Hackers Stole My Website…And we Pulled Off A $30000 Sting Operation To Get It Back

<!– –>

This post originally seemed on RamschackleGlam and is republished here by permission.

For several days not so prolonged ago, RamshackleGlam.com — the domain name that we have owned and operated given Mar of 2010 — did not go to me, yet rather to a male who goes by a name “bahbouh” on an auction website called Flippa, and who was attempting to sell off a site to a top bidder (with a “Buy It Now” cost of $30,000.00). He betrothed a leader my traffic, my files, and my data, and suggested that we was accessible “for hire” to continue essay posts (alternatively, he was peaceful to yield a leader with “high-quality articles” and “SEO advice” to contend a site’s trade post-sale).

I schooled that my site was stolen on a Saturday. Three days after we had it back, yet usually after a impasse of fifty or so employees of 6 opposite companies, middle-of-the-night conferences with lawyers, FBI intervention, and what amounted to a prick operation that substantially should have starred Sandra Bullock instead of…well…me.

Of march I’ve listened of temperament theft, and of cyber hacking, yet honestly, my opinion towards these things was unequivocally many “it could never occur to me.” And even if it did…I didn’t accurately know since it was such a outrageous deal. Couldn’t we usually explain to people what had happened, infer who we were, and arrange it all out? We live in such a rarely documented world, it seemed totally unfit to me that someone could indeed get divided with sanctimonious to be someone else with any genuine consequences over a few phone calls and some irritation.

It’s much, many worse — more threatening, some-more upsetting, and some-more formidable (if not impossible) to fix — than I’d ever imagined.

I found out about a hacking from my father. His crony Anthony (who runs a web growth and consulting association called ThoughtBox) had been surfing around on Flippa and had — in an impossibly propitious coincidence — noticed that my site was adult for auction, with what seemed to be a rarely questionable listing. Suddenly, we remembered a email we had gotten a day before — an email that we had overlooked as spam — from someone “interested in a purchase” of my “weblog.” we remembered a presentation from YouTube that someone had accessed my comment from a opposite location — a presentation we had ignored, presumption that we had logged in on a mobile device or that my father had incidentally logged into my comment instead of his own.

But even after we saw a listing, we didn’t panic: this seemed like something that could be bound with a integrate of emails. Except a auction site was located in Australia and didn’t seem to have a phone number, and when we sent an email with a scanned ID and explanation of tenure what we got behind was a form letter. And when we called HostMonster, a site we compensate to work my website, we detected that we was no longer a owners of my site: someone had used their email acknowledgment complement to sanction a send of my domain name into a private comment during GoDaddy (another web registrar use of whom I’m also a client).


If we have a business that depends on a URL, we know since this was such upsetting news: With control over my website’s domain name, a hacker would be means to take a site down, or route it elsewhere. Further, it was after accurate that a hacker had control over all of a site’s content, as well; he could have usually rerouted all I’ve ever combined to any plcae he wanted.

Ramshackle Glam might be “just” a lifestyle blog about things like parenting and conform and decor…but it’s also a site that I’ve spent 5 years of my life building, and a suspicion of it descending into a hands of someone with antagonistic vigilant was heartbreaking. we could switch to a new URL and trade a duplicate of my calm (which we do behind up), yet that would outcome in a detriment of a estimable volume of traffic. The website is my primary source of income, and with a house, two children, a book entrance out, and a husband in business school, this was not a joke. The detriment of my URL had a intensity to be harmful for my business and for my family in a unequivocally genuine way.


The events of a subsequent few days were complicated, so rather than go by them chronologically I’m going to explain how any trail we took finished adult panning out (I’m going into fact so that we can be as many assistance as probable to anyone who goes by this themselves).

1. we attempted to solve a conditions directly with GoDaddy and HostMonster. This did not work.

From Sunday by Tuesday, we spent many of a day (and many of a night) on a phone with GoDaddy, HostMonster, or both during a same time, and scarcely any chairman we spoke with gave me a same response: “Sorry, can’t assistance you.”

HostMonster confirmed that since they no longer tranquil a domain name, there was zero they could do. GoDaddy confirmed that since a comment was private and a chairman had performed tenure of a domain by a send from HostMonster, there was zero they could do.

What finally finished a difference: we cited ICANN’s process on Domain Name Dispute Resolution.* This got my box upgraded, yet it did not outcome in action.

Here’s why: a authorised dialect during HostMonster sensitive me that in sequence for them to trigger a send brawl that would outcome in GoDaddy releasing a domain behind to me, their “internal investigation” would have to spin adult justification that they had finished something wrong in releasing a site. In other words, they would have to acknowledge that they had screwed up…which would in spin open them adult to a lawsuit.

Needless to say, we never listened from a authorised dialect again. Despite a fact that everybody seemed transparent on a fact that we owned my website and that it had been eliminated yet my authorization, zero was going to be finished unless we instituted a time-consuming and dear lawsuit that, in any case, would not outcome in movement discerning adequate to save my domain name from being sold.

So that entrance came to an end.

2. we called a FBI. This was a vital step in a right direction.

The morning after we found out about a unapproved transfer, we also called a FBI. we felt stupid and thespian creation a phone call, yet a existence is that this is an ubiquitous cyber crime issue, and that’s FBI territory. And this is my business. It’s how we support my family, and it might be a “small matter” in a grand intrigue of things, yet it is not a tiny matter to me.

And let me tell you: of all a surprises I’ve had over a past week or so, many startling of all has been a FBI. They responded immediately, with follow-up phone calls and emails, an in-person talk with dual special agents during my possess home within 24 hours, and a follow-up revisit from dual agents yesterday. Beyond that, any and any representative we have interacted with over a past week has been, yet fail, compassionate, thoughtful, invested, respectful, and committed to action…in further to treating me not like a box number, yet like a human.

FBI Agents

What we approaching was to leave a summary with a ubiquitous mailbox and during some indicate accept a form letter; we positively did not design to see an active review non-stop immediately. I’m not going to write some-more about a review since it’s still ongoing (although we did ask for and accept accede to write about this), yet we consider it’s critical to contend how positively blown divided we have been by a FBI’s response.

3. we attempted to recover control by traffic directly with a “seller”. This worked, yet not yet substantial drama.

While all of a above was going on, we was also operative to recover control over a site directly from a particular who was perplexing to sell it.

I didn’t wish to hit a “seller” directly, since we felt that if he suspicion a “real” owners of a site was wakeful of a sale, he would try to extract some-more money. So we asked Anthony — the chairman who had found a strange listing, and who had an active comment with a certain story on Flippa — to DM “bahbouh” to see if he was meddlesome in a “private sale”. After some back-and-forth we reached an agreement, and it was motionless that a third-party money-transfer website (Escrow.com) would be used to make a sale: a income would usually be expelled to a seller on acknowledgment that a domain name had been transferred.

This seemed to be going uniformly until Tuesday night, when a seller unexpected demanded that a supports be expelled immediately (prior to receipt of a website). When we pushed back, he announced that he was offered it to someone else: “Sorry, bye.”

So here was my suspicion process: if we did not recover a income to a seller, we were guaranteed to not get a website. If we did recover a income to him, there was a probability that he would take a income and run, and also a probability that he would broach a site as promised. It wasn’t a play we wanted to take…but we didn’t see any option. And so we certified a hoop transfer.

I spent twenty mins sitting in front of a manikin GoDaddy comment we had combined to accept a domain name from a seller, watchful to see possibly we was out thousands of dollars and a domain name, or usually thousands of dollars.

And afterwards it came through.

I immediately eliminated a domain into a opposite comment and placed it (and all of my other domain names) on what amounted to lockdown. And afterwards we called a hoop send association and placed a stop on a payment.


RamshackleGlam.com is behind in my possession, interjection to a series of people who dedicated hours (in some cases days) out of their lives to doing whatever they could to assistance me. My other accounts — bank accounts, et cetera — have been secured. we don’t have my income behind yet, yet a male who stole my site from me doesn’t have it, either, and won’t be removing it, ever.

And that’s an finale I’m flattering damn anxious with.


Of march I’m indignant with a chairman or people who stole a site, yet that’s out of my hands. The reason I’m essay this post is to let people know that this unequivocally can happen — to anyone — and to offer suggestions for how to minimize a chances that it will occur to we (below), yet over that, I’m essay this post since this occurrence finished me very, unequivocally indignant during GoDaddy and HostMonster. And we wish we to know why.

No one during possibly association questioned my matter (supported by combined proof) that a website belonged to me. No one doubted that it had been eliminated yet my authority. And nonetheless we had to spend days — days during that a hacker could have finished probably anything he wanted — trying to strech one singular chairman who was means to do anything, since a support staff and supervisors we spoke with (who had to have numbered fifty or more) were totally uninformed as to how to hoop this conditions over saying, “Jeez, that sucks. Can’t assistance you.”

And once we reached people who could assistance me — who could literally make a singular phone call or pull a singular symbol and lapse my skill to me (or simply solidify it so that it could not be sole or destroyed) — they would not. They hid behind their authorised departments and refused to do anything, meaningful full good that their inaction would force me to possibly correlate with and compensate off a criminal, or remove an essential member of my business.

And hackers know that these companies will do this.

They rest on it.

There is a critical problem when a rapist craving not usually exists “despite” a company’s policies, yet indeed thrives as a approach outcome of that company’s prioritization of their possess interests over a confidence of a clients they allegedly “protect”. Do we know since companies like HostMonster and GoDaddy are focused on safeguarding themselves opposite lawsuits? Of march we do. But a fact is that they not usually do not “help” their customers, yet actively contribute to formulating situations that bluster tiny businesses and a families that they support.

And these companies know that when they stonewall clients whose skill has apparently been stolen that these clients will have no other chance than to compensate off criminals or watch their businesses — sometimes their unequivocally lives — collapse. They know that by station in a approach of evident movement they emanate a unequivocally sourroundings that these criminals count on to continue their business model. And they do nothing.

This has to change.


Support crew during hosting companies should be finished closely informed with ICANN regulations involving domain disputes, and should be means to trigger a devise of movement a first time a customer creates them wakeful of a situation, not after hours and hours of steady calls.

Further, a investiture of a TEAC** should outcome in an immediate solidify on a comment in brawl until a conditions has been resolved. This should not need an acknowledgment of blame on a partial of any parties; simply an confirmation that a brawl exists and an recognition that while a brawl exists a domain contingency be hold protected from sale or transfer.


1. Have a really, unequivocally good password, and change it often. Your cue should not enclose “real” difference (and really not some-more than one genuine word in evident proximity, like “whitecat” or “angrybird”), and should enclose collateral letters, numbers and symbols. The best passwords of all demeanour like sum nonsense.

2. If possible, use a apart mechanism (an aged one or a inexpensive one purchased for this purpose) for things like banking; if your family mechanism is a same one that we use for bank exchange we risk carrying your kids click on a bad couple that formula in a hacking.

3. Turn off your mechanism and personal inclination when they’re not in use.

4. Have antivirus program on your mechanism (but remember that pathogen scans usually locate 30–40% of viruses, so unfortunately a “clean” check doesn’t indispensably meant that you’re safe).

5. Purchase CyberRisk Insurance (it fundamentally protects businesses from cyber attacks and information breaches).


1. Begin holding clever records (and screenshots) immediately. Don’t undo any emails or other information; it could all be critical after on.

2. Immediately change all of your passwords (including — but not singular to — domain registrar, website hosting, website login information, email, bank accounts, wireless home electronics, and Apple ID) according to a manners settled below. we altered cave any few hours while this conditions was still adult in a air, and am stability to change them any few days for a time being.

3. Contact a registrar(s), citing a ICANN process below, and see if together we can arrive during a rapid resolution. Don’t be astounded if we find yourself using into passed ends.

4. Make certain to scrutinise about “filters” and “rules” that might have been placed on your email (basically, any kind of device that a hackers might have placed to brazen emails, et cetera).

5. Contact suitable law coercion (I contacted a FBI since it seemed to be an ubiquitous issue, and was during a unequivocally slightest an widespread emanate since Escrow.com is located in California, and I’m in New York).

Note: Every conditions is different, and we can’t wholeheartedly suggest a stairs that we took that eventually resulted in me convalescent control over my domain name mostly since they concerned interacting with criminals. Obviously that isn’t ideal, and can have indeterminate consequences. (Although my father says that he would like it to be famous that he thinks I’m a outrageous badass. While this is usually unequivocally distant from a truth, in this specific instance…I’ll take it.)

The End. (That was long. Thanks for reading.)

*** *** ***

*ICann.Org is a Internet Corporation for Assigned Names and Numbers (ICANN) is obliged for handling and coordinating a Domain Name System (DNS). ICANN’s process on Domain Name Dispute Resolution radically states that in a box of a domain dispute, a Losing Registrar (the registrar that confirmed possession of a domain name pre-transfer, as against to a “Winning Registrar”, who maintains possession of a domain name post-transfer). contingency immediately settle a Transfer Emergency Action Contact (“TEAC“) in an bid to get a round rolling in a instruction of fortitude right away). Once we had this information, my box was immediately upgraded.

**TEAC: A hit that is determined by ICANN and used by other registrars and ICANN if there is a need to fast residence issues with domain transfers between dual registrars. The hit contingency respond to inquiries within 4 hours, yet final fortitude might take longer.