Registrar abuse · UDRP · Cybersquatting

Domain takedowns done at the registrar level.

DomainTakedown is the registrar-focused practice of 78 OVER 37 LIMITED. We assemble the evidence package every registrar's abuse desk wants to see — and rarely receives — and we don't close a case until the offending domain is suspended, transferred, or commercially useless to the abuser.

Sample case file

brand: example-bank.com
typosquat: examp1e-bank.com
registrar: NameCheap, Inc.
nameserver: cloudflare
created: 2026-04-12 03:14 UTC
cert: LE — issued T+11min
page: credential phishing
action: suspended T+19h
status: closed — monitoring

Figure (real evidence, NameCheap): VirusTotal detection page for a NameCheap-registered tracker domain, with 13 of 93 vendors flagging it as malicious, registered six months ago.
An actual case file: a tracker domain registered through NameCheap, six months old, with thirteen security vendors marking it malicious. The domain was suspended at the registrar within twenty-four hours of our complaint.

<72h median registrar action
<24h median first outage
96% closure on confirmed abuse
1,400+ registrar abuse complaints filed

The threats we remove

Every kind of abusive domain registration

Typosquats

Single-character variations of a real domain ("yorubrand.com", "yourbrnad.com", "yourbrand.co.example"). The abuser registers one, points it at a phishing kit and harvests credentials. We remove them via registrar abuse complaints backed by the documentary evidence those abuse desks want to see first.

Lookalike domains

Variants that swap the TLD ("yourbrand.shop"), insert hyphens ("your-brand-support.com"), or append plausible suffixes ("yourbrand-login.com", "yourbrand-secure.com"). Often used to legitimise smishing and phishing emails.

IDN homographs

Internationalised domain names mixing Latin with Cyrillic, Greek or Armenian glyphs that render visually identical to the brand. Detected by Punycode comparison and removed via registry abuse channels and UDRP where applicable.

Cybersquatting

Bad-faith registrations of brand-matching domains held passively or for sale. Action paths include registrar abuse, UDRP and (in trademark-strong jurisdictions) the URS rapid-suspension procedure.

Combosquats

Brand + descriptive-term combinations ("yourbrand-refund.com", "yourbrand-rebate.com", "yourbrand-careers.com"). Frequent vector for fake job offers, fake refund portals and fake KYC pages.

Expired-domain abuse

Lapsed brand-related domains re-registered by squatters and weaponised. We monitor your portfolio, your suppliers' portfolios and any domain ever publicly tied to your brand for unintended drop-and-catch events.

Services

Five workflows tuned to domain-level abuse

1. Registrar abuse complaints

The bread and butter. We assemble the WHOIS, DNS, certificate transparency, screenshots, source HTML, redirection chains and (where applicable) credential-flow recordings into a complaint formatted to the abuse desk's intake template. Trusted-complainant reputation accelerates the response time.

2. Registry escalations

When a registrar refuses to act, the registry sometimes will. We have direct working channels into several gTLD and ccTLD registries for confirmed phishing. Where ICANN compliance jurisdiction applies, we can escalate further.

3. UDRP & URS support

For cybersquatting, lookalike domains and bad-faith registrations, we prepare the technical evidence pack a UDRP panel needs, coordinate with your retained trademark counsel and run the day-to-day operations side. URS where speed matters and trademark proof is clean.

4. IDN homograph defence

Continuous monitoring of new registrations against the Unicode-confusables list for your brand. Detection feeds directly into our intake queue with the Punycode-decoded form and visual comparison rendered in the dossier.

5. Domain portfolio hygiene

Audit of your defensive registrations, identification of gaps that attackers will probably register first, and monitoring for drops, expiries and ownership changes that would create an opening.

6. Continuous brand-domain monitoring

Daily scans across all major gTLDs, ccTLDs and certificate-transparency feeds for new registrations matching your brand-name patterns. Anomalies flow into investigations automatically — the next typosquat starts in remediation, not in your support inbox.

Process

How a domain takedown case runs

Intake & classification

You send the offending domain (or we detect it via monitoring). We classify it: typosquat, lookalike, IDN homograph, combosquat, cybersquatting, expired-domain abuse. The classification determines the workflow and the abuse-desk template we use.
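
Added example, not DomainTakedown's own tooling: a string-level triage of a reported domain against the protected brand domain, covering the categories that can be decided from the name alone (cybersquatting and expired-domain abuse need registration history). The confusables map is a small constructed subset, the first label is treated as the registrable name (no public-suffix handling), and any brand-plus-extra-term name is reported as a combosquat.

```python
import unicodedata

# Constructed, small confusables map (assumption); real monitoring loads the full list.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u03bf": "o", "\u03b1": "a",
               "\u0585": "o"}

def split(domain):
    """Return (first label, rest); an xn-- label is Punycode-decoded."""
    label, _, tld = domain.lower().rstrip(".").partition(".")
    if label.startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    return label, tld

def skeleton(label):
    """Fold confusable glyphs to their Latin look-alikes."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def osa_distance(a, b):
    """Edit distance where an adjacent transposition counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand):
    """Label a candidate domain relative to the protected brand domain."""
    (c, c_tld), (b, b_tld) = split(candidate), split(brand)
    if c == b:
        return "exact" if c_tld == b_tld else "lookalike"  # TLD swap
    if not c.isascii() and skeleton(c) == b:
        return "idn_homograph"
    if c.replace("-", "") == b.replace("-", ""):
        return "lookalike"  # hyphen inserted or removed
    if osa_distance(c, b) == 1:
        return "typosquat"
    if b.replace("-", "") in c.replace("-", ""):
        return "combosquat"  # brand plus an extra term
    return "unrelated"

# Constructed sample: "yourbrand" with Cyrillic U+043E in place of Latin "o".
SAMPLE_IDN = "xn--" + "y\u043eurbrand".encode("punycode").decode("ascii") + ".com"
```

`classify("examp1e-bank.com", "example-bank.com")` reproduces the sample case file's typosquat label; `classify(SAMPLE_IDN, "yourbrand.com")` shows the Punycode-decoded comparison.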

Infrastructure mapping

Registrar, registry, nameservers, hosting, certificate issuer, certificate transparency timeline, related domains by registrant, related domains by IP/ASN. The dossier shows every operationally relevant link in the chain.

Forensic evidence package

WHOIS snapshot, DNS records, CT artefacts, time-anchored screenshots, source HTML, redirection chains, credential-flow recordings (where the page is collecting credentials). All hashed, signed and stored in immutable archives.

Parallel outreach

Registrar abuse, registry abuse (where appropriate), browser safe-browsing programs, ad networks, payment processors, mobile-operator abuse desks for SMS lures. The campaign experiences pressure on every channel simultaneously.

Escalation & UDRP if needed

If the registrar refuses to act and the case meets UDRP standards, we prepare the panel-ready evidence pack and coordinate with your retained counsel. URS is used where speed matters and trademark proof is unambiguous.

Re-emergence monitoring

Most operators register new domains in days. Continuous monitoring catches the next variant in our queue automatically, and the abuse-desk relationship we built on the prior case accelerates the next removal.

Closeout & reporting

Closure report with milestone timestamps, residual-risk analysis, recommended portfolio adjustments, and a tightened monitoring profile so the next variant is detected sooner.

Figure: Email from a registrar (REG.RU) refusing a domain abuse complaint and pointing the complainant at the registrant, illustrating why expert escalation is required.
Sometimes the first response is "no". REG.RU declined a complaint citing third-party-claims policy. Our response: registry-level escalation plus parallel browser blocking until the campaign is uneconomic for the operator.

Figure: Cisco Talos Security Intelligence reputation card showing a domain marked Untrusted, classified Malicious and added to the active block list.
Cisco Talos reputation card after a successful escalation: Untrusted, Malicious, on the active block list — every Talos-protected enterprise resolver now refuses the domain.

Why DomainTakedown

Domain abuse is operational work, not a marketing tool.

Registrar-desk fluency

Each registrar has its own abuse-handling templates, evidence preferences and unwritten escalation paths. We have filed enough complaints with each of the major ones to know which mistake costs you 48 hours and which sentence triples the response speed.

Forensic, not screenshot-only

Hashed, time-anchored evidence stored in immutable archives. Screenshot-only evidence is fine for awareness; it is not enough to win a UDRP, support a defamation claim or stand up in a registrar's own audit log when they re-review the suspension.

Parallel response

Registrar action, registry escalation, browser blocking, ad-network removal, payment-processor disruption, mobile-operator abuse — every relevant channel notified in the same hour. We don't wait for "the proper sequence", because the attacker isn't waiting either.

Counsel-friendly

Our evidence packages are prepared so your trademark counsel can drop them into a UDRP filing or a cease-and-desist without re-doing the work. Operations and legal sit in the same case file.

FAQ

Frequently asked questions about domain takedowns

What is a domain takedown?

The removal or suspension of a domain name registration that is being used abusively. Action takes place at the registrar (the company that sold the domain to the abuser), the registry (the operator of the TLD), or via a UDRP-adjacent dispute. For brand-impersonating typosquats and lookalike domains, domain-level action is almost always the right answer because removing the page alone leaves the abuser free to rehost.

Difference between a domain takedown and a website takedown?

A website takedown removes specific content from the host while leaving the domain registered and reusable. A domain takedown removes the underlying registration. Domain-level action is harder, slower and more legally textured, but it is the only durable answer for impersonation cases.

Do you handle UDRP cases?

We prepare the technical evidence pack a UDRP panel needs to find bad faith, coordinate with your trademark counsel, and run the operations side of the dispute. We are not ourselves a law firm; we work alongside retained counsel and have established working relationships with the major UDRP providers (WIPO, the Forum, CAC, ADNDRC).

How quickly can a typosquat be taken down?

Compliant registrars typically suspend confirmed-phishing typosquats within 24–72 hours of receiving a properly evidenced complaint. Pure cybersquatting (no active phishing) is slower and usually needs UDRP. Browser safe-browsing partners deliver visitor-level blocking within an hour for clear phishing, regardless of the registrar's pace.

What if the domain is registered with an offshore or non-cooperative registrar?

The realistic plan is parallel pressure: registry escalation where applicable, browser blocking, ad-network removal, payment-processor disruption and (where the registrar's upstream backbone is in a cooperating jurisdiction) backbone-level escalation. The end-state is making the domain commercially useless to the abuser even when the registrar refuses to act.

What evidence do you need from us?

The offending domain, your authority to act for the brand or trademark concerned, prior correspondence (if any) with the registrar, and any additional context (smishing source, ad campaign that pointed at the domain, etc.). The technical evidence we generate ourselves; that's the part of the work you are paying us for.

How are you priced?

Per case for one-off engagements, retainers for ongoing brand-portfolio monitoring. Volume discounts apply on retainers. Single-URL consumer reports go through our free public intake at sitereport.su.

Can you protect us before an attack happens?

Yes, via continuous brand-domain monitoring across major gTLDs, ccTLDs and certificate-transparency feeds. Most attacker domains are visible in CT logs within minutes of registration; that gives us time to start the takedown before the attack lands at the victim's inbox.