We've all asked if they could first of all suspend the domain so that the active phishing site (yes, it's insanely enough still active, visit with caution) would be stopped. And the domain should be returned, as per regulation that Namecheap has agreed to with ICANN/registry.
Njalla has even contacted @DonutsInc that operates the TLD .fail in order to actually get the site shut down and the domain returned. Hopefully this will amount to enough pressure to make @Namecheap actually rectify the situation.
(Personally I even contacted The @NamecheapCEO who has still not returned my e-mails.)
Now, here's the kicker. Today we got informed that @Namecheap doesn't agree that the court order is fake! Even though the domain listed on the court order is registered through them, the web redirect is hosted with them, and the incoming email is hosted by them.
So even though @Namecheap has all the evidence needed to stop not only one but two ongoing phishing attacks (the domain hijacked plus the domain used to do it) hosted by them, they refuse.
The past days have not been great for Tucows nor the people working with them. It was a human error, and unfortunately out of the hands of Njalla (& hover). If the court order would have ended up with Njalla, I'm 110% certain it would not have happened.
I've seen a few people very upset with Njalla for "shitty security". The way that domain names work (with this hierarchy) it's near impossible to optimise this flow. Believe me; I'm trying. I left @njal_la (I'm on the advisory team still) to work on a new registrar!
So if ICANN had not refused me - afraid that I would not follow their regulation - we would not have ended up in a situation where a domain was phished because of low opsec by one ICANN accredited registrar, and then not returned because another is breaking ICANN regulation.
Some of the privacy sensitive domains that used Njalla decided to move. All respect to that. Some have moved to other Tucows-partners (...) and some of them moved to, you guessed it, @Namecheap. Oh do I wish I would have had an alternative for them for .fail domains.
Now, the phishing attack is still ongoing, and if enough people would push @Namecheap and their @NamecheapCEO on social media, maybe they will help @DarkDotFail out and get their domain back. Thanks.

8:26 PM · May 3, 2021

BONUS 1: The court order PDF has no metadata. It's written in German with correct spelling, the person processing it at Tucows speaks German.
BONUS 2: The domains transferred to @Namecheap use their privacy service -- would say uncommon for a court to do.
BONUS 3: If @Namecheap is claiming the court order is correct, they must believe that the German court has themselves put up a phishing site.
BONUS 4: The domain transferred to @EpikDotCom listed NRW as the region of the registered name holder in the whois data. Most likely the account created there was registered to match the transfer in? Maybe you can update us Epik?
BONUS 5: The domain that was with @hover seems to also be stuck with @Namecheap.
BONUS 6: The court order makes me believe that the attacker is _very_ well versed in how these court orders usually look, and has directed it extremely well within Tucows. It's not someone without insight.
Resolved! @Namecheap finally agreed to return the domain, after a lot of pressure from many angles. Many thanks for all the support here, and now we're going into analysis and debriefing.