of my website.

I paid him for the making of my website, which he never completed, now that I requested my money back he has placed an infamous photo on my website as a way to harass and sabotage my business.

Not only has this abusive and intrusive action caused serious damage to my business image it has made me question cloudflares security measures as I have yet to receive a resolution to this matter even though I am a paying customer.

1 Like

I am sorry to hear that it is such an unpleasant situation that brings you to the Cloudflare Community. I will help as much as I am able to.

You mentioned that you were asked to point to Cloudflare DNS. Can you confirm if that is something that you did with your existing domain registrar, such as GoDaddy, NameCheap, or other similar providers? What I am trying to determine her is whether you transferred your domain registration to the Cloudflare registrar, or if you are simply using Cloudfare DNS.

If you still have access to your domain registration at your registrar, you can update the nameservers to ones other than those controlled by the third-party you referenced.

If you are able to share the domain name, Community members can look up information for. If you prefer not to disclose it, I understand. You are working through a difficult situation.


Thank you for your thoughtful message. Yes I did this through wix who owned my domain for the past five years. But wix can no longer do anything because they confirmed that Cloudflare owns my domain now. The contradiction here is that Cloudflare owns my domain registration yet they are the ones asking for the registration information. I do not have the registrar account since this is the first time I am setting up an account with Cloudflare due to the hacking of my domain by a Cloudflare user. Cloudflare has my domain registrar information they need to provide this information for me to resolve this issue. This system doesnt allow me to post domain name but I have a dot com domain name: tonaua. The hacker has the domain dot com also 231e and sitiowebcr his ip addresses point to Cloudflare.

Anything anybody can do to help I would appreciate.


I wish I could tell you that you are not in a difficult situation and that there is an easy solution available for you. Unfortunately you are in a position where the only choices you have are going to be hard decisions between no attractive options.

The only option that doesn’t involve lawyers or law enforcement is the one where you decide the domain isn’t worth the expense, and you just walk away from it and pick out a new domain name. Depending on how much your lawyer charges, fees could easily run into tens of thousands.

While you can attempt to involve law enforcement, I expect you will be disappointed with how that plays out. Your damages are unlikely to cross the threshold required for an investigation.

If any Cloudflare staff or Community members know of an alternative that doesn’t involve the use of a lawyer to prove ownership of the disputed domain, hopefully they will share it. Otherwise, the only option I know of that involves a chance of recovering the domain name is to lawyer up, preferably with one experienced in intellectual property and technology law.

I am genuinely sorry that find yourself in this position and I wish I could present more appealing forecast.

1 Like

Thnks for your insight, I will follow up with the authorities as what the vendor did is totally ilegal. I may even sue him if necessary, however, I Cloudflare should I have contacted other webhosting businesses and according to them, what I did which is change the nameserver on my domain registrar was a totally normal activity. How or why did my domain end up in Cloudflare as my new registar is something that cf needs to resolve, as they are supposed to be an online security company. They cannot allow just anyone to take ownership of my domain without proper verification first. I will also have authorities contact Cloudflare directly as they need to respond to my case and not ignore me just because I do not have a 4 K a month subscription. I am paying them a monthly fee still and they need to respond.

In the process of “changing the nameservers” this person fooled you into approving transfer of the domain registration to him. His assumption is that it won’t be worth it to you to pursue him through legal channels.

You should investigate the WIPO UDRP process, which is designed to resolve domain name disputes. If you have documents that back up your claim, this should be relatively simple, but might cost you $1,500.


The first thing you should do is confirm some information by checking the domain name in ICANN Lookup

What is displayed there? e.g who is the registrar of record? and what name servers are showing?

Do you have an active Cloudflare subscription in a Cloudflare account with this domain?

Hi Kyle-k, Everything points to the account being registered on Cloudflare. They appear as the registrar and the name servers there belong to Cloudflare.

The domain hijacker asked me to change my name server so he can work on my website (the reason I hired him). I don’t yet understand how transfer of my domain happened when all I did was change the nameserver on my end. I never gave Cloudflare permision for anything else, in fact I didn’t even own a Cloudflare account when this happened.

In order for the domain to be transferred, an auth code must have been generated at the old registrar and input in the Cloudflare account after the nameservers were changed.

To be honest in this medium here we’re never going to really be able to spend enough time with you to figure it out.

But essentially anything is possible given that you delegated name servers to someone that you thought you could trust and it’s quite possible that they have hijacked your domain name as a result.

Yeah this is some good information as well and was actually what I was going to inform you of next.

The transfer process involves a code that you have to give to the gaining registrar in this case Cloudflare referred to as a “EPP Code” sometimes also called a “Domain Password”.

This plus the domain name allows anyone to start the transfer process, once the transfer is started emails are sent letting you know that there’s a transfer in process and that you need to approve the transfer or it will be completed in a certain amount of days.

I will check your correspondence with your registrar of choice the one that you used originally to see if you have any such emails and talk to them you should also check to see if the domain name is in the 60 day transfer hold by using the ICANN Lookup tool that I provided earlier by checking the various status codes listed there.

You should be in touch with your previous registrar as well as Cloudflare if this ticket with support is not proceeding forward you should probably reach out to the email for the registrar listed when you did that lookup and contact Cloudflare legal.

Explain what’s happening right now stay calm and coolheaded and provide any evidence on correspondence that you have to your registrar and Cloudflare from this third party.

Now: insight to some things that may have gone completely wrong and allowed this to happen. When you re-delegated the name servers and your DNS control to this third-party.

They pretty much controlled the domain name in regards to web and email traffic. If you use domain name based email and have your previous registrar account using that email password reset and off we go. Into this malicious third-party’s hands.

There’s other scenarios as well we’re controlling email could’ve been used to allow for hijacking of the domain.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.