The Sex.com Heist: A Forged Letter That Stole the Internet's Most Valuable Domain
In 1995 a con man named Stephen Cohen stole sex.com from rightful owner Gary Kremen with a single forged letter to Network Solutions. The years-long fight to win it back ended in a $65 million judgment, a fugitive in Mexico, and a landmark ruling that domains are property.

In 1995, the most valuable address on the internet changed hands because of a single sheet of paper.
There was no break-in, no ransom, no exotic exploit. A con man typed a letter, signed it with a name that wasn't his, and faxed it to a domain registrar in Virginia. The registrar read it, believed it, and handed over sex.com — a domain that would go on to generate a reported quarter-billion-dollar business — to a man who had no right to it. The rightful owner found out only after the fact, and then spent the better part of a decade fighting to get it back.
This is the first great domain heist, and it remains the clearest answer to a question every domain owner should ask: what, exactly, stops someone from simply taking my name? In 1995 the answer turned out to be almost nothing.
Welcome to Domain Mayday / 域名浩劫 — deep-dives on the security incidents that shaped how we think about owning a name online. Episode 02: the forged letter that stole sex.com.
What sex.com was worth
In early 1994, entrepreneur Gary Kremen — who also founded Match.com — looked at the brand-new commercial internet and saw the obvious. Court records put the registration date precisely: Gary Kremen registered the domain name sex.com with Network Solutions, Inc. on May 9, 1994. At the time, domains were free, registered by a quick email, and almost nobody understood what they would be worth. The Ninth Circuit later opened its opinion in the case with the joke that hung over the whole saga: "Sex on the Internet?" they all said. "That'll never make any money."
It made money. After the domain was stolen, the thief turned it into a machine: an advertising-heavy site that received up to 25 million hits a day, reportedly making $50,000 to $500,000 per month from click-throughs and other advertising. By some accounts the stolen domain became the foundation of a $250,000,000 business during the years he had illicit control of the sex.com domain name. This was a domain that, in the words of one industry observer, by some accounts could be worth more than any domain name sold to date.
A name that valuable, sitting behind 1990s registrar security, was a treasure chest with a paper lock.
The theft: one forged letter

The man who picked that lock was Stephen Michael Cohen, and he was no first-time offender. The Ninth Circuit and Wikipedia both note he came to sex.com fresh out of prison: he had recently completed a prison sentence after being convicted of fraud. He looked at sex.com and saw exactly what Kremen saw — a fortune — and he decided to take it.
The mechanism was almost insultingly simple. Cohen hoodwinked Network Solutions with a phony letter from a non-existent executive at Kremen's company, Online Classifieds, authorizing transfer of Sex.com to Cohen. Put plainly by the same source, Cohen stole Gary Kremen's domain name, sex.com, simply by submitting a fake transfer letter to domain registrar Network Solutions with a forged signature.
On October 18, 1995, Network Solutions transferred, without permission, the domain to Stephen M. Cohen, a man who, in Wikipedia's words, had been trying to gain control of the domain for some time by misrepresentation, using phone calls, e-mails and forged letters. The most valuable name on the internet had a new "owner," and the real one didn't even know.
The forged "Dimmick letter"

The forgery itself is worth pausing on, because it was not a masterpiece. It was a fax, and a sloppy one.
According to the district court record, in a letter dated October 15, 1995, Sharon Dimmick, purportedly on behalf of Online Classified, informed Stephen Cohen that Online Classified had "decided to abandon the domain name sex.com." The letter's writer had a real problem to solve: how does a company "abandon" a domain so a stranger can grab it? Cohen's answer, quoted in the appellate opinion, was to have the letter explain: "Because we do not have a direct connection to the internet, we request that you notify the internet registration on our behalf, to delete our domain name sex.com." A company in the business of running websites, claiming it had no way to reach the internet — and Network Solutions never blinked.
The "Sharon Dimmick" whose name was on the letter was real, but she had nothing to do with abandoning anything. As The Globe and Mail reported, Network Solutions received a letter in late 1995 apparently signed by Sharyn Dimmick, then a roommate of Mr. Kremen's. Cohen had borrowed the name of Kremen's housemate to impersonate Kremen's own company.
And he got the name wrong. As one case summary records flatly, Cohen misspelled Dimmick's signature on the forged letter. The journalist who later wrote a book on the case was even more withering, describing the document as one where the person who is supposed to have sent it couldn't spell her own name; the letterhead looks like it was made on a John Bull home printing press by an illiterate kindergarten pupil.
That is the detail that makes this story sting. The lock that protected the internet's most valuable domain was so weak that it could be picked by a forgery whose own "author" couldn't spell her name — and the registrar took it at face value and ceded control.
The years-long fight to get it back
Getting sex.com stolen took one letter. Getting it back took years of litigation, and Kremen had to fight on two fronts at once: against Cohen, and against the registrar that gave his domain away.
Against Cohen, the facts were damning, and Cohen knew it. He responded the way con men do — by manufacturing more paper. He forged documents to show that he'd always owned the domain and had a trademark on sex.com, building a fictional history to defend the theft. The court was not fooled. Judge James Ware ruled the transfer void: the district court ruled that Cohen had committed fraud, and declared his ownership of sex.com void because he had acquired the domain name via a fraudulent letter. The MoreLaw verdict record states the result simply — judgment in favor of plaintiff with an order the sex.com be returned to plaintiff. Kremen, whom the judge ruled to be sex.com's true owner, finally had his name back.
The harder fight was against Network Solutions, and it is the part that mattered for everyone else. Kremen argued the registrar should be liable for converting his property — for giving it away. Network Solutions argued a domain wasn't "property" at all, just a service it provided, and a lower court initially agreed. On appeal, Judge Kozinski disagreed and put domains squarely inside property law: Kremen's domain name is protected by California conversion law. His analogy cut to the bone — handing a domain to the wrong person on a forged letter, he wrote, is no different from holding a corporation liable when it gives away someone's shares under the same circumstances. The case settled afterward, but the principle stuck: a domain name is property you can own, and lose, and sue over.
The $65 million judgment — and Cohen's flight
The number attached to the theft was enormous for its time. The court found Cohen liable for fraud and forgery to the sum of $40 million in compensation for lost profits and $25 million in punitive damages — a total the Ninth Circuit summarized as a judgment where the court awarded $40 million in compensatory damages and another $25 million in punitive damages. The Register put the endpoint cleanly: the battle finally ended in April 2001, when Kremen was handed back the domain and awarded $65 million.
Collecting it was another matter. Cohen had no intention of paying. He ignored the order and wired large sums of money to offshore accounts, prompting the judge to, in the opinion's own words, take off the gloves: he declared Cohen a fugitive from justice, signed an arrest warrant and sent the U.S. Marshals after him. By then Cohen was gone. When an arrest warrant was issued, Cohen fled to Mexico, becoming what The Globe and Mail called the Internet's first domain-name fugitive, sought by police in the United States and Mexico. He declared personal bankruptcy and absconded to Mexico, where he eluded capture for several years until being deported by Mexican authorities for immigration violations in 2005.
Kremen won the domain and the judgment. He never came close to collecting the full $65 million. The lesson there is grim but important: a verdict on paper is only as good as your ability to enforce it against someone willing to run.
How registrars let this happen in the 1990s
It is tempting to read this as one negligent registrar, one freak event. It wasn't. It was the predictable result of how domain ownership actually worked in 1995.
In that era, the "proof" that you owned a domain was a record in a registrar's database and an administrative contact — and the way you changed it was by asking, usually with a letter or a fax. There was no cryptographic signature, no two-factor confirmation, no automated notice to the existing owner before a transfer went through. The system ran on trust and on the assumption that nobody would simply lie. Network Solutions, faced with Cohen's letter, made no effort to contact Kremen and, as Wikipedia summarizes, took Cohen's fraudulent letter at face value, and did no due diligence to find errors in Cohen's reasoning or to contact Kremen to verify that he had abandoned the domain name.
Two structural failures stack on top of each other here:
- Authorization by impersonation. The registrar authenticated a document, not a person. Anyone who could produce a plausible-looking letter on the right "company" could move a domain. Identity was a costume.
- No notice to the real owner. The one control that would have stopped this cold — telling Kremen "someone is trying to transfer your domain" before acting — simply didn't exist. The victim was the last to know.
Those are not Cohen's failures. Those are the failures of a system that treated the world's most valuable names like library cards.
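The two missing controls listed above, modeled as an added example (not code from the original article or from any registrar): a registry where a letter alone moves a name, beside one where the letter only opens a request that the contact already on record must confirm. The class, method names and sample addresses are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Registry:
    owners: dict = field(default_factory=dict)    # domain -> contact on record
    pending: dict = field(default_factory=dict)   # domain -> (new_owner, token)
    outbox: list = field(default_factory=list)    # notices sent to owners of record
    audit: list = field(default_factory=list)     # every decision, for later review

    def transfer_face_value(self, domain, new_owner, letter):
        # 1995-style process: a plausible document is the only "credential".
        self.owners[domain] = new_owner
        self.audit.append(("transferred-on-letter", domain, new_owner))
        return True

    def request_transfer(self, domain, new_owner, letter):
        # The letter only opens a request; it authorizes nothing by itself.
        token = secrets.token_urlsafe(16)
        self.pending[domain] = (new_owner, token)
        # Notice goes to the contact already on record, never to an address
        # supplied in the request itself.
        self.outbox.append((self.owners[domain], domain, new_owner, token))
        self.audit.append(("notice-sent", domain, new_owner))

    def confirm_transfer(self, domain, token):
        new_owner, expected = self.pending.get(domain, (None, ""))
        if new_owner is None or not hmac.compare_digest(token, expected):
            self.audit.append(("confirm-rejected", domain, new_owner))
            return False
        del self.pending[domain]
        self.owners[domain] = new_owner
        self.audit.append(("transferred-confirmed", domain, new_owner))
        return True

def demo():
    # Constructed sample data; names are placeholders, not from the case record.
    letter = "We have decided to abandon example.test. Please delete it."
    weak = Registry(owners={"example.test": "owner@example.test"})
    weak.transfer_face_value("example.test", "requester@example.net", letter)

    strong = Registry(owners={"example.test": "owner@example.test"})
    strong.request_transfer("example.test", "requester@example.net", letter)
    guessed = strong.confirm_transfer("example.test", "guessed-token")
    notified = strong.outbox[0][0]
    return weak.owners["example.test"], strong.owners["example.test"], guessed, notified
```

In the second registry the name stays with the owner of record, and the owner is the first party to hear about the request rather than the last.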
What this teaches about domain ownership
The sex.com heist is thirty years old, but its lessons are evergreen because the underlying architecture of domain ownership has changed less than you'd think.
- Your domain is property — and property gets stolen. The most enduring legacy of Kremen v. Cohen is the ruling that a domain is property protected by conversion law. That is good news (you have rights) and a warning (something with value and an owner is something worth stealing).
- The weakest link is the transfer process, not the password. Cohen never guessed a password. He attacked the administrative path — the human process for changing who owns a name. Most domain hijackings still target that seam: registrar support, transfer authorizations, contact-record changes.
- Paper trust is not security. "It looked official" is how the most valuable domain on earth walked out the door. A signature, a letterhead, a plausible story — none of these prove anything about who is actually authorized.
- Notice and verification are non-negotiable. The single control that would have prevented the entire heist was confirming the request with the real owner before acting. Any system that can move your domain without provably involving you is a system that can lose your domain.
- A judgment is not recovery. Kremen won $65 million and recovered far less. Prevention beats litigation every time, because you cannot sue your way back to a domain a fugitive has already monetized and a court cannot find.
The Namefi angle

Strip away the Mexico flight and the porn-empire revenue, and the sex.com heist is a story about one thing: there was no tamper-resistant, owner-controlled record of who owned the name. Ownership lived in a private database, and it could be rewritten by anyone who could fool the clerk with a forged letter signed by a misspelled name.
Namefi starts from the opposite premise. When a domain is tokenized, ownership is anchored to cryptographic keys you control, and every transfer is an on-chain action that is authorized, visible, and auditable — not a fax someone "takes at face value." There is no clerk to deceive, no administrative back channel where a convincing letter outranks the real owner, and no silent transfer the owner finds out about months later. Control is provable, transfers are owner-signed, and the audit trail is public by construction — all while staying compatible with the DNS the rest of the internet relies on.
Cohen's forged letter worked because the only thing standing between him and sex.com was someone else's willingness to believe a piece of paper. The point of verifiable, tamper-resistant ownership is to make that attack impossible to even attempt: you cannot impersonate a private key the way you can impersonate a signature. The most valuable lesson of the internet's first great domain theft is that who owns this name should be a fact you can prove — not a story a stranger can tell.
Sources and further reading
- Wikipedia — Sex.com
- Wikipedia — Kremen v. Cohen
- U.S. Court of Appeals, Ninth Circuit — Kremen v. Cohen / Online Classifieds v. Network Solutions, 325 F.3d 1035 (full opinion, PDF)
- MoreLaw — Gary Kremen v. Stephen Michael Cohen, et al. (case record)
- CircleID — Domain Name Theft, Fraud And Regulations
- The Globe and Mail — The fugitive, the Cupid and sex.com
- The Register — Sex.com: read it if you dare (review of Kieren McCarthy's book)
- Studicata — Kremen v. Cohen — Case Brief Summary
- Kieren McCarthy — The lowdown on the Sex.com case
- CircleID — Book Review: Sex.com by Kieren McCarthy