A recent case in Malta has brought renewed attention to an increasingly sophisticated form of cybercrime: domain hijacking.
Last week, 24-year-old Martin Laurent was handed a suspended sentence and a €10,000 fine after admitting to stealing a website domain from a Maltese company and attempting to sell it for €70,000.
The court heard that Mr Laurent had transferred ownership rights using two fake email addresses before putting the domain up for sale. Police traced him to a Gżira flat through his IP address and discovered several phones, laptops, a Flipper Zero hacking device, and a computer tower so heavy that “two burly police officers” were needed to carry it into the courtroom.
To understand the growing risks, MaltaCEOs.mt spoke to cybersecurity specialist Keith Cutajar, founder of CY4 and one of Malta’s leading digital forensic investigators. Through CY4’s accredited laboratory, he routinely works with the Law Courts and private sector on complex cybercrime cases.
A shift from vandalism to high-value financial targeting
Mr Cutajar explained that domain theft, sometimes referred to as domain hijacking, has historically been less visible in Malta compared to ransomware or phishing. However, this is changing rapidly.
“While domain theft has historically been less visible than ransomware or phishing in Malta, we are observing a shift towards high-value targets,” he said. What used to be motivated by vandalism is now about profit. As more Maltese businesses digitise, their online brand presence becomes a valuable asset for extortion or resale.
Mr Cutajar added that social engineering attacks – where an attacker manipulates people rather than exploiting code – are becoming more frequent. Criminals increasingly rely on impersonation rather than technical exploits.
How attackers gain control
According to Mr Cutajar, the vulnerabilities exploited in these attacks rarely stem from technical flaws.
“In cases involving ‘fake email addresses,’ the vulnerability is rarely a technical glitch in the system; it is almost always process failure and human error,” he noted.
The most common weaknesses include:
– Identity impersonation, such as registering email addresses that look nearly identical to legitimate ones, tricking registrars into approving transfers.
– Lack of multi-factor authentication, where accounts are protected only by a password, often reused or weak.
– Dormant administration portals, where businesses purchase a domain and rarely revisit its management settings, leaving changes unnoticed.
These shortcomings make it possible for attackers to initiate transfers unnoticed until it is too late.
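A registrar-side check for the first weakness, as an added example that is not from Mr Cutajar or CY4: it compares the address requesting a transfer with the contact on file and flags near-identical lookalikes. The confusable map, the distance threshold and all addresses are constructed assumptions.

```python
import unicodedata

# Constructed subset of look-alike substitutions; a real deployment would
# use a full confusables table (assumption, not from the article).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}  # Cyrillic a, e, o


def skeleton(addr: str) -> str:
    """Fold an address to a form in which look-alike characters collapse."""
    s = unicodedata.normalize("NFKC", addr.strip()).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_requester(requester: str, on_file: str, max_dist: int = 2) -> str:
    """Return 'match', 'lookalike' or 'different' for a transfer request."""
    if requester.strip().lower() == on_file.strip().lower():
        # Same address as the record; identity still needs out-of-band checks.
        return "match"
    r, f = skeleton(requester), skeleton(on_file)
    if r == f or edit_distance(r, f) <= max_dist:
        return "lookalike"  # hold the transfer and escalate to manual review
    return "different"
```

A "lookalike" result is the case the article describes: the request should be held for manual identity verification rather than approved on the strength of an email reply.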
What operators should be doing
Mr Cutajar believes that registrars and service providers must strengthen their verification processes.
“Reputable registrars and service providers must move beyond simple email verification,” he said, describing a series of safeguards that should now be considered standard in the industry.
Among them:
– Strict identity verification (KYC) for ownership transfers or contact changes.
– Registry Lock protocols, ensuring no modifications occur without manual authentication between registrar and registry.
– Mandatory multi-factor authentication for administrative access.
He added that frameworks such as DORA, NIS2, ISO27k, NIST and PCI all offer solid guidelines on how to implement these controls effectively.
For companies relying on digital platforms, domains are no longer just technical assets – they are core business property. Mr Cutajar outlined practical steps organisations should implement without delay.
“To protect their digital real estate,” he advised, businesses should first ensure their domains are set to Registrar Lock (clientTransferProhibited). He also recommended segregating duties, avoiding generic email addresses such as info@company.com for domain administration, and instead using a secured account with two-factor authentication.
He emphasised the importance of monitoring domain assets: “Your domain registration needs checking. Ensure the WHOIS contact data is accurate so you receive renewal and security notifications.”
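The checks recommended above can be run against a domain's WHOIS record; the following is an added example, not code from the article or from CY4. The sample record, the placeholder domain, the list of generic mailboxes and the 45-day renewal threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS text for a placeholder domain (not real registry data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-COMPANY.EXAMPLE
Registry Expiry Date: 2025-07-01T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
Registrant Email: info@example-company.example
"""

# Assumed list of shared role mailboxes; the article names info@ as one to avoid.
GENERIC_MAILBOXES = {"info", "admin", "office", "contact", "sales", "hello"}


def audit_whois(text: str, now: datetime, renew_warn_days: int = 45) -> list:
    """Return findings for lock status, contact mailbox and expiry."""
    findings = []
    statuses = {s.lower() for s in
                re.findall(r"^\s*Domain Status:\s*(\S+)", text, re.M | re.I)}
    if "clienttransferprohibited" not in statuses:
        findings.append("no-registrar-lock")      # lock set at the registrar
    if "servertransferprohibited" not in statuses:
        findings.append("no-registry-lock")       # lock set at the registry
    for email in re.findall(r"^\s*(?:Registrant|Admin) Email:\s*(\S+@\S+)",
                            text, re.M | re.I):
        if email.split("@")[0].lower() in GENERIC_MAILBOXES:
            findings.append("generic-contact:" + email.lower())
    m = re.search(r"^\s*(?:Registry Expiry Date|Registrar Registration "
                  r"Expiration Date):\s*(\S+)", text, re.M | re.I)
    if not m:
        findings.append("no-expiry-date")
    else:
        expiry = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        if (expiry - now).days < renew_warn_days:
            findings.append("expires-soon")
    return findings


if __name__ == "__main__":
    for finding in audit_whois(SAMPLE_WHOIS, datetime.now(timezone.utc)):
        print(finding)
```

Public WHOIS often redacts contact emails, so the mailbox check is only meaningful when run on the record as seen in the registrar's own portal or export.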
Mr Cutajar also encouraged businesses to enrol in Extended Threat Intelligence services, which notify organisations when someone registers or initiates an impersonation attempt, allowing them to be proactive rather than reactive.
Finally, he pointed to the value of SOC-as-a-Service solutions, where a security operations team monitors threats on a 24/7 or 8/5 basis.
While last week’s case was resolved without financial loss to the company involved, it highlights a rising threat as local businesses increase their digital footprint.
Domain hijacking may not trigger the same alarm bells as a data breach or ransomware attack, but for many organisations, losing control of their website – even temporarily – can cause reputational, operational and financial damage.