28 February 2023

Which legal actions to carry out in case of cybersquatting of web3 domains?

Romain Chilly

In its last Digital Defense Report, Microsoft considers that the risks associated with the cybersquatting of web3 domain names “are an emerging threat outside of regulation” and in the absence of governance by a centralized authority.

What is a decentralized domain?

Blockchain Naming Services (BNS) are protocols that can replace blockchain addresses, which consist of a random alphanumeric sequence that is not easily legible by a chosen username. These names can also be used for website addresses and constitute the web3 equivalent of a website address.

The best known BNS protocol is the Ethereum Name Service (ENS), based on Ethereum, but there are many others such as Unstoppable Domains, PeerName, Diode, Solana name service, etc. Domain names can be resold as NFTs, which are sold on marketplaces and mainly on Opensea which represents 97% of ENS domain sales.

Unlike traditional domain names, which are purchased through a registrar operating a DNS (Domain Name Service) system regulated by ICANN (Internet Corporation for Assigned Names and Numbers), web3 domains are not governed by any centralized organization, which limits the possibilities of reporting, suspension and forced transfer in case of infringement, particularly cybersquatting.

Which legal qualifications to cybersquatting of web3 domain names?

Cybersquatting is commonly defined as the practice of deliberately registering a domain name corresponding to the name of a company or one of its brands, in order to benefit from the traffic that spontaneously builds up around it. This widespread practice can be sanctioned on several grounds.

The choice of domain name, whether centralized or decentralized, must respect pre-existing rights. The use of a trademark in a domain name without the authorization of the right holder may constitute an infringement justifying the transfer of the domain name. The courts had the opportunity to rule on this subject on several occasions, considering for example in a judgment relating to the company Red Bull that “the registration of the domain name constitutes an infringement of the renowned Community wordmark Red Bull” justifying the forced transfer of this domain name to the mark.

The reservation and use of a domain name reproducing a trademark may also constitute an act of parasitism, unfair competition or fall under the criminal offenses of deceptive commercial practices and identity theft.


Cybersquatting of web3 domain names: How to proceed ?

Several methods can be considered in order to limit the damage caused by the cybersquatting of a decentralized domain name. However, practical difficulties make it difficult to envisage the forced transfer of the decentralized domain name to the right holder.

⛓️ Challenges related to decentralization

  • Incompetence of centralized organizations 

For common web2 domains, centralized registration agencies (i.e., Afnic and ICANN) provides dispute resolution policies to rights holders (procedures to waive anonymity, domain name recovery, out-of-court proceedings).

However, web3 domain names are founded on decentralization, they are granted to the registrant through a non-fungible token distributed on the blockchain so that it is technically not possible for a centralized organization to withdraw the allocated domain name and transfer it to a legitimate right holder.

  • Practical difficulties of committing the responsibility of the protocol

As Ethereum Name Service (ENS), a large part of the Blockchain Naming Services protocols are organized by decentralized entities, most often as DAOs (decentralized autonomous organizations). However, these entities are not always formalized around a legal entity and it can be quite difficult to establish their founders.

In theory, the lack of legal entity does not prevent the founders or developers from being held liable, especially through recourse to the theory of de facto partnership if the participants act towards third parties as partners. If this requalification would then make it possible to seek the liability of the partners for the infringements committed by the protocol, in particular for the granting of infringing domain names, in reality, these steps are complex and affected by a significant hazard.

🔍 Responsibility of the domain registrant

The reservation of a web3 domain in order to obtain a profit to the detriment of a trademark holder may justify the liability of the reserving party.

In case of infringement or parasitism, it is possible to engage the liability of the creator of the NFT and the registrant of the decentralized domain, as long as his identity is known.

However, it can also be complicated to identify the individual or legal entity reserving the decentralized domain name, as only a blockchain address is required to acquire a blockchain domain name and sell it without having to provide identity and contact information.

As a consequence, only an investigation by the right holder or by the authorities as part of a civil or criminal proceeding could permit the identification of the registrant. For that purpose, it is necessary to use blockchain forensic analysis by tracing the transactions coming from the registrant wallet of the disputed domain name to a centralized crypto-currency exchange platform in order to obtain from this platform the identity of the customer who has undergone a Know Your Customer procedure.

However, this is a highly technical process that requires the intervention of a professional in blockchain forensics and the result cannot be guaranteed.

Once the person has been identified, it is quite easy to engage his responsibility. This was illustrated very recently in the “Metabirkin” case, where a crypto-artist who put on sale NFTs representing the Hermès “Birkin” handbag model was convicted of counterfeiting by a New York court.

📮 Platform liability

Digital intermediaries such as hosts, publishers and providers of online sharing services must participate in the anti-counterfeiting fight and illicit content, including when the illicit media is materialized by a NFT.

Two axes of liability can be considered according to the active or passive role of the platform in the selling process of their customers.

  • Responsibility of the publisher

Publishers are the platforms that play an active role in the transaction process, by providing means for optimizing sales, helping to describe items, assisting sellers or spontaneously sending messages to buyers to encourage them to buy. As part of this active role, publishers are presumed to have knowledge of the illegal content found on their platforms and are therefore responsible for it.

In practice, NFT sales platforms such as Opensea take between 0% and 10% commission on each transaction made. Moreover, they often organize and provide the means to carry out auctions and transmit the auction to the holder.

As such, these platforms could be considered as having an active role in the provision of their service and it cannot be excluded that they could be held liable as a publisher.

  • Responsibility of the host 

Unlike publishers, hosts have a passive role in the management of their platform and are therefore not subject to a general obligation to monitor published content. However, hosts must act promptly to delist illegal content that is notified to them.

The right holder may request, through a notification, that the host platform promptly remove the disputed content.

The notification must precisely identify the litigious content and provide all “relevant and necessary” information, including proof of ownership of the rights.

The provisions of the French law on confidence in the digital economy (LCEN) also stipulate that the platform must keep data “that can be used to identify anyone who has contributed to the creation of the content or any of the content of the services they provide“. Thus, the right holder may request the platform to provide the data it possesses, which is nevertheless very limited, as the connecting mode to NFTs selling platforms is generally anonymized.

If the platform refuses to remove the infringing content, it could be held liable.

For example, Hermès requested and obtained the cease of sales of “Metabirkin” NFTs in the metaverse, on the OpenSea platform. However, delisting on one platform is not valid on another platform, which is why Mason Rothschild had continued to issue and sell MetaBirkin NFTs on Rarible.

  • Territoriality rules 

The majority of online content platforms are operated by foreign companies. However, in the case of infringement, the right holder may apply French law in the event of a dispute by means of the “accessibility” criterion established by the Court of Cassation in the Pinckney v. Mediatech case, according to which “the accessibility, within the jurisdiction of the court seized, of a website alleged to be infringing, is such as to justify the jurisdiction of that court, taken as that of the place where the alleged damage was incurred“.


ORWL Avocats is at your disposal to discuss this matter and to assist you in implementing remedial measures and developing an appropriate litigation strategy.

Article written with the collaboration of Ségolène Kervazo and Louisa Auscher, lawyers.

Digital Defense Report par Microsoft


Our latest posts
Le guide ORWL sur la communication des PSAN
8 January 2024
The ORWL Guide on the Communication of Crypto Asset Services
Mémorandum ORWL sur les contrôles LCB-FT des PSAN
14 December 2023
Copie de [Report] GEDI regulation: new rules for Web3 gaming
14 December 2023
[Report] GEDI regulation: new rules for Web3 gaming