The DOJ’s growing reliance on domain seizures represents a significant shift in enforcement strategy, with recent actions targeting everything from Russian propaganda sites to cryptocurrency exchanges. Boies Schiller Flexner attorneys break down this trend and talk about how companies can protect their digital assets.
In September, the DOJ announced the seizure of 32 internet domains it alleged were used in Russian government-directed influence campaigns, referred to by the DOJ as “Doppelganger.” At the same time, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions designations of a dozen individuals and entities on the same basis. The DOJ stated the seized entities had violated U.S. money laundering and trademark laws and, specifically, had transferred funds intended to violate sanctions under the International Emergency Economic Powers Act (IEEPA).
These domain seizures were not an isolated event, and in recent months, the DOJ has escalated its use of seizure authorities to take control of websites and domains alleged to be involved in criminal activity. The DOJ now appears to be using this authority on a broader basis, including to enforce alleged violations of sanctions designations made under IEEPA.
Domain seizure carries the risk that a company loses control of its website and the value the website creates for the business. When a domain is seized, visitors are redirected to a government domain that typically indicates that the site was seized. Therefore, it is imperative to understand the potential exposure and practical steps that can mitigate the risk of seizure.
Recent DOJ domain seizures
In the Doppelganger case, the DOJ alleged that 32 internet domains were being used by criminal actors at the direction of the Russian government and that the domains were used in violation of U.S. money laundering and criminal trademark laws in order to “covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election.” The DOJ also alleged that criminal actors had illegally copied or used trademarks of legitimate news organizations as part of the scheme and used “cybersquatted” domains. In conjunction with the domain seizures, OFAC announced the designation of 10 individuals and two entities largely for the same conduct, which followed a March 2024 designation of other actors alleged to be involved in the Doppelganger scheme.
A seizure warrant in the case specified how the DOJ was permitted to seize the domains. The issuing court authorized the government to serve the warrant on each “registry or registrar for the top-level domain or for each SUBJECT DOMAIN,” who were in turn ordered to “restrain and lock” each website, which the DOJ would then redirect to a new server and display notice of the warrant and seizure. The warrant also specified each of the domain registries to be seized, all but two of which were located in the U.S. (The remaining two domain registries were located in Palau and Finland, each of which generally cooperates with U.S. law enforcement.)
The warrant was obtained under seal and without notice to any of the users or operators of the domains and was not unsealed and announced until five days later, likely because the DOJ was communicating with the domain registrars while the warrant was still sealed.
It turns out the DOJ was just getting started. A few weeks later, the DOJ announced the seizure of websites associated with three “illicit cryptocurrency exchanges,” specifically, the seizure of “two website domain names used to support the cryptocurrency money laundering exchange ‘Cryptex.net.’” The announcement stated, “our Dutch partners seized the servers hosting PM2BTC and Cryptex. Those servers have been taken offline at various locations around the world, and the Dutch have seized cryptocurrency from those servers worth over $7 million.” The DOJ concurrently announced the indictment of two individuals alleged to be responsible for operating these exchanges, as well as sanctions on associated individuals and entities.
Weeks later on Oct. 3, the DOJ announced the seizure of 41 internet domains alleged to be used by Russian intelligence to commit computer fraud and abuse, adding that “the seized domains were used by hackers belonging to, or criminal proxies working for, the ‘Callisto Group,’ an operational unit within Center 18 of the Russian Federal Security Service (the FSB).” The Callisto Group allegedly “used the seized domains in an ongoing and sophisticated spear-phishing campaign with the goal of gaining unauthorized access to, and steal valuable information from, the computers and email accounts of the U.S. government and other victims.” In conjunction, Microsoft announced the filing of a civil action to seize 66 internet domains also used by some of the identified threat group actors. No. 4-24-71375 (N.D. Cal. Sept. 16, 2024).
The DOJ’s recent use of domain seizure authority has not been limited to the sanctions or the national security context. For example, the DOJ also recently announced the seizure of more than 350 internet domains allegedly used for the importation of parts designed to convert semiautomatic pistols into fully automatic machine guns, which are prohibited under U.S. law.
Potential application & responses
The DOJ’s growing reliance on domain seizures is unmistakable and presents a risk going forward for entities that provide domain-level services and that may be connected to OFAC-sanctioned entities or individuals that rely on domain registries based in the U.S. or jurisdictions likely to cooperate with U.S. law enforcement.
There is a risk that the DOJ may seek to shut down any websites or domains used by any entities or individuals that allegedly violate the recent OFAC designations. Because the DOJ typically obtains domain seizure warrants under seal and without notice, it is unlikely that such entities would have any warning or opportunity to stop a seizure before it occurred. So, what lessons can be drawn from these examples?
First, the DOJ’s seizure authority is not unlimited. To the contrary, it is constrained by statute, and the government cannot simply seize property connected to any potential violation of U.S. law. While not all of the warrants authorizing the above-cited seizures have been unsealed, those that are public have typically relied on the civil forfeiture statute, 18 U.S.C. § 981(a)(1)(A), which permits the seizure of all property “involved in” an alleged violation of the money laundering statute, 18 U.S.C. § 1956(a)(2)(A). The statute encompasses so-called promotional money laundering, where funds are transferred to or from the U.S. “with the intent to promote the carrying on of specified unlawful activity.” International promotional money laundering is a common charge for federal prosecutors because, unlike traditional money laundering, it does not require proof that the funds being transferred are the proceeds of a crime. Instead, the DOJ only needs to show that the funds are being transferred with the intent to promote unlawful activity. While this authority may seem broad, it nonetheless requires a domestic nexus — the transfers must come to or from the U.S. Therefore, due diligence on overseas payments can be a prudent first line of defense to avoid being ensnared in a seizure operation.
Second, the DOJ’s posture so far has leaned heavily into targeting actors unlikely to contest any seizures: alleged foreign intelligence agents, computer hackers and gun traffickers unlikely to see value in retaining experienced counsel to litigate over control of a seized domain. Domain providers or users may consider moving aggressively in response to any such seizures — threatened or actual — in order to test the DOJ’s commitment. As seen above, the DOJ appears to view this authority as a useful disruption tool and thus may show less appetite for defending such seizures in an adversarial proceeding.
Third, the DOJ seems to be moving toward this strategy because a substantial number of domains are registered in the U.S. and thus must comply with DOJ warrants. Using or transitioning to domain registrars that are not located in the U.S., even registrars in jurisdictions which are friendly with the U.S., can present more complicated seizures and may provide an opportunity to challenge any such warrants before they are executed.
Finally, it is notable that the DOJ’s warrant relied on two grounds: promotional money laundering and alleged violations of trademark law. While the DOJ’s money laundering approach is novel, it is unlikely to want to test this theory in a highly public disputed case without more conventional grounding in seizure authorities under well-settled precedent, such as copyright law.