BREAKING: First Ever Criminal Prosecution for Domain Name Theft Underway
by Adam Strong
Over the years hundreds of stories of domain name theft have been reported, most famous among them of course is the theft of Sex.com. Even as recent as last week, reports of stolen domains sent a chilling reminder through the domain industry as valuable domains Before.com, Adios.com and others were stolen from Warren Weitzman. Until recently, there hasn’t been a case of a domain theft where the thief was caught and arrested. However, on July 30th, Daniel Goncalves was arrested at his home in Union, New Jersey and charged in a landmark case, the first criminal arrest for domain name theft in the United States.
In a similar fashion to the Sex.com theft, the events that led to Goncalves arrest involve a long back story, one that spans well over 2 years, and many players. Although insiders familiar with this case contend that Goncalves has stolen other valuable domains, this case centers on the theft and subsequent sale of the domain name P2P.com.
In 2005, internet entrepreneur and domain name investor Marc Ostrofsky and attorney Albert Angel along with his wife Lesli Angel partnered to purchase the domain name P2P.com for $160,000 from a Wisconsin company, Port to Print Inc. The domain industry was heating up in 2005, as was the emerging peer to peer music business and the co-owners of the domain name saw a great deal of potential with this investment and future development of the domain.
Ostrofsky is a well known investor in the domain space. His name was etched in domain name history with his 1999 sale of Business.com for $7.5 million and the multi-million dollar domain holding company,IREIT, that he helped form with investment backing from Howard Schulz and Ross Perot. Albert Angel is an attorney and former Justice Department prosecutor with a background in internet payment processing. Angel and Ostrofsky have known each other for over 25 years and have done business together in other ventures.
The Angels had already invested in a small portfolio of domain names including profreedom.com and drugoverdose.com (2 more domains reportedly stolen by Goncalves). As a nurse who dealt with teen drug abuse issues, Lesli Angel became interested in buying and building sites on domains in the late 90’s. Domains such as drugoverdose.com gave her a means to reach out to some of the same audience that she was already helping as a nurse. As the domain space heated up, Angel continued buying domains and built up a portfolio of around 800 domain names.
Daniel Goncalves, the 25 year old law firm computer technician arrested on Thursday, reportedly hacked in to the Angel’s AOL email account, used that information to retrieve the login details for the P2P.com from the Godaddy.com domain account. Goncalves performed an internal “domain push” transfer,which in effect transfered the domain name to another Godaddy account that he owned. Goncalves reportedly also falsified Paypal.com transaction records in an attempt to cover his trail and provide evidence that made it appear that he purchased the domain name for $1,500 from the Angels. The domain was listed in the name of Daniel Louvado during this time period (a bogus name consisting of Goncalves first name and his fiances last name).
In late 2006, Goncalves put the domain name P2P.com up for sale on eBay.com and on September 24, 2006 the eBay.com auction for the domain P2P.com closed in the amount of $111,000. The Angels pointed out to DNN that from their investigations Goncalves already owned his own home with a new inground pool being installed (in New Jersey?), drove a Lotus and Mercedes and was frequently bragging about his travels.
Caught in the middle of this and claiming to be a “good faith” purchaser is Mark Madsen, NBA basketball player with the LA Clippers. Madsen is reportedly also a domain name investor and was the buyer of the P2P.com domain name on eBay.com. Domaintools.com Whois history shows that Madsen took ownership of the domain name on February 28, 2007. Current whois records for the domain show that the domain name is protected with whois privacy protection, but according to insiders familiar with the case the current owner is still Madsen. Madsen has been investing in domain names for years and has been linked to the user name thecollins2 in some domain name forums and the company Woodside Technology Group.
Godaddy.com is the world’s largest domain name registrar. With over 30 million domains being managed, it’s safe to assume the registrar has been faced with a few cases of domain name theft. The domain name P2P.com was registered with Godaddy.com and all evidence from whois history records points to the domain name being moved internally to a new account within Godaddy. The domain name now uses Godaddy’s whois privacy services to hide the ownership. According to the Angels, Godaddy stone-walled any efforts to investigate the theft and in a final passing of the buck, the Angels say that Godaddy told them that they should have been better defended against hackers and must bear the risk. It’s clear that the domain name was pushed between 2 accounts. The Angels contend that subpoenaed Godaddy.com records reveal that the registrar knew that Goncalves was implicated in two other domain thefts at least one month prior to the P2P.com theft.
In many cases, intricate registrar contracts, safe-harbor laws and statutory exemptions protect domain name registrars from being held liable in domain theft cases. Cases like Kremen v. Cohen (Sex.com stolen) and Solid Host v. Namecheap however have carved new paths in applying the law to cases involving registrars and domain name theft. The P2P.com civil and criminal cases will use these decisions and likely even lay new ground for future decisions.
Joshua Pelissero, a self-described legend in tracking domain thieves, was enlisted by the Angels to help unwind the events that happened after the domain theft and to find additional evidence of Goncalves online activities. Domain investor Richard Lau and expert witness from the Sex.com case, Ellen Rony was also tapped to help uncover more information about the case. The Angels and more specifically Lesli Angel have been tracking Daniel Goncalves and building up evidence for over 2 years. With the help of Pelissero, Lau, and Rony the pieces of the puzzle began to fall together and the evidence began to become more clear. Angel told us “this business is not for the faint of heart. You have to know what you’re doing and be educated.” With these pros backing up their efforts, the Angels made a great deal of progress.
In the Spring of 2007, the Angels took their case to prosecutors in both New Jersey and Florida. The investigation proceeded in Florida since the Angels are Florida residence, meanwhile the New Jersey police, where the accused resides, put their case on hold. Three months after taking the case, Florida prosecutors dropped it for “lack of evidence”. The only recourse left for the Angels was to pursuit Goncalves through a civil action. They used the Freedom of Information Act to gather up the evidence from the Florida prosecutors investigations and continued in their vigilance, building up an even stronger civil case.
The civil suit against Daniel Goncalves and Mark Madsen was filed in November 2007 to retrieve the P2P.com domain name. After further discovery, the filing was amended in June of 2009 to include new defendents, Goncalves brother and wife (on RICO conspiracy grounds) and Godaddy.com (for negligence and contributory trademark infringement under Anti-Cyber Piracy statute). The civil suit is still ongoing but but as of Thursday Goncalves is also now facing criminal charges.
Months after the Florida prosecutors dropped the original investigation, Detective Sergeant John Gorman of the New Jersey State Police Cyber-Crimes Unit reviewed and reignited the P2P.com case, asking the couple if they would like to pursuit it further. The Angels traveled to New Jersey and presented the mountains of evidence and findings that they had been accumulating over the last 2 years. In May of 2009 the NJ District Attorney approved the indictment and on July 30th Goncalves was arrested at his home and his computers seized.
According to the P2P.com theft victims, this marks the first time in the US that a domain name theft has resulted in an arrest. Detective Sergeant, John Gorman of the New Jersey Cyber-Crimes Unit is responsible for reviving this case. Without his push to move this case forward it’s likely another domain theft would have just been left to be handled through a civil case. Albert Angel told DNN “these hackers basically thumb their nose at the legal system.” With the criminal prosecution moving forward, these cyber-criminals, who often taunt their victims with a brazen “what are you going to do about it” attitude, now may actually face the long-arm of the law.
So why are these thieves escaping justice and why aren’t we hearing more about these cases?
Simply put, Complications
Cases of domain name theft have not typically involved a criminal prosecution because of the complexities, financial restraints and sheer time and energy involved. If a domain name is stolen, the victim of the crime in most cases would need experience with the technical and legal intricies associated with the domain name system. To move the case forward, they would also need a law enforcement professional who understands the case or is willing to take the time to learn. For example, the Angels told us that in their case they called their local law enforcement in Florida who sent a uniformed officer in a squad car to their home. The first thing you can imagine the officer asked was, “What’s a domain?”.
Additionally financial restraints play a major role. Often times the rightful owners of these domains simply can’t justify the thousands of dollars in legal fees necessary to handle a case like this. Domains that don’t have the sort of value that a domain like P2P.com has in the aftermarket may still contain a value that only the original owner can appreciate. Good luck convincing a law enforcement professional that your domain name is valuable under those circumstances. It’s likely that many small business owners faced with this situation would simply give up. Lesli Angel told DNN “we’re fortunate enough to be in a position where we can go after the criminals . . .what if you weren’t in our position though?” Pelissero stated that most of the domains he has helped recover were owned by people who didn’t have the means, desire or knowledge to track down the thieves and get their domain name back. “I had a domain stolen from me before, so I know what it’s like to have that happen. It’s horrible and I was only out $10,000″ said Pelissero. “This could happen to anyone and there really is no recourse especially for someone without financial means,” stated Angel.
Complicating the matter further is that domain names are globally traded assets and jurisdiction muddies the waters further. In this particular case, the domain name was stolen from a registrar headquartered in Arizona, the domain was owned by a Florida resident and the accused is a resident of New Jersey. Add to it that the domain registry is located in Virginia. Frankly, the owners were lucky that this all took place on US soil. Imagine how much more complicated a case like this could become if involved international parties.
Attorney Paul Keating told DNN that most cases of domain theft recovery that he has dealt with have been complicated at best. The real problem stems from the fact that domain names aren’t considered property. “The laws do not specifically identify domains as property. That has been the subject of various court decisions. Not all courts have issued consistent decisions. For example, bankruptcy courts have no difficulty treating domains as property. The IRS treats domains as a form of intellectual property and allows amortization along the lines of a trademark though over a shorter period,” Keating said. Further complications come in to play when we look at the rulings in different states. “California is believed to treat them as property after the Sex.com case but that was a federal decision interpreting California law. The Eastern District of Virginia (where the Verisign registry is headquartered) clearly holds domains to be the subject of a license and thus not property. I have been involved in various state-level cases seeking recovery of stolen names or trying to specifically enforce a domain purchase agreement in California and the courts have always honored the claim.”
Albert Angel summed it up well “If your car is stolen and you demand its return from a subsequent purchaser for value, you recover your car in 50 states, on well-settled common law principles. Try to recover a stolen domain name, and you have a decent chance perhaps in one state (CA) but you have bought yourself an expensive, and legally uncertain lawsuit in most other states. Short of such laws being created on a Federal basis or by each State, any business owner could lose their domain name and website and never legally be able to retrieve it. Federal laws are needed to protect every company and individual domain name owner.”
These complications and hurdles however seemed to be no match for the vigilant Albert and Lesli Angel. In fact when talking to the victims, one realizes that the hacker who stole the P2P.com domain from this group couldn’t have picked a worse target. I’m sure if Goncalves knew he was going to be facing the challenge of a team consisting of Ostrofsky, a well-known and connected player in the domain space, Albert Angel, an experienced attorney and Lesli Angel, a vigilant former nurse who told us she “just can’t stand to see anyone suffering”, he may have reconsidered some of his actions.
When asked what drove their continued vigilance in pursuing this case for over 2 years Lesli Angel told DNN “Besides wanting our domain back, we want to carve a path for others. Let’s face it the legal system has not caught up with the growth of the internet. We hope the outcome of this case paves the way and makes it easier for victims of this type of crime. These guys are thieves! Why are they not being arrested? Why are they continuing to get away with this?”
Goncalves is now out of jail after posting $60,000 bond. He will be facing at least 2 court cases soon and this time it’s not just a civil suit. The NJ prosecutors intend to push forward with the criminal case and press for a felony conviction.
So, what do you think about this case ?
- Should a domain name registrar be held responsible for domains stolen from accounts ?
- Do we need new laws that protect domains and classify them as a form of property with certain protections ?
- Do we need reform in the current domain name registry contracts and ICANN policy which would also classify domains as property rather than a contract ?
- Who will be the overseer and enforcer of these new rules ?
- Lastly, What would you do if your most valuable domain name was stolen ?