Back to blog
Infrastructure

What Is Domain Hijacking? How It Works and How to Prevent It

Domain hijacking is when an attacker takes control of your domain name without your consent. It can knock your site offline, redirect your users to malicious pages, and intercept your email. Here's how it happens and how to stop it.

Theo Cummings · April 20, 2026 · 10 min read

In January 2020, a popular cryptocurrency exchange lost control of its domain for several hours. Attackers rerouted the domain to a phishing page, intercepted login credentials from thousands of users, and drained wallets before the team even knew what was happening. The exchange had no domain monitoring configured. Nobody noticed the DNS records had changed.

Domain hijacking doesn't require breaching your servers. Attackers target the domain registrar - the system that translates your domain name into the IP addresses your servers run on. When they control that, they control everything built on top: your website, your email, your subdomains, your SSL certificates.

What Domain Hijacking Is

Domain hijacking occurs when an attacker gains unauthorized control of a domain name and redirects it to infrastructure they control. The owner's servers are untouched. The attacker works at the DNS layer, above the application.

From the outside, a hijacked domain looks identical to a legitimate one. Users see the same URL. Browsers show HTTPS. The only difference is where the traffic goes.

The window between when a hijack succeeds and when the owner detects it averages over four hours, according to CISA incident data. In high-traffic domains, four hours of redirected traffic is enough to cause serious harm.

How Domain Hijacking Happens

Registrar account compromise

The most common attack vector. An attacker gains access to your domain registrar account (GoDaddy, Namecheap, Cloudflare Registrar, etc.) and changes the nameservers or DNS records to point at infrastructure they control.

They get registrar access through:

  • Phishing - a convincing fake email from "your registrar" asking you to verify account details
  • Credential stuffing - trying username/password combinations leaked from other data breaches
  • SIM swapping - hijacking your phone number to receive SMS 2FA codes, then resetting your registrar password
  • Social engineering - calling registrar support and convincing them to transfer account ownership

Expired domain squatting

When a domain expires and nobody renews it, it goes through a grace period, then a redemption period, then drops back into the available pool. Attackers use automated tools to monitor for expiring high-value domains and register them the instant they become available.

If your domain expires because a credit card failed or a registrar email went to spam, an attacker can register it before you do. At that point, they own it - and you have limited legal recourse in most jurisdictions.

DNS record modification

An attacker with access to your DNS management panel can change individual records without touching the domain registration itself. They modify:

  • A records - pointing your root domain to their IP
  • MX records - redirecting your email to a server they control
  • CNAME records - redirecting subdomains (e.g., mail.yourdomain.com, api.yourdomain.com)
  • NS records - pointing your entire domain to nameservers they control

MX record changes are particularly dangerous. They can intercept your email silently, including password reset emails for other services.

Transfer authorization theft

Domain transfers require an authorization code (also called an EPP code or auth code). This code is supposed to be secret, but attackers obtain it by:

  • Compromising the registrar account
  • Social engineering registrar support
  • Intercepting the authorization email if your registrar account email is also compromised

Once they have the auth code, they can transfer your domain to a different registrar they control, making recovery much harder.

BGP hijacking (advanced)

Border Gateway Protocol is the routing protocol that directs internet traffic. In a BGP hijack, attackers announce fraudulent routing paths that redirect traffic to their infrastructure at the network level - without touching your DNS records at all. This is harder to execute but also harder to detect. It affects IP blocks, not individual domains, and typically requires either a compromised ISP or a sophisticated attacker.

Real-World Examples

YearTargetMethodImpact
2019Brazilian banksDNS hijacking via registrar compromise5 hours of redirected traffic, credentials harvested
2020Cryptocurrency exchangeRegistrar account phishingPhishing page deployed, wallets drained
2021NIC.ir (Iran TLD)Registrar system compromiseMultiple government sites hijacked
2022Web3 platformsDNS record modification via Cloudflare breachFrontends redirected to drainers
2024SaaS platformsExpired subdomain takeoverCustomer data exposed via orphaned DNS records

The Consequences

User-facing

Your website serves whatever the attacker wants: phishing pages, malware, cryptocurrency drainers, fake login forms collecting credentials. Users have no way to know they're not on your real site - the URL is correct and HTTPS is active (attackers obtain their own SSL certificates for your domain after hijacking it).

Email interception

Changed MX records mean the attacker receives your email. This includes:

  • Customer inquiries with sensitive information
  • Password reset emails for services linked to your domain email
  • Internal communications if your company email runs on the domain
  • Vendor invoices that can be intercepted for business email compromise attacks

SEO damage

Search engines crawl the hijacked site. If it serves spam, malware, or redirects, Google deindexes the domain. Recovering lost rankings takes months after reclaiming the domain.

SSL certificate issuance

Certificate Authorities issue SSL certificates based on domain validation - proving you control the domain. An attacker who controls your DNS records can pass domain validation and obtain a legitimate certificate for your domain. Tools like Certificate Transparency logs (crt.sh) exist specifically to let domain owners detect unauthorized certificate issuance.

How to Protect Your Domain

1. Enable domain lock (Registry Lock)

Domain registrars offer a "transfer lock" or "registrar lock" that prevents unauthorized transfers. Enable it. Some registrars also offer Registry Lock - a higher-security lock administered through the domain registry itself (not just the registrar), which requires out-of-band verification to modify.

Most registrars enable transfer lock by default, but verify yours is on.

2. Use strong registrar account security

  • Enable multi-factor authentication (TOTP-based or hardware key, not SMS)
  • Use a dedicated email address for your registrar account that isn't published publicly
  • Use a strong, unique password stored in a password manager
  • Remove team members who no longer need access

SMS-based 2FA is better than no 2FA, but SIM swapping makes it vulnerable. Hardware keys (YubiKey) or authenticator apps are more resistant.

3. Set up DNS monitoring

DNS record changes are the early warning signal of a domain hijack. If your A records or MX records change unexpectedly, you need to know within minutes - not hours.

Manual monitoring (logging in to check periodically) doesn't work. The time between record change and detection is too long for manual processes.

Automated DNS monitoring tools check your DNS records on a schedule and alert you when anything changes. Vantaj's DNS monitoring checks your records every 1-5 minutes and sends an immediate alert if an A record, CNAME, MX record, or nameserver changes unexpectedly.

4. Enable DNSSEC

DNS Security Extensions (DNSSEC) adds cryptographic signatures to DNS records. A DNSSEC-validating resolver rejects responses that aren't signed with the correct keys, making DNS spoofing and certain hijacking techniques much harder.

DNSSEC doesn't protect against registrar account compromise, but it prevents attackers from injecting fraudulent DNS responses that bypass your actual DNS records.

5. Use DMARC, DKIM, and SPF

These email authentication standards don't prevent domain hijacking, but they limit what attackers can do with your domain if they're trying to send email impersonating you - and they're worth having regardless.

DMARC with p=reject tells receiving mail servers to reject emails that fail DKIM or SPF validation. An attacker who changes your MX records to receive your email won't be able to send authenticated email from your domain.

6. Monitor certificate transparency logs

Every SSL certificate issued for your domain gets logged in public Certificate Transparency logs. Tools like Facebook's Certificate Transparency Monitoring or crt.sh alert you when a certificate is issued for your domain.

If you see a certificate issued by Let's Encrypt for yourdomain.com and you didn't request it, that's an active hijack in progress.

7. Set auto-renewal with updated payment details

Expired domains are the simplest vector. Make sure:

  • Auto-renewal is enabled on every domain you own
  • Payment methods are current
  • Renewal confirmation emails go to a monitored inbox, not a personal inbox that might be abandoned

Add domain renewal dates to your calendar as a secondary reminder. Registrar emails go to spam. Calendar reminders don't.

8. Keep WHOIS contact information current

Registrars send important security and renewal communications to the email address in your WHOIS record. If that address is outdated - a former employee's inbox, a defunct email alias - you won't receive them.

Audit your WHOIS data annually.

What to Do If Your Domain Gets Hijacked

Act immediately. Every minute of delay is more user harm.

  1. Contact your registrar's security team - not standard support. Most major registrars have a dedicated abuse/security line. Explain the hijacking and request emergency lock.
  2. Document everything - screenshots of DNS records, WHOIS data, any notification emails. You'll need this for dispute resolution and potentially for law enforcement.
  3. Check if the transfer was initiated - if an attacker started a domain transfer to a different registrar, there's typically a 5-day window to cancel the transfer. Act before it completes.
  4. Change all passwords - your registrar account was compromised. Change the password and revoke all sessions. Change the password on the email account linked to the registrar.
  5. Notify your users - if the hijacked domain served phishing content or collected credentials, your users need to know to change their passwords. Delayed disclosure makes the harm worse.
  6. File a UDRP complaint if the domain was transferred - the Uniform Domain-Name Dispute-Resolution Policy is the standard mechanism for recovering hijacked domains from uncooperative registrars.
  7. Report to CISA (US) or your national cybersecurity agency - domain hijacking that affects critical infrastructure is reportable. They can sometimes facilitate faster recovery.

Detection: The Timeline That Matters

Time since hijackWhat happens
0-5 minDNS change propagates to some resolvers
5-30 minMost resolvers cache the new records
30 min - 4 hrsUsers start hitting the attacker's infrastructure
4 hrs (avg)Owner detects the hijack without monitoring
4 hrs+Significant user harm has occurred

With DNS monitoring that alerts on record changes, detection happens in minutes, not hours. That window is the difference between catching a hijack before users are exposed and cleaning up after a credential breach.