Domain hijacking poses a severe threat to organizations’ online assets, yet the security practices of domain registrars remain under-evaluated. This study presents the first empirical security audit of the top ten registrars within the .nl top-level domain, combining impact modeling and comparative risk analysis to quantify the potential consequences of domain hijacking. While all examined registrars implement basic protective measures, significant gaps persist in the adoption of advanced security mechanisms such as multi-factor authentication. The findings reveal that the impact of successful domain hijacking can rival that of ransomware attacks, underscoring its substantially underestimated risk. This work provides an evidence-based foundation and a structured evaluation framework to enhance the security of domain name infrastructure.

Domain names are key assets for organisation. They anchor an organisation's online presence and reputation, and serve as linking pin for web services and, e.g., email. Consequently, a malicious takeover of a domain can lead to significant damages. Organisations register domain names through so-called registrars, a type of business that plays a key role in the domain name industry. This implies that registrars play an important part in safeguarding against malicious takeovers of domains. In this paper we empirically study how registrars implement security controls to prevent against such takeovers. We focus on the top 10 most popular registrars for the .nl ccTLD. We present the results of this study in light of a model for the impact of domain takeovers, that analyses the possible consequence of a takeover. We contrast this against the impact of two other well-known threats: ransomware and DDoS attacks. We find that all registrars in our study implement relatively effective security measures, but that they fall short in more advanced security controls, such as the proper implementation of two-factor authentication. We also find that a domain takeover can have significant impact, potentially equalling that of a ransomware attack.