In brief. The UDRP is a fast, low-cost administrative path for recovering a domain name from a cybersquatter—roughly six weeks and a few thousand dollars, against the expense and jurisdictional headaches of federal litigation. To win, a complainant must prove three elements: the domain is identical or confusingly similar to a mark in which it has rights; the registrant has no rights or legitimate interests; and the domain was registered and is being used in bad faith. This guide covers provider selection (WIPO and FORUM, the rebranded National Arbitration Forum, lead a field of six accredited providers), complaint drafting under the UDRP Rules, the respondent's defenses, the passive-holding doctrine, reverse domain name hijacking, and when federal litigation under the Anticybersquatting Consumer Protection Act is the better route. Not legal advice.

In 1994, a writer for Wired magazine registered mcdonalds.com—and, for good measure, claimed the email address ronald@mcdonalds.com. The hamburger company had not yet noticed that the open frontier of the internet was busy being homesteaded by people who were not it. That episode, and a thousand like it, gave us a word the dictionary did not have: cybersquatting. Somebody registers a domain that incorporates a brand they do not own, then waits—parking it on pay-per-click ads, dangling it for sale at a markup, or pointing it at a competitor—for the brand owner to come knocking, wallet open.

For most of the 1990s a trademark owner's only recourse was a lawsuit, which was slow, expensive, and frequently useless when the squatter lived three time zones and one extradition treaty away. So in 1999 the Internet Corporation for Assigned Names and Numbers (ICANN), working with the World Intellectual Property Organization (WIPO), built a faster mousetrap: the Uniform Domain-Name Dispute-Resolution Policy. Effective January 1, 2000, the UDRP is baked into the registration agreement for every generic top-level domain. When you click "I agree" to register a domain, you have already consented to this private dispute-resolution regime—no service of process, no subject-matter jurisdiction fight, no answer-and-counterclaim. A trademark owner files a complaint, an expert panel decides it on the papers in about six weeks, and the registrar transfers or cancels the domain. WIPO alone has now administered more than 75,000 cases, including a record 6,282 in 2025.

This guide is the canonical walk-through of that process: how the three elements work, how to choose a provider, how to draft a complaint that wins, what the respondent can throw back at you, and—crucially—when you should walk past the UDRP and file in federal court under the Anticybersquatting Consumer Protection Act (ACPA), 15 U.S.C. § 1125(d) instead.

To keep the doctrine grounded, we follow a hypothetical. Cascade Outfitters is a (fictional) outdoor-gear company that has sold packs and tents under the federally registered mark CASCADE OUTFITTERS for a decade. One morning a customer emails to ask why cascadeoutfitters.com—a domain Cascade never owned—now resolves to a page full of pay-per-click links to competing gear brands. A week later, the registrant emails Cascade directly: the domain can be theirs for $25,000. Cascade wants the domain, not a lawsuit. We will build its case from the ground up. (Cascade Outfitters is a hypothetical; any resemblance to a real company is coincidental.)

The UDRP framework: a private court for a public network

Understand first what the UDRP is and is not. It is an administrative proceeding—often loosely called arbitration, though it lacks the hallmarks of binding commercial arbitration. It is contractual: ICANN requires every accredited registrar to incorporate the UDRP into its registration agreements, so the policy reaches every registrant of a generic top-level domain (gTLD) as a condition of registration. That includes the legacy gTLDs everyone knows—.com, .net, .org, .biz, .info—and the more than 1,200 "new gTLDs" that ICANN has rolled out since 2012, from .shop and .app to .blog and .lawyer. Many country-code top-level domains (ccTLDs) have adopted the UDRP or a close cousin, though a fair number run their own regimes, a distinction we return to below. For a fuller map of the domain-name system itself, see our companion overview of top-level domain names.

The proceeding is decided by a one- or three-member panel of trademark and domain-name specialists drawn from a provider's roster. There is no live hearing, essentially no discovery, and—in the ordinary case—a single round of submissions: complaint, response, decision. That spare procedure is the source of both the UDRP's great virtue (speed and cheapness) and its great limitation (no fact-finding machinery for genuinely contested cases).

Feature What to expect
Year the UDRP took effect January 1, 2000
WIPO cases administered to date 75,000+ (a record 6,282 in 2025)
Typical time from filing to decision ~40–60 days
Complainant success rate ~85% of decided cases
Cost, single-member panel ~$1,300–$1,500 (provider fees)
Cost, three-member panel ~$2,600–$4,000 (provider fees)
Remedies available Transfer or cancellation only—no damages

That roughly 85% complainant win rate is widely cited and widely misread. It is not evidence that panels rubber-stamp complaints. It reflects selection: the clearest cybersquatting cases get filed, while disputes featuring a legitimate competing claim either settle or are never brought, because sophisticated owners and their counsel recognize a losing hand. At WIPO in recent years, a small slice of decided cases are denied and a meaningful share settle before any decision issues. The UDRP is a sorting machine that works best on obvious squatting; feed it a close case and the odds look very different.

The three required elements

Everything in a UDRP case orbits a single sentence—paragraph 4(a) of the Policy. To obtain transfer or cancellation, a complainant must prove all three of the following:

  1. The domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights;
  2. The registrant has no rights or legitimate interests in the domain name; and
  3. The domain name was registered and is being used in bad faith.

The conjunctions matter. The elements are cumulative—fail any one and the complaint fails entirely, no matter how strong the other two. And within the third element the policy says "registered and is being used," not "or," a small word that does enormous work and divides the UDRP from the ACPA, as we will see. The complainant carries the burden of proof on all three, though the practical burden on the second element shifts once a prima facie case is made, because the facts that would establish a legitimate interest lie almost entirely within the registrant's own knowledge.

The single most valuable tool for predicting how a panel will read these elements is the WIPO Jurisprudential Overview of Panel Views on Selected UDRP Questions, now in its third edition (the "WIPO Overview 3.0"). It is not binding precedent—there is no stare decisis in the UDRP—but it distills the consensus and majority views of panelists across tens of thousands of decisions into something close to a restatement. Cite it. Panels do. Drafting a complaint without consulting the Overview is like arguing a Lanham Act case without reading the circuit's pattern jury instructions.

Element one: identical or confusingly similar

The first element has two halves: the complainant must (a) hold rights in a mark, and (b) show the domain is identical or confusingly similar to it.

Rights are easy where there is a registration. A federal trademark registration—the kind covered in our guide to filing a trademark application with the USPTO—is prima facie evidence of rights and is rarely contested at this stage. State and foreign registrations work too. Crucially, the UDRP recognizes unregistered (common-law) rights as well, so long as the complainant proves the mark has become a distinctive identifier associated with its goods or services—secondary meaning, shown through sales volume, advertising spend, length of use, media recognition, and consumer surveys. A complainant relying on common-law rights should expect to do real evidentiary work; bare assertions of use will not carry it. (On how far common-law rights actually reach, see our discussion of the geographic scope of common-law trademark rights.)

One timing wrinkle trips up the unwary: for the first element, the mark need not predate the domain registration. What matters is that the complainant holds rights as of the date the complaint is filed. Timing returns with a vengeance under element three, where the sequence of mark and domain becomes the whole ballgame—but at the threshold, late-acquired rights still satisfy element one.

The similarity comparison is mercifully mechanical. Panels disregard the TLD suffix (.com, .net, .shop) as a functional necessity of the domain-name system; the test is essentially whether the mark is recognizable within the disputed domain. Under that standard, the usual cybersquatter tricks fail:

  • Added generic or descriptive terms. cascadeoutfittersstore.com or buy-cascade-gear.com remains confusingly similar—the mark is plainly recognizable.
  • Typosquatting. Deliberate misspellings designed to catch fat-fingered typists (cascdeoutfitters.com, cascadeoutfiters.com) almost never escape; indeed, the obviousness of the typo often cuts against the registrant on later elements.
  • Geographic or corporate add-ons. cascade-usa.com, cascadeoutfittersinc.com—still similar.
  • Pejoratives. Even cascadesucks.com is generally found confusingly similar for element-one purposes under the prevailing view, because the mark is recognizable; whether such a "gripe site" survives is fought out under elements two and three, not here.

For Cascade, this element is trivial. cascadeoutfitters.com is identical to its registered mark once the .com is stripped. Element one is the rare hurdle that is usually cleared at a walk; denials almost never turn on it.

Element two: no rights or legitimate interests

Now the complainant must prove a negative—that the registrant has no legitimate basis for holding the domain. Because that negative is genuinely hard to prove from the outside, panels apply a burden-shifting framework: the complainant need only make a prima facie showing that the registrant lacks rights or legitimate interests, after which the burden of production shifts to the registrant to come forward with evidence of a legitimate interest. If the registrant defaults or offers nothing credible, the prima facie case stands.

Paragraph 4(c) of the Policy gives the registrant a non-exhaustive menu of ways to demonstrate a legitimate interest:

  • (i) Bona fide offering of goods or services. Use of, or demonstrable preparations to use, the domain in connection with a genuine offering before notice of the dispute. The qualifier is doing the work: a registrant cannot manufacture legitimacy by slapping up a storefront the day after receiving a cease-and-desist letter. (When a registrant receives such a letter, the calculus of how to respond is its own discipline—see our guide to responding to a trademark cease and desist letter.)
  • (ii) Commonly known by the name. An individual or business genuinely known by the domain has an interest in it, even without a trademark registration. A person actually named Mike Ross has a real claim to mikeross.com; a company that has traded as "Cascade" in an unrelated field may have one too.
  • (iii) Legitimate noncommercial or fair use. Use without intent for commercial gain to misleadingly divert consumers or to tarnish the mark. Genuine criticism, commentary, fan, and parody sites can qualify—if they are what they claim to be and not a pretext. A site that purports to criticize a brand but quietly monetizes the traffic with pay-per-click ads is not making fair use; it is cybersquatting in a costume.

To shift the burden persuasively, the complainant should affirmatively establish the negatives within reach: the registrant is not commonly known by the name (cite the WHOIS record), holds no trademark rights of its own, has not been licensed or authorized by the complainant, and is making no bona fide or fair use—buttressed by screenshots of whatever the domain actually resolves to. Cascade can show all of it: the WHOIS registrant is not "Cascade Outfitters," sells nothing under the name, has no relationship with Cascade, and merely parks the domain on auto-generated ad links. Prima facie case made; burden shifted; and the registrant has nothing to shift it back.

Element three: bad-faith registration and use

This is where complaints are won and lost. The third element demands bad faith in both the registration and the use of the domain—two findings, not one. A domain registered in good faith but later used opportunistically does not satisfy the UDRP (it may well satisfy the ACPA, which is one reason the statutes are not interchangeable). Conversely, a domain registered to exploit a mark but never actually deployed can still satisfy the element through the passive-holding doctrine discussed below.

Paragraph 4(b) lists four non-exclusive circumstances that, if found, establish bad-faith registration and use:

  • (i) Registration primarily to sell. Acquiring the domain primarily to sell, rent, or transfer it to the trademark owner or a competitor for more than out-of-pocket costs. Proof: an offer to sell, a ransom demand, or a portfolio of trademark-matching domains held for resale.
  • (ii) Pattern of blocking registrations. Registering the domain to prevent the mark owner from reflecting its mark in a corresponding domain, where the registrant has engaged in a pattern of such conduct. Prior adverse UDRP decisions against the same registrant are the classic evidence.
  • (iii) Disrupting a competitor. Registering primarily to disrupt the business of a competitor.
  • (iv) Confusion for commercial gain. Using the domain to intentionally attract internet users, for commercial gain, by creating a likelihood of confusion with the mark as to source, sponsorship, affiliation, or endorsement. Pay-per-click parking pages, impersonation sites, and phishing all live here.

Panels routinely look beyond the enumerated four to a wider set of bad-faith indicators: use of privacy or proxy services to hide the registrant's identity, supplying false or incomplete WHOIS data, failing to respond to the complaint, registering the domain shortly after the mark gained prominence (or after a merger announcement, a product launch, or a news event made the term valuable), and registering a mark so famous that no plausible good-faith explanation exists—what panels call "opportunistic bad faith." The fame of a mark can itself supply the inference that the registrant knew exactly what it was doing.

Cascade has two independent bad-faith hooks, either of which would likely suffice and which together are formidable. First, the unsolicited $25,000 sale offer dwarfs any conceivable out-of-pocket registration cost—paragraph 4(b)(i) in its purest form. Second, the pay-per-click page steering visitors to competing gear is textbook 4(b)(iv): the registrant is monetizing confusion with Cascade's mark for commercial gain. Either pillar would carry the element; the combination makes the case close to airtight.

The passive-holding doctrine: bad faith without a website

What if the domain just sits there—registered, parked, blank, doing nothing? Early panelists worried that "use in bad faith" required some affirmative act, which would let the savviest squatters insulate themselves by simply not building a site. The landmark decision Telstra Corp. Ltd. v. Nuclear Marshmallows, WIPO Case No. D2000-0003, closed that loophole. The respondent there held the domain inactively, but the panel held that the concept of bad-faith use is not limited to positive action; in the totality of the circumstances, passive holding can itself constitute use in bad faith.

The factors Telstra identified—now codified in the WIPO Overview 3.0—ask whether bad faith is the only sensible inference. They include: the distinctiveness or reputation of the complainant's mark (the more famous, the worse it looks to sit on the domain); the registrant's failure to respond or to offer any evidence of good-faith use; the registrant's concealment of identity behind a privacy service or false WHOIS data; and the implausibility of any good-faith use to which the domain could conceivably be put. Where a famous mark is held inert by an anonymous registrant who cannot articulate a single legitimate purpose, passive holding is bad faith. Telstra is among the most cited UDRP decisions ever rendered, and any complaint involving a dormant domain should invoke it by name.

Selecting a dispute-resolution provider

ICANN accredits a handful of providers to administer UDRP proceedings. As of 2026 the field is:

Provider Base Single-panel fee Three-panel fee
WIPO (World Intellectual Property Organization) Geneva, Switzerland ~$1,500 ~$4,000
FORUM (formerly the National Arbitration Forum, "NAF") Minneapolis, USA ~$1,300 ~$2,600
ADNDRC (Asian Domain Name Dispute Resolution Centre) Hong Kong / Beijing / Seoul / Kuala Lumpur ~$1,300 ~$3,000
CAC (Czech Arbitration Court) Prague, Czech Republic ~€1,300 ~€3,200
ACDR (Arab Center for Domain Name Dispute Resolution) Amman, Jordan ~$1,000 ~$2,500
CIIDRC (Canadian International Internet Dispute Resolution Centre) Vancouver / Ottawa, Canada ~CAD 1,500 ~CAD 4,000

Fees are approximate and change; confirm the current schedule with the provider before filing.

In practice, two providers dominate. WIPO handles the largest caseload and has the deepest published jurisprudence; its panelist roster reads like a who's-who of trademark scholars, and it authors the Overview 3.0 that every serious complainant relies on. For complex, high-value, or internationally tangled disputes, WIPO is the default. FORUM—still widely called "NAF" out of habit, and the provider whose model complaint underlies much of U.S. practice—is the second-largest center, decides on the order of 1,500 cases a year, and is popular with U.S.-based complainants for its efficiency and competitive fees.

Choosing between them is mostly about fit. The substantive policy is identical (it is, after all, uniform), but each provider has its own Supplemental Rules governing format, length, and mechanics—and these differ in ways that matter. WIPO, for instance, imposes a word limit on the complaint's argument (commonly cited at around 5,000 words for the substantive sections), while FORUM uses a page-based limit. Language, the parties' locations, the provider's familiarity with a particular type of dispute, and your own comfort with its procedures all factor in. The cardinal rule: read the chosen provider's Supplemental Rules, the UDRP itself, and the UDRP Rules of Procedure before you draft a word. A complaint that ignores the provider's formatting requirements can be bounced on administrative compliance grounds before a panel ever sees it.

Drafting the complaint

The complaint is your case. There is no hearing to clean it up, no deposition to develop the facts, and in the ordinary proceeding no reply brief. You get one document, the respondent gets one document, and the panel decides. Treat the complaint as the only shot it is.

The UDRP Rules of Procedure, Rule 3, prescribe the required contents. A complete complaint includes: a request that the dispute be decided under the UDRP; the complainant's and any representative's contact information and communication preferences; the panel election (single member, or three members with three named candidate panelists from the provider's list); the respondent's information, matched as closely as possible to the WHOIS record (including placeholders like "Redacted for Privacy" where they appear); the disputed domain(s) and the registrar(s); the trademark(s) relied on and the goods or services they cover; the factual and legal grounds, organized around the three elements; the remedy sought (transfer or cancellation); a statement of any other pending or decided legal proceedings relating to the domain; a mutual-jurisdiction statement; the prescribed certification; and the documentary annexes.

Two of those deserve special attention because they trip up first-timers.

The mutual-jurisdiction statement. The complainant must submit to the jurisdiction of the courts in at least one "mutual jurisdiction"—generally the location of the registrar's principal office or of the registrant's address shown in the WHOIS record—for the limited purpose of any challenge to a transfer order. The complaint must also include the certification that the complainant's claims and remedies concerning the domain are solely against the registrant, waiving claims against the provider, panelists, registrar, and registry (except for deliberate wrongdoing). This is the structural feature that lets a losing respondent run to court within ten business days to freeze a transfer; you are agreeing in advance to be suable there.

Service and the registrar lock—handled by the provider, not by you. Under the Rules as revised in 2015, the complainant does not serve the respondent. You file with the provider; the provider notifies the registrar and serves the respondent (UDRP Rule 2(a)). As part of its compliance review, the provider requests that the registrar lock the domain—and the registrar must do so within two business days of notice, and before giving the registrant any notice of the dispute (UDRP Rule 4). The lock freezes the registration so the respondent cannot transfer the domain to a confederate or let it lapse mid-proceeding (a maneuver once called "cyberflight"). For a FORUM filing, FORUM also serves the registrar. This sequencing—lock first, notify the registrant second—is deliberate, and it is one of the UDRP's quiet strengths over a lawsuit, where a savvy defendant can shuffle a domain offshore between the filing of a complaint and the entry of an injunction.

Drafting strategy, element by element

Match your effort to where the case is actually contested.

Element one should be tight and confident. Attach the trademark registration certificate as an annex (or, for common-law rights, the secondary-meaning evidence—advertising, sales figures, press), do the side-by-side comparison, note that the TLD is disregarded, and explain in a sentence or two why any added terms fail to dispel confusion. Resist the urge to over-argue a point you have already won.

Element two is a methodical checklist. State the prima facie case in plain terms—the registrant is not known by the name, owns no marks, was never licensed, makes no bona fide or fair use—and attach the proof: the WHOIS printout, screenshots of the parked or infringing page, and any correspondence. Then anticipate the legitimate-interest argument the registrant is most likely to make and rebut it preemptively. If the domain is a common dictionary word, say why the registrant's use nonetheless targets your mark rather than the word's ordinary meaning.

Element three earns the bulk of your argument. Lay out the chronology: when did your mark become known, and when was the domain registered? Reach for the inference of knowledge—fame, a recent product launch, a typo of your exact mark. Run the registrant's name through prior UDRP decisions to surface any pattern (a serial squatter is a panel's favorite kind of respondent to rule against). Then prove bad-faith use: the pay-per-click links trading on your mark, the offer to sell above cost, the impersonation or phishing, or—if the domain is inert—the Telstra passive-holding analysis. Cascade's complaint would foreground its two pillars: the $25,000 demand under 4(b)(i) and the competing-gear ad links under 4(b)(iv), each anchored to a dated screenshot.

Evidence checklist

Marshal the proof before you write. A useful organizing principle is to gather evidence by element:

  • Element one (rights): registration certificate(s) and a current status printout from the USPTO's Trademark Search system (note that the USPTO retired the legacy TESS database in favor of the cloud-based Trademark Search); first-use evidence and secondary-meaning proof for any common-law rights; representative marketing materials; sales or revenue figures; media coverage; and screenshots of the mark in genuine use.
  • Element two (no legitimate interest): the WHOIS record; screenshots of whatever the disputed domain resolves to; Wayback Machine snapshots showing historical use (or non-use); evidence that the registrant is not commonly known by the name and has no connection to the mark; and any correspondence.
  • Element three (bad faith): evidence of when the mark became known, set against the domain's registration date; screenshots of pay-per-click, impersonation, or misleading content; any offer to sell or demand for payment; prior UDRP decisions against the registrant; evidence of the registrant's other trademark-matching registrations; and false, incomplete, or proxy-shielded WHOIS data.

A recurring rookie mistake: failing to capture the evidence before it vanishes. Parked pages rotate their ads, sites get taken down, and a registrant who senses a complaint coming will often "clean up" the domain. Screenshot everything—dated, with the URL visible—and pull Wayback Machine archives the day you start the investigation, not the week you file.

The respondent's options and common defenses

The respondent has 20 days from the date the proceeding commences to file a response, with an automatic short extension available on request. A few features of the response phase are worth internalizing.

A default is not an automatic win for the complainant. If the respondent fails to respond, the panel must still find all three elements proven on the record before it—the complainant cannot prevail merely because the other side stayed silent. As a practical matter, though, a default does ease the path: there is no competing evidence, and the unrebutted prima facie case on element two stands. Many of the cleanest cybersquatting cases end in default.

When a respondent does fight, expect some combination of these defenses:

  • Bona fide use predating the dispute. Business plans, development records, customer communications, or an actual operating site that predates any notice—the paragraph 4(c)(i) safe harbor. This is the strongest defense when it is real and the weakest when it is fabricated after the fact.
  • Common name or generic term. Especially potent where the mark is descriptive or the domain is an ordinary dictionary word that the registrant uses for its ordinary meaning. A registrant who built apple-orchard-supply.com to sell, well, apples, is not squatting on a computer company.
  • Fair use or criticism. A genuine gripe or commentary site can defeat the complaint—provided it is not a pretext for pay-per-click revenue and does not create source confusion. Execution is everything; the line between protected criticism and disguised squatting is drawn on the facts.
  • No bad faith. The registrant genuinely did not know of the mark, or the mark was not famous (or did not yet exist) at the time of registration. Because the UDRP requires bad-faith registration, a domain that predates the complainant's rights is frequently fatal to the complaint.
  • Laches and delay. The UDRP has no statute of limitations, and delay alone rarely bars a complaint. But long, unexplained delay coupled with the complainant's apparent acquiescence can undercut the inference of bad faith and bolster the registrant's reliance interest.

Reverse domain name hijacking

The UDRP cuts both ways. Under UDRP Rule 15(e), a panel may declare that a complaint was brought in bad faith—a finding of Reverse Domain Name Hijacking (RDNH)—where the complainant knew, or should have known, that it could not prove one of the required elements and filed anyway. RDNH is the system's check on overreaching brand owners who try to use a cheap administrative proceeding to muscle a legitimate registrant out of a valuable name.

Panels make RDNH findings sparingly, but they do make them, and the stigma is real—the decision is published, with the complainant named as an abuser of the process, and that record can surface in later disputes and in litigation. The recurring fact patterns are instructive. RDNH is found where a complainant tries to capture a generic dictionary word it does not exclusively own; where it tries to wrest a domain from a legitimate business operating under a similar name in good faith; and, most damningly, where the complainant's trademark rights postdate the domain registration, making bad-faith registration logically impossible—yet the complainant files anyway, sometimes hiding the inconvenient dates. The U.S. analogue under the ACPA is a reverse-hijacking claim by a registrant whose domain was seized or suspended through an improper UDRP filing, discussed below.

The lesson is simple and worth repeating: do not overreach. If the domain predates your rights, if the term is generic, or if the registrant has a colorable legitimate use, think hard—and investigate harder—before you file. A losing complaint costs you the filing fee; an RDNH finding costs you your credibility.

UDRP versus the ACPA: choosing your forum

The UDRP is not the only way to fight cybersquatting in the United States. Congress passed the **Anticybersquatting Consumer Protection Act in 1999—the same year the UDRP was born—**creating a federal cause of action codified at 15 U.S.C. § 1125(d). The two regimes overlap but are emphatically not the same, and choosing between them (or running both) is one of the most consequential strategic decisions in a domain dispute.

How an ACPA claim is built

Although courts phrase the elements slightly differently, an ACPA plaintiff must show:

  1. It owns a valid trademark that was distinctive or famous as of the date the challenged domain was registered;
  2. The defendant registered, trafficked in, or used the domain;
  3. The domain is identical or confusingly similar to (or, for famous marks, dilutive of) the plaintiff's mark; and
  4. The defendant acted with a bad-faith intent to profit from the mark.

(See 15 U.S.C. § 1125(d); DaimlerChrysler v. The Net Inc., 388 F.3d 201, 204 (6th Cir. 2004).)

Note the structural differences from the UDRP at a glance. First, the ACPA folds the UDRP's separate "no legitimate interest" inquiry into the broader bad-faith analysis rather than treating it as a standalone element. Second—and this is the crucial divergence—the ACPA requires a bad-faith intent to profit that can arise at any time, including long after a perfectly legitimate registration. The UDRP demands bad faith at registration and in use; the ACPA does not. Courts have accordingly found ACPA liability where an employee registered a domain lawfully for an employer but later weaponized it during a falling-out, or where a registrant flipped a good-faith site into a competing one after the trademark owner expressed interest. (See, e.g., DSPT Int'l v. Nahum, 624 F.3d 1213, 1220 (9th Cir. 2010); Newport News Holdings Corp. v. Virtual City Vision, 650 F.3d 423, 436 (4th Cir. 2011).) A registrant who would escape the UDRP because its registration was innocent may still be on the hook under the ACPA.

The nine bad-faith factors

The ACPA supplies courts with nine non-exhaustive factors for assessing bad-faith intent to profit, listed at 15 U.S.C. § 1125(d)(1)(B)(i). The first four tend to negate bad faith (they look at the legitimacy of the registrant's interest and use); the last five tend to support it:

  1. The defendant's trademark or other intellectual-property rights in the domain name;
  2. The extent to which the domain consists of the defendant's legal name or a name commonly used to identify it;
  3. The defendant's prior bona fide use of the domain in connection with offering goods or services;
  4. The defendant's bona fide noncommercial or fair use of the mark on a site accessible under the domain;
  5. The defendant's intent to divert consumers from the mark owner's site in a way that could harm the mark's goodwill, for commercial gain or to tarnish;
  6. The defendant's offer to sell the domain for financial gain without having used (or intended to use) it in a bona fide offering, or a pattern of such conduct;
  7. The defendant's provision of false or misleading contact information, or a pattern of doing so;
  8. The defendant's registration of multiple domains it knows are identical or confusingly similar to (or dilutive of) others' marks; and
  9. The distinctiveness and fame of the plaintiff's mark.

(See 15 U.S.C. § 1125(d)(1)(B)(i); Lamparello v. Falwell, 420 F.3d 309, 319 (4th Cir. 2005).) There is no formula and no element-counting; courts weigh the relevant factors holistically, and the statute supplies a safe harbor for a defendant who "believed and had reasonable grounds to believe" the use was fair or otherwise lawful—15 U.S.C. § 1125(d)(1)(B)(ii)—a harbor courts construe narrowly to avoid swallowing the rule. (See Rearden LLC v. Rearden Commerce, Inc., 683 F.3d 1190, 1220 (9th Cir. 2012).)

Remedies—and why owners sometimes choose court

Here is the decisive advantage of the ACPA: money. The UDRP's only remedies are transfer or cancellation of the domain. The ACPA offers those and monetary relief. A prevailing plaintiff may recover the defendant's profits and its own actual damages, or—at its election any time before final judgment—statutory damages of between $1,000 and $100,000 per domain name, in the court's discretion (15 U.S.C. § 1117(d)). Courts calibrate the award to the egregiousness of the conduct: serial squatters, false WHOIS data, and willful confusion push toward the ceiling. Attorneys' fees and costs are available in exceptional cases, and a registrant's use of false contact information creates a rebuttable presumption that the violation was willful (15 U.S.C. § 1117(e)).

The ACPA also solves a problem the UDRP cannot: the vanishing defendant. Where the registrant cannot be identified or is beyond the court's personal jurisdiction, the statute authorizes an in rem action against the domain name itself, filed in the judicial district of the registrar or registry (15 U.S.C. § 1125(d)(2)). The trade-off is that in rem actions yield only injunctive relief—forfeiture, cancellation, or transfer of the domain—not damages. Note, too, that registrars and registries are generally not proper defendants and enjoy their own statutory safe harbor for complying with court orders or implementing the UDRP (15 U.S.C. §§ 1114(2)(D)).

Choosing—and the option of running both

The decision tree is not complicated once you know what you want:

Choose the UDRP when the case is clear-cut cybersquatting with no plausible legitimate use—ideally an anonymous registrant, a parked or infringing page, an offer to sell, or a pattern of squatting—and your goal is to recover the domain quickly and cheaply without needing damages, discovery, or a precedent. This describes the large majority of disputes, Cascade's included.

Choose ACPA litigation when you need monetary recovery (especially against a squatter who profited substantially or runs a portfolio), when the defendant is within reach of personal jurisdiction with assets to satisfy a judgment, when the facts are genuinely contested and you need discovery to develop intent, when you want binding precedent, or when the domain sits in a ccTLD that has not adopted the UDRP so that no administrative remedy exists. The ACPA is also the vehicle a losing UDRP complainant uses to try again, and the vehicle a losing UDRP respondent uses to undo a transfer it considers an unjust seizure (a reverse-hijacking posture).

Importantly, the two are not mutually exclusive. A trademark owner can pursue the UDRP and ACPA litigation in parallel, though a panel will often suspend or terminate its proceeding if a court action covering the same domain is filed. Many owners file the UDRP first—cheap, fast, and frequently decisive—and reserve litigation for the rare respondent who fights to court or for the case where damages are the point. For owners whose dispute also implicates a platform hosting the infringing content, the related question of intermediary liability is taken up in our analysis of Section 230 reform and platform liability for user-generated IP infringement.

Special situations

New gTLDs and the URS

Every one of the 1,200-plus new gTLDs—.shop, .app, .blog, .store, and the rest—is subject to the UDRP. Many also offer a streamlined cousin, the Uniform Rapid Suspension System (URS). The URS is faster and cheaper (roughly three weeks, on the order of $375–$500), but it is built for a narrower job. It demands a higher burden of proof—clear and convincing evidence—and, critically, its only remedy is to suspend the domain for the balance of the registration term. It does not transfer the name to you. The URS is therefore the right tool when your goal is to stop an obvious abuse fast (a phishing site impersonating your bank during a fraud campaign), and the wrong tool when your goal is to acquire the domain. For that, you still want the UDRP. The broader strategy of policing your marks across this expanded namespace is the subject of our guide to brand protection online.

Country-code TLDs

Most ccTLDs have adopted the UDRP or a close variant, but not all, and some run their own distinct regimes. The .uk space is administered by Nominet, whose Dispute Resolution Service uses different standards and procedures from the UDRP (notably an "abusive registration" test and a built-in mediation stage). Other registries—.eu, .us, .ca, .de—each have their own policies. The practical instruction is unglamorous but essential: before filing anything, confirm which dispute policy governs the specific TLD, and read it.

GDPR-redacted WHOIS

Since the EU's General Data Protection Regulation took effect in 2018, WHOIS records frequently redact the personal data of registrants, especially those in Europe—so the pre-filing investigation that used to start with a name and address now often starts with "Redacted for Privacy." This complicates due diligence but does not defeat a UDRP complaint. ICANN's Temporary Specification for gTLD Registration Data lets complainants file without full registrant details; once the complaint is filed, the registrar discloses the underlying WHOIS data to the provider, which passes it to the complainant to enable any necessary amendment and to facilitate settlement. In short, redaction delays the unmasking until after filing; it does not prevent recovery. You file against "Redacted for Privacy," learn who that is when the registrar discloses, and amend accordingly.

Practical tips for winning complaints

A handful of habits separate the complaints that win from the ones that limp:

Investigate before you file. Pull the WHOIS, screenshot the live site, archive the historical versions, check the registration date against your mark's timeline, and search the registrant's name across prior UDRP decisions. The goal is to confirm you have a winner before you spend the fee—and to make sure you are not the one about to overreach into an RDNH finding.

Pick the provider deliberately. WIPO's jurisprudential depth for complex, high-value, or international brands; FORUM or another center for the efficient resolution of a straightforward domestic squat.

Capture evidence early and date it. Sites change. The offer email, the parked page, the WHOIS record—preserve them the day you discover the problem, with URLs and timestamps visible, and pull Wayback Machine snapshots before the registrant tidies up.

Be comprehensive but disciplined. Address all three elements completely; do not pad the easy ones or blow the word/page limit on element one when element three is where the fight is.

Anticipate the defense. Identify the registrant's best legitimate-interest or timing argument and answer it in the complaint, before the response forces you to.

Consider a three-member panel for contested cases. The extra cost buys insulation against an outlier single-panelist decision when you expect a serious, well-resourced response. For a clear default-bound squat, a single member is fine.

Do not overreach. It is the through-line of this entire guide. The UDRP rewards the clear cybersquatting case and punishes the speculative land grab. Know which one you have.

After the decision

If the panel orders transfer, the mechanics are gratifyingly automatic—with one built-in pause. The registrar implements the transfer after waiting ten business days to see whether the losing respondent files court proceedings to challenge it. That ten-day window is the UDRP's pressure valve and the reason the policy is not, strictly speaking, final. Either party may go to court: a losing complainant can sue under the ACPA (or the equivalent law abroad), and a losing respondent can file in a mutual jurisdiction within those ten business days to stay the transfer while a court takes a fresh look. If no court action lands in the window, the registrar transfers the domain and the matter is closed.

Court challenges are rare in practice. For complainants, re-litigating under the ACPA costs far more than the fresh UDRP filing they could simply re-attempt, so they rarely appeal a loss. For respondents, the ones who lost a UDRP are disproportionately the squatters with neither the resources nor the defenses to fund a federal lawsuit. The vast majority of UDRP decisions therefore stand, and the domain changes hands a few weeks after it all began.

Conclusion

The UDRP is one of the small triumphs of internet governance: a private, global, expert-decided process that recovers a hijacked brand from a cybersquatter in weeks, for thousands rather than tens of thousands of dollars, without a courthouse in sight. Master the three-element framework—identical or confusingly similar, no rights or legitimate interests, bad-faith registration and use—choose the right provider, and draft a complaint that proves each element with dated, organized evidence and a respectful nod to the WIPO Overview 3.0, and you will win the cases worth winning.

But know the tool's limits. The UDRP delivers a domain, not damages; it decides clean cases, not muddy ones; and it punishes overreach with the published stigma of reverse domain name hijacking. When you need money, discovery, precedent, or a defendant the policy cannot reach, the ACPA's federal cause of action—with its nine bad-faith factors, its statutory damages of up to $100,000 per domain, and its in rem jurisdiction over the domain itself—is the better road, and the two can even run together. For Cascade Outfitters, with an identical domain, a sale demand for $25,000, and a page of competing-gear ads, the UDRP is exactly right: a few weeks from filing to transfer, and cascadeoutfitters.com comes home. The discipline that makes that outcome routine—knowing your rights, documenting your mark, and not asking for more than the facts will bear—is the same discipline that runs through every strong trademark practice. It begins, as so much of brand protection does, with a clean clearance search and a registration that establishes your rights before a squatter ever shows up.

Related articles

Selected authorities

Policy and rules. Uniform Domain-Name Dispute-Resolution Policy (ICANN, eff. Jan. 1, 2000), ¶¶ 4(a), 4(b), 4(c); Rules for UDRP (Rules 2, 3, 4, 5, 15(e)); provider Supplemental Rules (WIPO; FORUM); Uniform Rapid Suspension System (URS); ICANN Temporary Specification for gTLD Registration Data (2018); Anticybersquatting Consumer Protection Act, 15 U.S.C. § 1125(d); remedies and damages, 15 U.S.C. §§ 1116, 1117(d)–(e); registrar/registry safe harbor, 15 U.S.C. § 1114(2)(D).

Decisions and guidance. Telstra Corp. Ltd. v. Nuclear Marshmallows, WIPO Case No. D2000-0003 (passive holding); DaimlerChrysler v. The Net Inc., 388 F.3d 201 (6th Cir. 2004) (ACPA elements); Lamparello v. Falwell, 420 F.3d 309 (4th Cir. 2005) (bad-faith factors; fair use); Rearden LLC v. Rearden Commerce, Inc., 683 F.3d 1190 (9th Cir. 2012) (safe harbor); DSPT Int'l v. Nahum, 624 F.3d 1213 (9th Cir. 2010) and Newport News Holdings Corp. v. Virtual City Vision, 650 F.3d 423 (4th Cir. 2011) (post-registration bad faith); Sporty's Farm L.L.C. v. Sportsman's Market, Inc., 202 F.3d 489 (2d Cir. 2000) (fame); WIPO Jurisprudential Overview of Panel Views on Selected UDRP Questions (3d ed.) ("WIPO Overview 3.0").

Providers and data. WIPO Arbitration and Mediation Center; FORUM (formerly the National Arbitration Forum); ADNDRC; Czech Arbitration Court; Arab Center for Domain Name Dispute Resolution; Canadian International Internet Dispute Resolution Centre; WIPO caseload statistics (record 6,282 cases in 2025). Provider fees, rosters, and statistics change; confirm current figures before relying on them.

This article is for general information and is not legal advice. Domain-name disputes turn on specific facts and the governing policy for the particular TLD; consult qualified counsel before filing.