
08|03|2009 10:49 am EDT

BREAKING: First Ever Criminal Prosecution for Domain Name Theft Underway

by Adam Strong in Categories: Featured

Over the years hundreds of stories of domain name theft have been reported, the most famous among them of course being the theft of Sex.com. As recently as last week, reports of stolen domains sent a chilling reminder through the domain industry as valuable domains Before.com, Adios.com and others were stolen from Warren Weitzman. Until recently, there hasn’t been a case of a domain theft where the thief was caught and arrested. However, on July 30th, Daniel Goncalves was arrested at his home in Union, New Jersey and charged in a landmark case, the first criminal arrest for domain name theft in the United States.

In a similar fashion to the Sex.com theft, the events that led to Goncalves’ arrest involve a long back story, one that spans well over 2 years, and many players. Although insiders familiar with this case contend that Goncalves has stolen other valuable domains, this case centers on the theft and subsequent sale of the domain name P2P.com.

The Victims
In 2005, internet entrepreneur and domain name investor Marc Ostrofsky and attorney Albert Angel along with his wife Lesli Angel partnered to purchase the domain name P2P.com for $160,000 from a Wisconsin company, Port to Print Inc. The domain industry was heating up in 2005, as was the emerging peer to peer music business and the co-owners of the domain name saw a great deal of potential with this investment and future development of the domain.

Ostrofsky is a well-known investor in the domain space. His name was etched in domain name history with his 1999 sale of Business.com for $7.5 million and the multi-million dollar domain holding company, IREIT, that he helped form with investment backing from Howard Schultz and Ross Perot. Albert Angel is an attorney and former Justice Department prosecutor with a background in internet payment processing. Angel and Ostrofsky have known each other for over 25 years and have done business together in other ventures.

The Angels had already invested in a small portfolio of domain names including profreedom.com and drugoverdose.com (2 more domains reportedly stolen by Goncalves). As a nurse who dealt with teen drug abuse issues, Lesli Angel became interested in buying and building sites on domains in the late ’90s. Domains such as drugoverdose.com gave her a means to reach out to some of the same audience that she was already helping as a nurse. As the domain space heated up, Angel continued buying domains and built up a portfolio of around 800 domain names.

The Accused
Daniel Goncalves, the 25-year-old law firm computer technician arrested on Thursday, reportedly hacked into the Angels’ AOL email account and used that information to retrieve the login details for the Godaddy.com account that held P2P.com. Goncalves performed an internal “domain push” transfer, which in effect transferred the domain name to another Godaddy account that he owned. Goncalves reportedly also falsified Paypal.com transaction records in an attempt to cover his trail and make it appear that he had purchased the domain name for $1,500 from the Angels. The domain was listed in the name of Daniel Louvado during this time period (a bogus name consisting of Goncalves’ first name and his fiancée’s last name).

In late 2006, Goncalves put the domain name P2P.com up for sale on eBay.com and on September 24, 2006 the eBay.com auction for the domain P2P.com closed in the amount of $111,000.  The Angels pointed out to DNN that from their investigations Goncalves already owned his own home with a new inground pool being installed (in New Jersey?), drove a Lotus and Mercedes and was frequently bragging about his travels.

The Baller
Caught in the middle of this and claiming to be a “good faith” purchaser is Mark Madsen, NBA basketball player with the LA Clippers. Madsen is reportedly also a domain name investor and was the buyer of the P2P.com domain name on eBay.com.  Domaintools.com Whois history shows that Madsen took ownership of the domain name on February 28, 2007. Current whois records for the domain show that the domain name is protected with whois privacy protection, but according to insiders familiar with the case the current owner is still Madsen.  Madsen has been investing in domain names for years and has been linked to the user name thecollins2 in some domain name forums and the company Woodside Technology Group.

The Gatekeepers?
Godaddy.com is the world’s largest domain name registrar. With over 30 million domains being managed, it’s safe to assume the registrar has been faced with a few cases of domain name theft. The domain name P2P.com was registered with Godaddy.com and all evidence from whois history records points to the domain name being moved internally to a new account within Godaddy. The domain name now uses Godaddy’s whois privacy services to hide the ownership. According to the Angels, Godaddy stonewalled any efforts to investigate the theft and, in a final passing of the buck, the Angels say that Godaddy told them that they should have been better defended against hackers and must bear the risk. It’s clear that the domain name was pushed between 2 accounts. The Angels contend that subpoenaed Godaddy.com records reveal that the registrar knew that Goncalves was implicated in two other domain thefts at least one month prior to the P2P.com theft.

In many cases, intricate registrar contracts, safe-harbor laws and statutory exemptions protect domain name registrars from being held liable in domain theft cases. Cases like Kremen v. Cohen (Sex.com stolen) and  Solid Host v. Namecheap however have carved new paths in applying the law to cases involving registrars and domain name theft. The P2P.com civil and criminal cases will use these decisions and likely even lay new ground for future decisions.

The Professionals
Joshua Pelissero, a self-described legend in tracking domain thieves, was enlisted by the Angels to help unwind the events that happened after the domain theft and to find additional evidence of Goncalves’ online activities. Domain investor Richard Lau and Ellen Rony, an expert witness from the Sex.com case, were also tapped to help uncover more information about the case. The Angels, and more specifically Lesli Angel, have been tracking Daniel Goncalves and building up evidence for over 2 years. With the help of Pelissero, Lau, and Rony the pieces of the puzzle began to fall together and the evidence began to become clearer. Angel told us “this business is not for the faint of heart. You have to know what you’re doing and be educated.” With these pros backing up their efforts, the Angels made a great deal of progress.

The Case
In the Spring of 2007, the Angels took their case to prosecutors in both New Jersey and Florida. The investigation proceeded in Florida since the Angels are Florida residents; meanwhile the New Jersey police, where the accused resides, put their case on hold. Three months after taking the case, Florida prosecutors dropped it for “lack of evidence”. The only recourse left for the Angels was to pursue Goncalves through a civil action. They used the Freedom of Information Act to gather up the evidence from the Florida prosecutors’ investigations and continued in their vigilance, building up an even stronger civil case.

The civil suit against Daniel Goncalves and Mark Madsen was filed in November 2007 to retrieve the P2P.com domain name. After further discovery, the filing was amended in June of 2009 to include new defendants, Goncalves’ brother and wife (on RICO conspiracy grounds) and Godaddy.com (for negligence and contributory trademark infringement under Anti-Cyber Piracy statute). The civil suit is still ongoing, but as of Thursday Goncalves is also now facing criminal charges.

Months after the Florida prosecutors dropped the original investigation, Detective Sergeant John Gorman of the New Jersey State Police Cyber-Crimes Unit reviewed and reignited the P2P.com case, asking the couple if they would like to pursue it further. The Angels traveled to New Jersey and presented the mountains of evidence and findings that they had been accumulating over the last 2 years. In May of 2009 the NJ District Attorney approved the indictment and on July 30th Goncalves was arrested at his home and his computers seized.

According to the P2P.com theft victims, this marks the first time in the US that a domain name theft has resulted in an arrest. Detective Sergeant John Gorman of the New Jersey Cyber-Crimes Unit is responsible for reviving this case. Without his push to move this case forward it’s likely another domain theft would have just been left to be handled through a civil case. Albert Angel told DNN “these hackers basically thumb their nose at the legal system.” With the criminal prosecution moving forward, these cyber-criminals, who often taunt their victims with a brazen “what are you going to do about it” attitude, now may actually face the long arm of the law.

So why are these thieves escaping justice and why aren’t we hearing more about these cases?
Simply put: complications.

Cases of domain name theft have not typically involved a criminal prosecution because of the complexities, financial restraints and sheer time and energy involved. If a domain name is stolen, the victim of the crime in most cases would need experience with the technical and legal intricacies associated with the domain name system. To move the case forward, they would also need a law enforcement professional who understands the case or is willing to take the time to learn. For example, the Angels told us that in their case they called their local law enforcement in Florida, who sent a uniformed officer in a squad car to their home. The first thing the officer asked, as you can imagine, was, “What’s a domain?”.

Additionally, financial restraints play a major role. Oftentimes the rightful owners of these domains simply can’t justify the thousands of dollars in legal fees necessary to handle a case like this. Domains that don’t have the sort of value that a domain like P2P.com has in the aftermarket may still contain a value that only the original owner can appreciate. Good luck convincing a law enforcement professional that your domain name is valuable under those circumstances. It’s likely that many small business owners faced with this situation would simply give up. Lesli Angel told DNN “we’re fortunate enough to be in a position where we can go after the criminals . . .what if you weren’t in our position though?” Pelissero stated that most of the domains he has helped recover were owned by people who didn’t have the means, desire or knowledge to track down the thieves and get their domain name back. “I had a domain stolen from me before, so I know what it’s like to have that happen. It’s horrible and I was only out $10,000” said Pelissero. “This could happen to anyone and there really is no recourse especially for someone without financial means,” stated Angel.

Complicating the matter further is that domain names are globally traded assets, and jurisdiction muddies the waters. In this particular case, the domain name was stolen from a registrar headquartered in Arizona, the domain was owned by a Florida resident and the accused is a resident of New Jersey. Add to it that the domain registry is located in Virginia. Frankly, the owners were lucky that this all took place on US soil. Imagine how much more complicated a case like this could become if it involved international parties.

Attorney Paul Keating told DNN that most cases of domain theft recovery that he has dealt with have been complicated at best. The real problem stems from the fact that domain names aren’t considered property. “The laws do not specifically identify domains as property. That has been the subject of various court decisions. Not all courts have issued consistent decisions. For example, bankruptcy courts have no difficulty treating domains as property. The IRS treats domains as a form of intellectual property and allows amortization along the lines of a trademark though over a shorter period,” Keating said. Further complications come into play when we look at the rulings in different states. “California is believed to treat them as property after the Sex.com case but that was a federal decision interpreting California law. The Eastern District of Virginia (where the Verisign registry is headquartered) clearly holds domains to be the subject of a license and thus not property. I have been involved in various state-level cases seeking recovery of stolen names or trying to specifically enforce a domain purchase agreement in California and the courts have always honored the claim.”

Albert Angel summed it up well: “If your car is stolen and you demand its return from a subsequent purchaser for value, you recover your car in 50 states, on well-settled common law principles. Try to recover a stolen domain name, and you have a decent chance perhaps in one state (CA) but you have bought yourself an expensive, and legally uncertain lawsuit in most other states. Short of such laws being created on a Federal basis or by each State, any business owner could lose their domain name and website and never legally be able to retrieve it. Federal laws are needed to protect every company and individual domain name owner.”

These complications and hurdles however seemed to be no match for the vigilant Albert and Lesli Angel. In fact when talking to the victims, one realizes that the hacker who stole the P2P.com domain from this group couldn’t have picked a worse target. I’m sure if Goncalves knew he was going to be facing the challenge of a team consisting of Ostrofsky, a well-known and connected player in the domain space, Albert Angel, an experienced attorney and Lesli Angel, a vigilant former nurse who told us she “just can’t stand to see anyone suffering”, he may have reconsidered some of his actions.

When asked what drove their continued vigilance in pursuing this case for over 2 years Lesli Angel told DNN “Besides wanting our domain back, we want to carve a path for others. Let’s face it the legal system has not caught up with the growth of the internet. We hope the outcome of this case paves the way and makes it easier for victims of this type of crime. These guys are thieves! Why are they not being arrested? Why are they continuing to get away with this?”

Goncalves is now out of jail after posting $60,000 bond.  He will be facing at least 2 court cases soon and this time it’s not just a civil suit.  The NJ prosecutors intend to push forward with the criminal case and press for a felony conviction.  DNN will be following the case closely and provide updates as we receive them.

So, what do you think about this case?

  • Should a domain name registrar be held responsible for domains stolen from accounts?
  • Do we need new laws that protect domains and classify them as a form of property with certain protections?
  • Do we need reform in the current domain name registry contracts and ICANN policy which would also classify domains as property rather than a contract?
  • Who will be the overseer and enforcer of these new rules?
  • Lastly, what would you do if your most valuable domain name was stolen?

  • John

    Here’s my take on it all. Domain names can NEVER be property because they have to be RENEWED or else they die.

    You CANNOT compare a domain name to a HOUSE or LAND because if you own LAND then it is not going anywhere if you don’t RENEW it next year.

    What if we lived in a WORLD where once you purchase a domain name it is YOURS forever? Of course, it would cost MUCH more than $10 per year or Network Solutions crazy $35 per year. Well, that would never happen because the REGISTRARS need to get THEIR money every year.

    Everyone and their brother is buying domains, MOST of which never do anything with it, at least not on any kind of SUCCESSFUL scale. Why? Because it’s ONLY $10..

    Why are there so many useless parking page websites? Because they are only $10..

    Why oh why? Because it’s VIRTUAL baby! I can’t afford the life I live now but for $10 I can have a .com with 3 hyphens that makes no sense.

    Why have they SOLD so many .tels, .info’s, .booboo’s ? Because everyone wants a piece of this PIE that you can’t even put in your mouth. Because we are hoping for something VIRTUALLY that we cannot have in REALITY.

    What happens if someone owns a domain name then dies? Then their credit card that was set to auto-renew does NOT auto renew because the card is expired because of death.. All the years SPENT on building the site…down the drain and SCOOPED UP by someone that will put a parking page there and make 30 cents per click from Google. Just like that. No if’s ands or buts.

    DOMAINS ARE NOT REAL they are a figment of our imagiNETion.

    Domains need DEEDS and they need to be bought for life not for 365 day increments.

    And yes, I know you can buy them for up to 10 years but really who does that? You might EXPIRE BEFORE YOUR DOMAIN NAME DOES!!

    Domain Name Speculators are just that. They SPECULATE that they can place a worth on a location in cyberspace, the real final frontier. And who falls for this? People that USE AOL EMAIL ADDRESSES for important things like Domain Name registration!! For shame.. For “REAL”.. not virtually, for real!

    Now I am off to buy a hyphenated .info for $1.99 on special YAY!

  • http://i.m.fm/ Frank Michlick

    @Arlie: Thanks for the hint regarding the “share” plugin, we’ll upgrade it shortly and the new version does not use an application for twitter any more.

  • Know of him…

    John… the way I look at it is like this. Yes you have to renew a domain, but it can be property. Just like you may own land or a house, you have to pay taxes on it every year, and if it’s not totally owned yet, you have a mortgage. If you do not choose to do so, well we all know what happens there. The foreclosure market is huge right now thanks to issues like this. So in my perspective, a domain renewal every year is like paying land and property tax on what you own, which you also must do every year. It is something you purchased, and you can get rid of it or sell it just like any other item you may have in your possession. I think the rules on this just need to be explained and set in stone in great detail. Unfortunately this individual thought he could get away with something and apparently believed he was smarter than everyone else. Well sometimes you bark up the wrong tree…and he will get what’s coming. With those computers being seized, who knows what else they will find now. With all of this money rolling in, I wonder what kind of accounts it was put in and where they are. Being of Portuguese descent, I wonder if money was moved out of the US, and thus it can’t be touched, aka his expense account on vacations he “bragged” about. Massive tax evasion and all sorts of other little things will soon start to be added to the ever growing list of felonies. I would obviously hope they check his job record, wonder if he ever worked at or had a connection to a bank? I hope more details on this become leaked soon, this will be interesting to follow!

  • http://accuratespelling.com spenser

    In answer to the question:

    Should a domain name registrar be held responsible for domains stolen from accounts ?

    The answer is a resounding yes.

    Since a domain name cannot be physically transported out of the hands of the registrar for safekeeping, its safekeeping is in the hands of the registrar.

    This is analogous to securities left for safekeeping in a brokerage account. Not in a safety deposit box, but securities registered in street name and commingled with other customer securities.

    The brokerage is acting as custodian for the client, and it is well recognised that all financial institutions must act responsibly with respect to customer accounts.

    A domain name, being an accounting entry on some computer somewhere is no less an asset in safekeeping by a third party, in this case the registrar.

    In this particular case, it is especially troubling that it is suggested godaddy is not responsible even when it was wrongly transferred internally from customer a to customer b. In the brokerage example, that transfer would be revoked in a second.

    Why should domain registrars have any less responsibility in handling valuable assets?

  • Greg

    Spenser, your argument actually goes to support my point.

    If you electronically tell your brokerage service to sell your securities by logging into your account with your account username and password then they will do so. They will also move your account credit to another account if you’re logged in and you send that instruction.

    For example, if I log into my personal trading account and sell shares, then take the proceeds from that sale and transfer the money into another account then not only does my brokerage do that, but they’re obligated to do so.

    I think everyone here needs to remember that Godaddy didn’t do anything wrong here. Goncalves was able to log into the rightful owner’s account because he had their user name and password (which were stolen from a third party).

    Maybe AOL owed them a duty of care re: the mail account, but Godaddy did what was required of them.

  • Jeff

    Outstanding piece of reporting — well done!

  • Jeffery

    Some of these stolen domain names are worth millions of Dollar$, and it is the personal “property” of the owner. For the police, prosecutors, & judges to not go after and bring these thieves to justice, is not only dereliction of duty, but it’s downright criminal, and reeks of utter ineptitude. These domains have actual monetary value, and should be treated as property. Theft should be investigated, and prosecuted accordingly, based on the monetary values involved. Think of this, if somebody went to the homes of these ignorant, lazy, and downright useless “public servants”, and looted their homes, stole their identity, maxed out their credit, emptied their bank accounts, & drove off in their cars, what would happen? All that theft probably doesn’t even come close to the value of certain domain names right? Monetarily it’s actually “less” of a crime than the ones they aren’t prosecuting. But I guarantee there would be an investigation, and arrests, probably on a damn FEDERAL level. Why should domains be any different. Another thing I am curious about. You know how “Godaddy” owns/sells domains I guess? If you had the money, I mean, what is involved with creating/opening your own domain name site? Or “Registrar”? is it called? I would think that way you would be almost completely protected. I agree with *John August 5, 2009 @ 3:16 am EDT* about domains needing “deeds”. In lack of them though, would not my idea be as close to it as currently possible? Finally, what about buying domains for more than a year? Can it be done? Also do any domain companies (if not they SHOULD) have like…an automatic account renewal system, tied to your credit card? All in all something needs to be done. 10 years ago, maybe I could see this stuff going on, when the WWW was like the Wild Wild West. Untamed, full of unknowns, totally unregulated, etc, or automobiles at the turn of the century. Before traffic laws, and drivers license, etc. But guess what. The internet is not new anymore, and like cars, it’s here to stay. And this domain problem needs to be regulated and protected and there is no excuse what-so-ever for theft going unchecked. It’s probably because the powers that be, don’t care because it’s not “their” money being lost, or business ruined. I bet if somebody stole IRS.com, or federalgovernment.com etc, it would be a different story though right? Then again, those are probably “.org or .gov” but you get my point. Maybe we all need to lobby for and demand stronger protective domain name legislation.

  • http://level343.com/article_archive/ Gabriella

    Any “property” on the Net should be protected by the registrars. Make things simple, you buy the domain name through them they should ensure its safety. If the only option is legal recourse, or no budget we should continue to “self” police. This article is a fine example of how we can still control the Internet. Great article thanks!
