The company behind the MetaMask cryptocurrency wallet, Consensys Software Inc., filed a UDRP against the MetaMask.com domain name. The UDRP was filed at the World Intellectual Property Organization (WIPO), and it is WIPO Case D2021-3337. The decision was published today, and the sole panelist (Adam Taylor) ruled in favor of the domain registrant.
The popular MetaMask cryptocurrency wallet operates on the MetaMask.io domain name. With an abundance of scams and schemes, it is pretty obvious why Consensys Software would want to control the MetaMask.com domain name. In the factual background section of the decision, an alleged contact by the domain registrant was cited and the registrant denied he was the person who initiated contact:
“On July 20, 2021, a person using the name Alex Schleifer contacted the Complainant via its customer service channel and stated: “Hi. I own the Metamask.com domain name. I wasn’t actively looking to sell it but just received an offer from someone. Thought I’d reach out to you before I committed to selling it. I’ll hold off on selling it for a week or so. Please forward to the appropriate person.” In response to an email from the Complainant enquiring about the asking price, Mr Schleifer replied on July 23, 2021, stating: “I’ve received another interesting offer and wanted to make sure to ask you folks first. We’ve owned this domain for years and there has a been a fair amount of interest lately. He went on to moot a price of ‘6-7 figures’”.
On October 5, 2021, the Complainant emailed Alex Schleifer (to a different email address from the one it used previously) informing him that it appeared that someone had used his identity to try to sell it a domain name relating to one of its brands and claiming that that person had engaged in phishing and fraud campaign after the Complainant declined to buy the disputed domain name. The Complainant asked that, for the purposes of its proposed domain name dispute complaint, Mr Schleifer confirm that he was not the person who approached the Complainant to sell the disputed domain name to the Complainant and that he did not otherwise own the disputed domain name.
Mr Schleifer’s attorney emailed a response on October 6, 2021, stating that Mr Schleifer did in fact own the disputed domain name and insisting that Mr Schleifer had not been involved in a phishing scheme. The attorney stated that his client took the claims seriously and asked for a call to discuss the situation. The Complainant did not respond.”
It’s been on the back of my mind that someone could really harm a domain investor by emailing a company about selling a domain name the investor owns while impersonating the investor. There would be nothing to gain for a third party to do this, but it is not something that would surprise me to see. Given the findings in this UDRP, I think it would serve as a good reference point for a future UDRP proceeding should something like this happen to someone else.
Whois records show that the MetaMask.com domain name was created in January of 2005. When I went to visit MetaMask.com today, the domain name did not resolve to any website. In its defense, the domain registrant cited the fact that it registered the domain name before the complainant existed as a means to prove that it was not possible to have registered the domain name in bad faith:
“Furthermore, the Complainant must prove both registration and use in bad faith. Even if the Complainant has rights in the term “Metamask”, the Respondent’s registration of the disputed domain name predates such use by a decade. The Respondent could not have been aware of the existence of the Complainant when it registered the disputed domain name and could not have acquired the disputed domain name for the purpose of sale to the Complainant.”
The panelist, Adam Taylor, agreed with this and ruled in favor of the domain registrant:
“As the Complainant and its rights did not exist in 2005, the disputed domain name could not have been registered in bad faith. This is fatal to the Complainant’s case, irrespective of the nature of any later use1 of the disputed domain name, as the Complainant is required to prove both registration and use in bad faith.”
In addition, the panelist ruled that this was a case of Reverse Domain Name Hijacking (RDNH). Here’s why Mr. Taylor ruled the RDNH finding was warranted:
“First, the Complainant has failed by a large margin. In the Panel’s opinion, the Complainant knew or at least should have known that it could not prove one of the essential UDRP elements. The Complainant quoted extensively from UDRP case law and the Panel thinks it unlikely that the Complainant was unaware of the current overwhelming view of UDRP panellists as to the need to prove registration as well as use in bad faith. Indeed, the discussion of the third element in the Complaint is simply headed: “The domain name is being used in bad faith”, i.e., omitting the requirement for registration in bad faith.
Second, the Complaint lacks candour in that it makes no mention of either (a) the Complainant’s email to Mr Schleifer of October 5, 2021, stating that someone had apparently adopted Mr Schleifer’s identity to try and sell the disputed domain name to the Complainant and had thereafter used the disputed domain name for phishing/fraud or, more importantly, (b) the October 6, 2021, response from Mr Schleifer’s attorney confirming that Mr Schleifer did own the disputed domain name (and denying his involvement in phishing/fraud). Even if, despite this email, the Complainant still somehow harboured doubts about the identity of the person who approached it to sell the disputed domain name, and notwithstanding that ultimately nothing turned on this issue given the lack of registration in bad faith, the Complainant ought not to have relied on the alleged use of a fake identity without at least mentioning the denial by the attorney for the very person whose identity was allegedly faked.”
“someone could really harm a domain investor by emailing a company about selling a domain name the investor owns while impersonating the investor”:
Nothing says the actual company, wanting the targeted domain, couldn’t itself engage in this. I’m not saying this is what happened here, but it is possible.
I would assume anyone serious would email from xxx@THEactualDOMAIN.tld
Pretty difficult for anyone else to impersonate this (if the domain is a little correctly configured!), and quite obvious the person claiming to control the domain is indeed controlling it.
NOTE:
What isn’t clear here (I didn’t look further) is: Was the MMdotCOM domain involved in the alleged “phishing and fraud campaign”? I guess MM didn’t have clear proof of this (if it did really happen), or this should constitute the “bad faith” argument (and it would be difficult for the .com name owner to argue he had nothing to do with it)
NOTE2: Well, this is addressed in the last quote… In any case, for this matter, USE in bad faith isn’t enough. It also had to be REGISTERED in bad faith, which it clearly wasn’t.