Cybersquatting Web3 Domain Names

Enrico Schaefer - April 19, 2022 - Cybersquatting Law, Non-Fungible Tokens (NFTs)


There are new domain extensions in Web3, including .crypto, .eth, and .nft.   What happens when someone registers your trademark or personal name on these web3 extensions?  There are two videos in this web3 domain squatting educational series. Both videos are linked in the description below for easy navigation and reference.  Watch video one below.

This is a ‘one of a kind’ video series on token squatting. I am doing this series because I have been unable to find any other comprehensive content on the web or YouTube that lays out a detailed and viable playbook for brands and celebrities to protect their names, slogans, and marks against Web3 cybersquatting.

Understanding Cybersquatting and Blockchain

If you already understand blockchain and cybersquatting law, feel free to skip to the following video, where we will provide instruction on blockchain forensics and wallet owner identification. If you are not an expert in cybersquatting or blockchain technology, don’t go anywhere!

Let’s talk about trademark protection and domain names.  

If you are a brand or trademark attorney, you may already know about cybersquatting. Before diving into token squatting on web3 blockchain technology, we need to understand precisely how the web2.0 domain name system (.net, .edu, .xyz) of the last 30 years has worked.

How to Protect Your Trademark from Web3 Cybersquatting

Cybersquatting Domain Names

In yesterday’s internet world, a person unknown could register your company name, your slogan, your product name, your brand name, or YOUR personal name as a domain name without your permission. 

Maybe they host a website on this infringing domain name and use the domain name and website to confuse, counterfeit, or defraud your customers – or worse, extort you by demanding an exorbitant price to buy it from them. 

When the internet emerged in the 1990s, you were allowed to steal someone’s trademark as a domain name. There were no laws to stop it. As the internet expanded, confusion about domain names and trademarks persisted.  

The Anticybersquatting Consumer Protection Act (aka ACPA)

Cybersquatting is defined by the Anticybersquatting Consumer Protection Act (aka ACPA). The ACPA is a federal law that brought trademark enforcement to the internet in the year 2000. 

Remember when Microsoft – which thought the internet was a fad – had to pay $1 million dollars to buy from a stranger? That was 1998.  The ACPA was passed in 2000 to make it illegal for anyone except the trademark owner to register, use, or traffic in a domain name with a bad faith intent to profit. 

Microsoft looked foolish back then for failing to register its name as a .com domain name and for thinking the internet was never going to amount to much. The ‘this is a fad’ argument sounds familiar when we listen to blockchain deniers.

Most brands are way more in tune with Web3 today. They are working to understand blockchain technology and start the process of combating the online infringement that web3 will inspire.  

This video channel is here to help you avoid being “a Microsoft.” 

The ACPA also protects your personal name for the same good and noble reasons: to protect you and your community from fraud.

Someone who is not the trademark owner and registers a literal or variation of your company name, brand, or even your personal name as a domain name with a BAD FAITH intent to profit is liable for up to $100,000 in statutory damages per domain name, plus attorney fees.

That is some pretty heavy-duty legal and financial leverage. Many cybersquatters fold under the threat of being sued under the ACPA.  

Forced Transfers of Web 2 Domain Names

Courts and arbitrators can also order a transfer of a web2 domain name to your control.  

Let’s pause. This is important because it marks a critical differentiator between web2 and web3; between the .com world and the .crypto world. How does forced transfer work in the web2 world, and why don’t forced transfers work in the web3 world of blockchain?

Why is forced transfer improbable in web3? The answer, my friends, lies in the architectural difference between centralized technology and decentralized technology. 

All Web 2 domain names are controlled by ICANN – the Internet Corporation for Assigned Names and Numbers – as well as registries such as Verisign, which control Domain Name Servers (DNS), and domain registrars such as GoDaddy, which rent domain names to you for a period of years. In the web2 world, there are three centralized companies involved in every Web 2 domain registration. That means three controlling entities can take a name from a cybersquatter and transfer it to the trademark owner or person whose name is cybersquatted.

Think of web2 domain names like this. You don’t OWN a Web2 domain. You rent it. And the landlord, building owner, or municipality can take it from you and give it to someone else if you break the rules. That is not the way blockchain or web3 works. Blockchain is decentralized, with no controlling entities.

Domain Squatting in the Web3 World

Web 3.0 moves all power from ‘too big to fail’ corporations directly to ‘we the people.’ Web3.0 is ‘trickle-up’ economics. Most power lies with the individuals who share whatever power they decide with corporations. Or at least that is the libertarian promise and potential of blockchain.

Token contracts include self-executing software code which makes ownership immutable – unchanging over time and unable to be changed – unless the little guy agrees. And transfers of domain names occur only when the person who owns that wallet says so; the transfer actually happens without any third-party involvement. No GoDaddy. No escrows. No Verisign. Web3 wallet owners hold private keys that execute software code that controls ownership.

For Web3 domain names such as … and many others, there is no intermediary which can arbitrate trademark infringement or take a Web3 domain away from a token squatter.

So what if you are a brand or a famous person whose Web3 domain name is purchased by a ‘token squatter’? For example: yourcompany.eth or yourtrademark.blockchain.

ICANN can’t help you. Verisign can’t help you. GoDaddy can’t help you. There is no landlord, property owner, or municipality with any say, power, or control over that infringing domain. Only the wallet owner – whose identity is represented by a string of 64 random numbers – controls ownership of the domain name and the ability to execute the transfer code embedded in the token on the blockchain.

Domain Name Infringement in Web 3 is a Huge Risk

Interestingly, none other than Microsoft – which no doubt has scars from its debacle – issued its annual ‘Digital Defense Report’, which warned:

“The next big threat” are web3 domain names written into a distributed ledger maintained across a constellation of computers instead of stored in a traditional, centralized registry.


Unstoppable Domains and Ethereum Name Service (ENS) are blockchain entities offering .eth, .nft, .crypto, and other domain name extensions. Unstoppable Domains says on its website: “Unlike traditional domains, Unstoppable Domains are fully owned and controlled by the user with zero renewal fees ever (you buy it once, you own it for life!).”

It sounds hopeless, and you might worry that web3 will bring endless consumer confusion about the source and origin of goods and services.  Just as the skeptics and chicken littles of the 1990s were wrong about Web 2.0, so will the critics be wrong about the sky falling as we move towards web3.0.  

Web3 won’t be perfect, but the benefits – even for companies and brands – will far outweigh the problems. 

Why do brands need to register their web3 domain name NFTs?

For those brands that are already being token squatted, why do they need to act fast and aggressively to secure those domains?  

And given everything I just said about decentralization, how can a brand force a transfer of domains to the company-controlled Ethereum wallet? 

Let’s start with the first question. Why must brands aggressively protect their web 3.0 identity? 

Unlike web2 domain names, web3 domains do much more than point the DNS to the website or email server. Ethereum domain names – NFTs – can be mapped to crypto wallet addresses.

When the token owner of – for example – googlestore.eth asks for a crypto payment, they provide the payor the address “googlestore.eth”.

Any crypto sent to that branded address goes directly into the token owner’s wallet.   Well… you can see the problem is worse than web2 domain names and websites.  Web3 domains can be mapped to what would otherwise be arbitrary 64-character wallet addresses that pay and receive cryptocurrency.  

Web3 wallets represent your branded bank account routing number. Web3 domains are the branded ‘swift code’ for your – or a squatter pretending to be your – bank account.  Let that sink in. 

In addition to hosting websites and acting as your branded payment processor, Ethereum NFT domain names can also be set up as a login name, username, avatar name, or store name across any decentralized application on any blockchain.

Whoever controls googlestore.eth can set up a store in the metaverse, ask for crypto payments to be sent to googlestore.eth, and take on the brand identity in both the physical and virtual world. Owning googlestore.eth – for instance – can make it easy for a scammer to confuse Google customers into thinking the payment request is coming from Google and that they are paying Google.

It gets worse: a web3 domain name can be used as your NFT marketplace name on OpenSea and your social media handle across web2 and web3. Your blockchain wallet address – mapped to a web3 branded domain name – can be used to identify all aspects of your web3 existence. Yikes!

We don’t mean to pick on any of the brands whose web3 domain names you see in this or the following video. Hopefully, these brands do control the wallets linked to these domain NFTs. Or at least by the time you are watching this video, these brands have followed the tips in episode 2 to leverage a transfer to their control.  

The domain names shown and mentioned herein are just examples that should help you realize the problem is more than theoretical. Brand protection in a blockchain world is not some distant problem on the horizon of an uncertain metaverse. 

If you are waiting to protect your brand on web3, you are likely making your job that much harder in the future.  Every branded Web3 domain has the potential to defraud in ways web2 domain squatters could never have imagined.   Reading this article to this point might make you think that web3 will incite unsolvable fraud for all of us.  

Web2 detractors thought the same thing in 1999 and protested loudly. But alas, do not fret. Web3 is more promising than infringement. I am here today – and every day on the NFT Lawyer YouTube channel – to help you protect your – and your client’s – trademarks in the metaverse and beyond. Our first question was ‘Why do you need to protect your brand in the web3 world?’ I now hope your sense of urgency is a little more … (head shake) urgent.

Protecting Your Brand from Web3 Cybersquatting

Remember the second question. How do you protect yourself in the decentralized world of web3? Let’s generally talk and then take a deeper dive into the question of enforcement in episode 2 of this token squatter video series. How do I protect my brand and personal name in a tokenized world?

Instead of looking to centralized third parties to assist you, IP enforcement in the Web3 world is about four things, all of which we will discuss in the following videos in this series:

  1. forced compliance,
  2. practical leverage,
  3. financial leverage, and
  4. legal leverage.

Each of these levers, correctly pulled, can exert real force. In many instances, they give you as much chance of domain recovery as the centralized control system of web2. Today, you may be surprised to learn what many blockchain experts already know: don’t believe the hype and click-bait.

Web3 is not a haven for criminals to engage in anonymous criminal activity. At least not more so than the real world or web2. A 64-digit anonymous wallet address is not as anonymous or immune from accountability as you might think. You can sometimes identify the wallet owner with a bit of digging on and off the blockchain.

Leverage against token squatters comes in many forms if you know how to exert it.  There is no threat ‘letter’ in the metaverse.  There are chat and bbs postings on block explorers between wallet addresses, Discord channels for most projects, forum communications, linked social media accounts, and sometimes discoverable emails that can open a line of communication with the squatter.  

Notice of Infringement and Threat Letters

Notice or threats communicated to the wallet owner who owns the NFT domain can achieve your IP protection goals. There are several ways to identify a wallet owner. Sometimes, you have to go to court to get subpoena power. But often, a reasonable blockchain attorney can uncover the token squatter and identify them, or at least establish a line of communication.

The following video will discuss digital breadcrumbs, subpoenas to decentralized exchanges and other dAPPs, and other wallet owner identification techniques.

If a threat/notice chat, post, or email does not work, a John Doe lawsuit can also get the job done. You will need expertise in alternative service, among other procedural rules which come into play for many blockchain lawsuits.

An ACPA judgment – typically by default, unless the squatter wants to identify themselves by name voluntarily – can (a) subject the cybersquatter to collection, attachment, and garnishment. You can chase down their digital assets until the end of days. The cybersquatter’s cryptocurrency and NFT transfers through crypto exchanges such as Coinbase, and all crypto transactions made through decentralized applications (known as dAPPs, which are the heart of web3), are visible, traceable, and subject to collection.

An ACPA judgment – or even a threat of being sued for token squatting – (b) can be used to preclude the cybersquatter from safely using the best features of blockchain: metaverses, exchanges, dAPPs.

Establishing YOUR trademark rights and an ACPA judgment (c) can be used to preclude the squatter from using NFT marketplaces. This will make it harder to sell the infringing Web3 domain name for a profit.

A trademark lawyer specializing in cybersquatting and blockchain technology can creatively implement and evolve enforcement strategies as this technology rapidly changes each day. Remember one of the benefits of Web3: every transaction is recorded and publicly available for everyone to see. That transparency doesn’t exist AT ALL in the web2 world.

IP Protection Playbook in The World of Web 3

This is not the playbook lawyers use to protect their clients’ IP. This is the playbook we are creating in real time for lawyers to assist their clients. This is the playbook brands MUST understand to implement IP protection strategies in our evolving web3 world. 

Don’t forget to watch Episode 2 of this Token Squatting series by clicking the video right there or find the link in the description below. We will be educating and elevating on blockchain forensics and wallet owner identification techniques. 

My name is Enrico, and I am the author of the NFT Lawyer video channel. We will see YOU in the next video. 



This page has been written, edited, and reviewed by a team of legal writers following our comprehensive editorial guidelines. This page was approved by attorney Enrico Schaefer, who has more than 20 years of legal experience as a practicing Business, IP, and Technology Law litigation attorney.