Cybersquatting vs Legitimate Domaining: UDRP and ACPA Explained
Where legitimate domaining ends and cybersquatting begins: the UDRP three-part test, the ACPA, reverse domain hijacking, and how to stay safe.

Two people register a domain to resell it. One buys solarpanels.com, a plain dictionary phrase anyone in the industry might want. The other buys nike-running-shoes.net, a string that exists only because Nike does. Same activity on the surface, two completely different legal positions. The first is ordinary domaining. The second is cybersquatting, and there are two well-built systems designed to take that name away from the person who registered it.
That gap is the most important line in this business, and it is the one most easily crossed by accident. This guide walks the boundary: what cybersquatting actually is, the three-part conjunctive test the UDRP uses to claw back a name, how the U.S. ACPA adds money damages, and the flip side most articles skip, reverse domain name hijacking, where a brand abuses the system against a legitimate owner. It is the legal-risk companion to our pillar on domain flipping and the law and the domain flipping series hub.
Not legal advice. This is general information for domain owners, not legal advice. Outcomes turn on specific facts. If you receive a complaint or are considering filing one, talk to a qualified attorney.
What cybersquatting actually is
Cybersquatting is not "registering a name someone else wants." It is registering a name to exploit someone else's trademark. Wikipedia's definition is the one to internalize: it is the practice of registering, trafficking in, or using an Internet domain name, with a bad faith intent to profit from the goodwill of a trademark belonging to someone else. Every word in that sentence is load-bearing. The conduct (register, traffic, use) is broad. The intent (bad faith, to profit) is the trigger. And the target is specific: a trademark belonging to someone else, not a generic word the whole market shares.
Legitimate domaining lives on the other side of that intent line. Buying generic, descriptive, or invented names and reselling them is a long-established trade. A domain like solarpanels.com has value because the words are valuable to an entire industry, not because they ride on one company's reputation. The same goes for brandable coinages and short .com or .io names with no trademark attached. The asset is the string itself, and that is the whole of domain trading as a legitimate practice.
The trouble starts when a name's value comes from a brand rather than from the words. Register tesla plus a hyphenated suffix, a deliberate typo of a famous mark (typosquatting), or a brand name in a new TLD right after a product launch, and the value you are trying to capture is someone else's goodwill. That is exactly what the two enforcement systems below are built to catch.
The UDRP three-part conjunctive test

The first and most common system is the UDRP, the Uniform Domain-Name Dispute-Resolution Policy. Every accredited registrar makes you agree to it when you register a name, which is why a private arbitration panel, not a court, can order your domain transferred away. We cover the full process, timeline, and outcomes in what is UDRP; here the focus is the test itself, because the test is where flippers win or lose.
A complainant must prove all three of the following. This is a conjunctive test, which is the single most important fact about it. Fail any one element and the complaint is denied, no matter how strong the other two are.
- Identical or confusingly similar. As the policy puts it, the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights. In practice this works mostly as a standing requirement: it confirms the complainant owns a relevant mark and that your name looks like it.
- No rights or legitimate interests. The second element requires that the registrant does not have any rights or legitimate interests in the domain name. A genuine business use, a descriptive meaning, or non-commercial speech can all establish a legitimate interest, which is why generic names are so much safer to hold than brand-adjacent ones.
- Registered and used in bad faith. The third element requires that the domain name has been registered and the domain name is being used in "bad faith". The word and is the one to underline. Bad faith must be present at both registration and use. A name registered years before a complainant's trademark even existed generally cannot have been registered in bad faith, because you cannot target a brand that does not yet exist.
That third element is where defensible portfolios survive. The bad-faith patterns the UDRP recognizes are specific: registering primarily to sell the name to the trademark owner at an inflated price, registering to block a brand from its own name as part of a pattern, registering to disrupt a competitor, or using the name to draw traffic by creating confusion with the mark. Crucially, offering a generic or descriptive domain for sale is not, by itself, bad faith. Selling names is a legitimate business. The dividing line is whether you were trading in words or targeting a brand.
The practical takeaway for a flipper is short. Buy the dictionary word, never the trademark, and keep a record of why and when you bought it, because a registration date that predates the mark is often dispositive.
ACPA: when cybersquatting costs real money

The UDRP can only do two things to a name: transfer it or cancel it. There are no damages. For a determined brand, or a particularly egregious squatter, the United States built a second system with sharper teeth.
The Anticybersquatting Consumer Protection Act, enacted in 1999, created a federal cause of action. As Wikipedia summarizes it, the ACPA established a cause of action for registering, trafficking in, or using a domain name confusingly similar to, or dilutive of, a trademark or personal name. The statutory standard mirrors the UDRP's intent requirement: liability under the law attaches to a person who has a bad faith intent to profit from that mark and registers, traffics in, or uses a domain identical or confusingly similar to a distinctive mark.
The difference that matters is the remedy. Where the UDRP just moves the name, the ACPA can hit your wallet. A prevailing plaintiff may elect statutory damages of not less than $1,000 and not more than $100,000 per domain name, as the court considers just. Per name. A squatter holding a portfolio of brand variants is staring at a number that scales with the portfolio, on top of losing the domains.
Two practical points follow. The ACPA is U.S. law, most relevant when the parties or registrar have a U.S. connection, whereas the UDRP is global by registrar contract. And the two are not mutually exclusive: a brand can run a fast, cheap UDRP to grab the name and still sue under the ACPA for damages. For a legitimate domainer this is mostly reassuring, because the ACPA's bad-faith-intent requirement protects good-faith generic registrations the same way the UDRP's third element does. For a squatter it is the reason the math never works.
Reverse domain name hijacking: when the brand is the bad actor

The line runs both ways, and this is the part most "is domain flipping legal" articles skip. A trademark does not entitle its owner to every domain that resembles it. When a brand uses the dispute process to try to wrench a legitimately held name away from its owner, that abuse has a name: reverse domain name hijacking.
Wikipedia defines it as occurring where a rightful trademark owner attempts to secure a domain name by making cybersquatting claims against a domain name's "cybersquatter" owner who is, in fact, not a squatter at all. The UDRP rules give panels a tool against it. Under Paragraph 15(e), a finding of reverse domain name hijacking is made when there has been the filing of a complaint in bad faith, resulting in the abuse of the UDRP administrative process.
An RDNH finding awards the domain owner no money, but it is a formal, public rebuke that damages a complainant's credibility in future disputes and litigation. The classic trigger is a brand that wanted a generic name, missed its chance to buy it, and tried to use the UDRP as a shortcut to take what it should have purchased. The fact pattern that exposes the complaint is usually simple: the domain was registered before the trademark existed, which makes bad-faith registration impossible. For a domainer holding a clean, generic name, raising RDNH in a response is a real defensive weapon. This is also distinct from a security-level domain hijacking, which is an attack you prevent rather than a legal process you answer.
Staying on the safe side of the line
Most of staying safe is decided before you spend a dollar. A handful of habits keep a portfolio defensible:
- Buy words, not brands. Generic, descriptive, and invented names are the safe inventory. If a name has value only because a specific company exists, skip it. When you are unsure whether a name reads as a brand, that uncertainty is itself a signal to pass.
- Run a trademark check before you buy. A quick search of the relevant registry on the exact string and obvious typo variants catches most problems. It matters most on the aftermarket, where you inherit the prior registrant's history along with the name.
- Keep records, and keep parking clean. Save your registration date and reasoning, since bad faith generally must exist at registration. Avoid PPC ads that compete with any trademark owner, which can turn a generic name into evidence of bad-faith use.
- Handle inbound offers carefully. If a brand approaches you, do not demand a number framed around their need for the name. That framing is easily recast as "registered primarily to sell to the trademark owner."
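An added example, not from the original article: one way to run the exact-string and typo-variant screen from the habits above on a name you are considering. The `MARKS` watchlist, the function names and the one-edit threshold are assumptions for illustration; a real check searches the relevant trademark registry.

```python
import re

# Constructed watchlist for illustration (assumption): a real screen would
# search the relevant trademark registry instead of a hard-coded list.
MARKS = ["nike", "tesla"]


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            rows[i][j] = min(rows[i - 1][j] + 1,         # deletion
                             rows[i][j - 1] + 1,         # insertion
                             rows[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)  # adjacent swap
    return rows[-1][-1]


def screen(domain: str, marks=MARKS):
    """Return (mark, reason) pairs for the label left of the first dot.

    Hypothetical helper: expects a registrable name such as "example.com".
    """
    label = domain.lower().split(".")[0]
    tokens = [t for t in re.split(r"[-_]", label) if t]
    squeezed = "".join(tokens)  # label with hyphens and underscores removed
    findings = []
    for mark in marks:
        if mark in tokens or squeezed == mark:
            findings.append((mark, "exact mark"))
        elif mark in squeezed:
            findings.append((mark, "mark embedded in a longer string"))
        elif any(edit_distance(t, mark) == 1 for t in tokens + [squeezed]):
            findings.append((mark, "one edit away from the mark"))
    return findings


if __name__ == "__main__":
    for name in ["solarpanels.com", "nike-running-shoes.net", "tesal-cars.io", "bike.com"]:
        print(name, screen(name) or "no hits")
```

A hit is a prompt for a registry search and human judgment, not a verdict: bike.com is one edit from nike yet is an ordinary dictionary word.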
When the name is clean and the records are clean, the transfer itself is the last variable. High-value sales settle through neutral escrow precisely so neither side has to move first, and a verifiable chain of custody is part of what makes a name defensible if its history is ever questioned. Namefi leans into that: tokenized ownership gives a name a durable, auditable provenance record while keeping it fully ICANN-compliant, so the underlying domain stays squarely inside the system the UDRP and ACPA govern. Tokenization strengthens your evidence and your control. It does not place a name outside trademark law, and no honest tool would claim otherwise.
The bottom line
Domaining and cybersquatting are separated by one thing: intent. Buy words and you are an investor. Buy brands and you are a target, with a global arbitration system that can take the name and a U.S. statute that can charge you up to six figures per domain on top. The same line protects you in reverse, because a trademark owner who abuses the process against your legitimate name can be branded a reverse hijacker. Learn the three-part UDRP test cold, keep your portfolio generic and your records clean, and the legal risk in this business stays where it belongs: on the people trying to game it.
Sources and further reading
- Wikipedia — Cybersquatting (definition)
- Wikipedia — Uniform Domain-Name Dispute-Resolution Policy (the three elements)
- Wikipedia — Anticybersquatting Consumer Protection Act (1999; cause of action)
- Legal Information Institute (Cornell) — 15 U.S.C. § 1125(d) ("bad faith intent to profit")
- Legal Information Institute (Cornell) — 15 U.S.C. § 1117(d) (statutory damages: $1,000–$100,000 per domain)
- Wikipedia — Reverse domain name hijacking (definition; UDRP Paragraph 15(e))
- ICANN — Uniform Domain-Name Dispute-Resolution Policy
- WIPO — Guide to the UDRP