Namefi

Domain Flipping and the Law: Trademarks, UDRP, and Scams

The legal landscape every domain flipper needs: trademark basics, UDRP and ACPA, escrow at closing, hijacking defense, and how to dodge sale scams.

Published on June 21, 2026By Namefi Team
  • domains
  • security
  • domain-flipping
  • explainer
Domain Flipping and the Law: Trademarks, UDRP, and Scams

Flipping domains is legal. Flipping the wrong domains will cost you the name, the money you paid for it, and sometimes a five-figure judgment on top. The difference between those two outcomes is not luck. It is a small body of law you can learn in an afternoon, plus a handful of operational habits that keep your portfolio clean and your deals from getting robbed at the door.

This is the legal and safety pillar of our domain flipping series. It covers the line between domaining and cybersquatting, the two dispute systems that enforce that line, how to settle a sale without getting scammed, and how to keep someone from stealing a name out from under you. None of it is legal advice (see the disclaimer at the end), but all of it is the working knowledge experienced flippers price into every trade.

The one line you cannot cross: trademarks

Editorial illustration of a generic domain tag with a green check on one side of a dividing line and a brand-emblem domain blocked by a red no-entry sign on the other

The whole legal question reduces to a single distinction. Registering a generic, descriptive, or invented name to resell is ordinary investing. Registering something that trades on a specific company's brand is cybersquatting, and it is the one move that turns a legitimate flip into a losing one.

Wikipedia's definition is the standard one: cybersquatting is the practice of registering, trafficking in, or using an Internet domain name, with a bad faith intent to profit from the goodwill of a trademark belonging to someone else. Two words in that sentence do the heavy lifting: bad faith and trademark. A dictionary word like loans or a coined name like Zapio belongs to no one in particular. nikeshoes-store.com plainly leans on a mark that does. The closer a name sits to an existing brand, the more it looks like you registered it to extract money from that brand, and that intent is exactly what the law punishes. We draw the full boundary in cybersquatting vs domaining: UDRP and ACPA.

A practical filter before you buy: would a reasonable person assume this name was meant to point at a particular company? If yes, walk away no matter how cheap it is. The fundamentals that make a name worth owning are covered in how to value a domain name and what is a domain; a name that fails the trademark test has negative value, because holding it is a liability.

UDRP: how a trademark owner takes a name back

The fast, cheap enforcement path is the Uniform Domain-Name Dispute-Resolution Policy. It is part of ICANN's rules, baked into the registration agreement you accept whenever you register a name, so you are already bound by it. ICANN adopted the UDRP in 1999, and disputes are decided by accredited providers — most prominently the World Intellectual Property Organization (WIPO).

A complainant has to prove three things, all of them. As Wikipedia summarizes the policy, the name must be identical or confusingly similar to a trademark or service mark in which the complainant has rights; the registrant does not have any rights or legitimate interests in the domain name; and the name has been registered and the domain name is being used in 'bad faith'. Miss any one of the three and the complaint fails.

The stakes of a UDRP are narrow but absolute. The only remedies are cancellation or transfer of the domain. There is no money awarded, but you lose the asset outright, and a panel can take it in weeks rather than the months a lawsuit would run. This system stays busy: WIPO reported that in 2024, trademark owners from 133 countries filed 6,168 cases under the Uniform Domain Name Dispute Resolution Policy (UDRP) and national ccTLD variations. For a flipper the lesson is simple: a UDRP is the cheap, fast tool a brand reaches for first, so any name that could plausibly draw one is a name you do not want in inventory.

ACPA: when it escalates to a lawsuit and money

The UDRP can only move the name. United States law goes further. The Anticybersquatting Consumer Protection Act, enacted in 1999, lets a trademark owner sue in federal court and ask for damages, not just the domain.

The ACPA turns on whether the registrant has a bad faith intent to profit from the mark, and courts weigh a list of factors to decide that. Several of those factors are aimed squarely at flippers: a court looks at the registrant's intent to divert customers from the mark owner's online location and at any offer to transfer, sell, or otherwise assign the domain name to the mark owner or a third party for financial gain without a legitimate use. Read that twice: emailing a brand to offer them "their" name for a price is itself evidence of bad faith. That is the trap clueless flippers walk into.

The money is the part that stings. Under the statute a plaintiff can elect statutory damages of not less than $1,000 and not more than $100,000 per domain name, as the court considers just. Register a handful of brand-adjacent names and the exposure multiplies fast. None of this touches the generic and brandable names that make up a healthy portfolio. It is entirely avoidable by never buying names that ride on someone else's mark.

The flipper's defense: reverse domain name hijacking

The law cuts both ways, and this is the part most beginners do not know. Sometimes the trademark owner is the one acting in bad faith, trying to muscle a legitimate registrant out of a name they have no real claim to. The policy has a name for it. Reverse domain name hijacking occurs where a rightful trademark owner attempts to secure a domain name by making cybersquatting claims against a domain name's "cybersquatter" owner. The UDRP rules define it as the filing of a complaint in bad faith, resulting in the abuse of the UDRP administrative process.

If you registered a generic word years before some company adopted it as a brand, you have a legitimate interest, and a panel can find against the complainant for trying it on. This is exactly why dated, documented acquisition records matter. The cleaner your story — generic name, registered for an obvious non-infringing reason, never used to target anyone — the stronger your defense and the more likely a panel calls out a bully. Keep your WHOIS and purchase records straight; they are your evidence.

Settling the sale without getting scammed

Editorial illustration of a buyer with coins and a seller with a domain tag both routing through a neutral escrow safe that releases funds and the domain simultaneously

Trademark risk is the legal hazard. The transactional hazard is the deal itself. A domain sale is a classic trust standoff: the seller will not transfer before getting paid, and the buyer will not pay before receiving the name. Whoever moves first is exposed, and scammers live in that gap.

The standard fix is escrow — a neutral third party that, per the general definition, receives and disburses money or property for the primary transacting parties, with the disbursement dependent on conditions agreed to. The buyer funds the escrow agent, the seller transfers the domain, the agent confirms the handoff, then releases the money. Neither side has to trust the other, only the agent. We walk the mechanics in domain escrow explained and the escrow glossary entry.

A few scam patterns recur often enough to memorize, and we catalog more in avoiding domain sale scams:

  • Fake escrow sites. A "buyer" insists on an escrow service you have never heard of, with a URL that mimics a real one. The site is theirs; your domain and any fees vanish. Only use escrow services you chose and verified independently.
  • Chargeback and reversal fraud. A buyer pays by a reversible method, you transfer the name, then they claw the payment back. Reputable escrow and irreversible settlement exist precisely to kill this.
  • Overpayment scams. A "buyer" sends too much and asks for the difference back; the original payment later bounces.

The throughline: never release control of a name on a promise. For the seller's full playbook, see how to sell a domain name you own and the broader domain trading overview.

Keeping your portfolio from being stolen

Editorial illustration of a domain tag protected by a closed padlock and shield with an envelope-shaped key, while a red phishing hook is blocked

The last threat does not need your cooperation at all. Domain hijacking is the act of changing the registration of a domain name without the permission of its original registrant. For a flipper, your portfolio is your bank account, and a hijacked premium name can be sold to an innocent third party before you notice it is gone.

Hijackers rarely break cryptography. They go through people and email. The common routes, per Wikipedia, are unauthorized access to, or exploiting a vulnerability in the domain name registrar's system, through social engineering, or simply getting into the domain owner's email account that is associated with the domain name registration. Compromise the email on file and a thief can reset registrar passwords and approve a transfer. How domain hijacking actually happens traces the full kill chain.

The defenses are cheap and worth building into your routine across every registrar you use:

How tokenized ownership changes the risk

Most of the hazards above share a root cause: ownership of a traditional domain is a database row at a registrar, provable only through that registrar's account and email recovery, and transferable only through a multi-step process where each handoff is a chance to be scammed or hijacked. That is the surface attackers and fraudsters work on.

Tokenizing a real ICANN domain narrows that surface. When control is represented on-chain, ownership is auditable rather than taken on trust, and a transfer settles atomically instead of stretching across a window where someone can intervene — with DNS continuity so the name keeps resolving cleanly through the handover. It does not repeal trademark law (a brand-infringing name is still a bad idea on any rail), but it directly attacks the escrow trust gap and the hijacking-via-email problem. That is the gap Namefi is built to close, and we go deeper in how tokenized marketplaces replace escrow.

The short version

Buy generic, descriptive, and invented names; never names that lean on a brand. Know that a UDRP can take a name fast and the ACPA can take money on top. Keep clean records so you can defend a legitimate name, including against reverse hijacking. Close every sale through escrow you chose yourself, and lock down your portfolio so nobody walks off with it. Do that, and the law is a fence that protects your business rather than a trap waiting to spring.

Friendly Disclaimer (Read Me!)

We're not lawyers, accountants, financial advisors, or doctors, and nothing in this article is legal, financial, tax, accounting, medical, or any other flavor of professional advice. We write these posts to educate ourselves and as a convenience for our customers. Info here may be out of date, geography-specific, or just plain wrong. We make mistakes too.

For any important decision, please consult a real professional (seriously!). Or if that's not your vibe, ask a friend, ask Twitter, ask Reddit, ask an AI, or ask a psychic. In short: DOYR - Do Your Own Research. Let's learn and have fun.

Sources and further reading

About the author(s)

Namefi Team
Namefi Team • Namefi
TwitterLinkedIn

Namefi is a collective of engineers, designers, and operators who obsess over building tools that make managing your onchain domain names effortless.

Related guides