What Is Cybersquatting? (And Is It Illegal?)

What is cybersquatting? Learn how it's defined, when it's illegal under the ACPA's bad-faith test, common variants like typosquatting, and what's NOT cybersquatting.

By Lidiia Levitska  ·  June 20, 2026
Domain name listed for sale on a registrar website
Cybersquatting is registering or holding a domain that matches someone else's brand — but only the bad-faith version is actually illegal. Shutterstock
Educational guide, not legal advice. This article explains general legal concepts and is not a substitute for advice from an attorney licensed in your jurisdiction. Reading it does not create an attorney–client relationship.
Quick answer: Cybersquatting means registering, holding, or using a domain name that matches someone else's trademark — but it's only illegal when the registrant acts with a "bad faith intent to profit" from that brand. That bad-faith requirement, spelled out in the U.S. Anticybersquatting Consumer Protection Act (ACPA), is what separates a cybersquatter from a legitimate domain owner, a critic, or someone simply using their own name. If you're a brand owner being targeted, your options include UDRP/URS arbitration and an ACPA lawsuit. This is general education, not legal advice — have an attorney licensed in your jurisdiction review your specific situation.

You’ve decided to register the domain for your brand, only to find someone already owns it — and they want thousands of dollars to hand it over. Or maybe a near-copy of your website address is collecting your customers’ clicks. Is that legal? The frustrating but accurate answer is: it depends entirely on why the other person registered it. This guide explains what cybersquatting actually is, the precise line between legal and illegal, the common variants you’ll hear about, and what to do if your brand is the target.

What cybersquatting actually means

Cybersquatting is the practice of registering, trafficking in, or using a domain name that is identical or confusingly similar to someone else’s trademark — typically to profit from the brand’s reputation. The term comes from “squatting” on property you don’t have a legitimate claim to.

Classic examples include:

  • Registering a well-known company’s name as a domain and then offering to sell it back to that company at an inflated price.
  • Grabbing a brand’s domain to run ads, redirect traffic to a competitor, or capture sales that were meant for the brand.
  • Snapping up the domain of a celebrity, politician, or rising startup before they can, in order to extract a payment.

The key idea is targeting — the squatter chose that particular string of characters because it belongs to someone else’s identity or brand. That targeting, combined with intent to profit, is what the law cares about.

For the broader landscape of how domains and trademarks interact, see the Domain & cybersquatting pillar.

When cybersquatting is illegal: bad faith and the ACPA

Here’s the part most people get wrong: registering a domain that happens to match a trademark is not automatically illegal. In the United States, the governing law is the Anticybersquatting Consumer Protection Act (ACPA), passed in 1999 and codified at 15 U.S.C. § 1125(d).

Under the ACPA, a person is liable only if they:

  1. Register, traffic in, or use a domain name,
  2. That is identical or confusingly similar to (or, for famous marks, dilutive of) a protected trademark, and
  3. Have a bad faith intent to profit from that mark.

That third element — bad faith intent to profit — is the whole ballgame. Without it, there’s no ACPA violation, no matter how valuable the domain is.

The nine bad-faith factors

Because “bad faith” is hard to define in the abstract, the statute gives courts a list of nine factors to weigh. No single factor controls; courts look at the overall picture. The factors at § 1125(d)(1)(B)(i) include:

  1. The registrant’s own trademark or IP rights in the domain name, if any.
  2. Whether the domain is the registrant’s own legal name or a name commonly used to identify them.
  3. Any prior legitimate use of the domain for a bona fide offering of goods or services.
  4. Bona fide noncommercial or fair use of the mark on the site (for example, genuine commentary or criticism).
  5. Intent to divert customers away from the mark owner’s site in a way that could harm the brand’s goodwill — whether for profit or to tarnish the mark.
  6. Offering to sell the domain to the mark owner (or anyone) without having used or intended to use it legitimately — a hallmark of squatting.
  7. Providing false or misleading contact information when registering, or a pattern of doing so.
  8. Registering multiple domains the person knows are identical or confusingly similar to others’ marks (a pattern of conduct).
  9. How distinctive or famous the targeted mark is — the more famous the brand, the harder it is to claim innocent registration.

The safe harbor

Crucially, the ACPA contains a safe harbor: bad faith intent “shall not be found” if the court determines the registrant believed and had reasonable grounds to believe that their use of the domain was a fair use or otherwise lawful. This protects people who registered a domain for honest reasons, even if a brand later objects.

Remedies

If a court finds a violation, it can order the domain forfeited, cancelled, or transferred to the trademark owner. The owner may also elect statutory damages of $1,000 to $100,000 per domain name under 15 U.S.C. § 1117(d), instead of proving actual losses — a powerful deterrent. (The faster arbitration routes, by contrast, generally only transfer or suspend the domain. See UDRP vs URS vs ACPA for how these compare.)

Common variants you’ll hear about

Cybersquatting has several cousins. Knowing the vocabulary helps you describe your problem accurately.

Typosquatting. Registering deliberate misspellings or near-misses of a popular domain — think “gooogle.com” or a brand name with letters swapped — to catch users who fat-finger the address. These sites often serve ads, scams, or malware. Because the intent is usually to capture another brand’s traffic, typosquatting is a frequent target of both UDRP and ACPA claims. (For defensive registration strategy, see typosquatting & defensive domains.)

Gripe sites and criticism sites. A domain like “[brand]sucks.com” used to host genuine criticism, reviews, or complaints. These sit in a gray zone: noncommercial criticism is often protected expression and may fall within the ACPA’s fair-use considerations and safe harbor. The analysis changes if the site is really a pretext for extracting payment or diverting customers for profit.

Reverse domain-name hijacking. This is the flip side — when a trademark owner abuses the process to try to seize a domain from someone who registered it legitimately and in good faith. UDRP panels can formally find that a complainant engaged in reverse domain-name hijacking when they bring a complaint in bad faith. In other words, brands don’t automatically win, and overreaching can backfire.

What is NOT cybersquatting

Plenty of domain ownership that feels unfair is perfectly lawful. The following generally are not cybersquatting:

  • Owning generic or descriptive domains. Registering “bestpizza.com” or “cheapflights.net” to build a business or resell is legitimate “domaining,” not squatting — there’s no targeting of a specific brand.
  • Using your own name or a name you have rights to. If your legal name or your established brand happens to coincide with someone else’s mark, that weighs heavily in your favor.
  • Legitimate prior use. If you registered the domain and genuinely used it for goods, services, or content before any dispute, that cuts strongly against bad faith.
  • Good-faith criticism and commentary. A noncommercial site genuinely devoted to reviews or criticism is often protected, not actionable.
  • Honest coincidence. Many short or common words are trademarks for somebody. Registering one without targeting that brand, and with reasonable grounds to think your use is lawful, falls within the safe harbor.

The recurring theme: no bad-faith intent to profit from someone else’s mark means no cybersquatting. Value alone isn’t a crime, and neither is refusing to sell.

What to do if you’re targeted

If you believe a squatter has grabbed a domain tied to your brand, a few practical steps:

  1. Document everything. Screenshot the site, save WHOIS/registration records, note any sale demands, and record how the domain relates to your trademark.
  2. Confirm your trademark rights. Your position is strongest with a federal registration, but common-law rights from actual use can also support a claim. Stronger, more distinctive marks fare better.
  3. Consider a cease-and-desist or a buy. Sometimes a letter — or simply paying a modest, reasonable amount — resolves it faster and cheaper than litigation. Weigh the cost against the principle.
  4. Choose your forum. The UDRP (and the faster URS for clear-cut cases) offers ICANN-administered arbitration that can transfer or suspend a domain in weeks to months. An ACPA lawsuit is slower and costlier but can win damages and reach registrants the arbitration can’t. UDRP vs URS vs ACPA breaks down the trade-offs.
  5. Get tailored advice. The bad-faith analysis is fact-specific, and a weak claim can trigger a reverse-domain-name-hijacking finding against you. An attorney licensed in your jurisdiction can assess your odds before you spend money.

For more on protecting and enforcing brand identity generally, explore our trademarks topic hub.

The bottom line

Cybersquatting is registering or using a domain that matches someone else’s trademark — but it only becomes illegal when paired with a bad-faith intent to profit from that brand. The ACPA’s nine-factor test and its safe harbor mean context is everything: a squatter demanding ransom for a famous brand’s name is in trouble, while someone using their own name, a generic word, or a genuine criticism site usually is not. If you’re a brand owner, UDRP/URS arbitration and ACPA litigation give you real tools; if you’re a domain owner accused of squatting, good-faith and legitimate-use defenses are real protections.

This article is general legal information for educational purposes only. It is not legal advice, does not create an attorney-client relationship, and may not reflect the most current law in your area. Domain and trademark disputes turn on specific facts. For advice about your situation, consult an attorney licensed in your jurisdiction.

Frequently asked questions

Is cybersquatting illegal?

Sometimes. In the U.S., registering or using a domain name that's identical or confusingly similar to a trademark is illegal under the Anticybersquatting Consumer Protection Act (ACPA, 15 U.S.C. § 1125(d)) only when the registrant has a 'bad faith intent to profit' from the mark. Simply owning a valuable or generic domain is not illegal. The bad-faith requirement is the heart of the law, and courts weigh nine specific factors to decide it.

Is buying and reselling domain names cybersquatting?

Not by itself. Buying generic or descriptive domains and reselling them — often called 'domaining' — is a legitimate business. It only crosses into cybersquatting when someone registers a domain that targets a specific trademark in bad faith, intending to profit from that brand's goodwill. Registering 'organic-coffee.com' to resell is fine; registering a famous brand's name to sell it back to them is not.

What can I do if someone is cybersquatting my brand?

You generally have three main routes: a UDRP or URS arbitration through ICANN-approved providers (fast and relatively cheap, transfers or suspends the domain), or an ACPA lawsuit in U.S. federal court (slower and costlier, but can win statutory damages of $1,000 to $100,000 per domain). Many owners start with a cease-and-desist letter. Talk to an attorney licensed in your jurisdiction about which fits your facts.

Lidiia Levitska
About the Author

Lidiia Levitska

International Intellectual Property Attorney

Lidiia Levitska focuses on intellectual property dispute resolution, policy, and advisory work across international institutions and government bodies. From 2021 to 2025 she served at the World Intellectual Property Organization (WIPO), managing arbitration cases and overseeing compliance with the Uniform Domain-Name Dispute-Resolution Policy (UDRP), and earlier led IP policy research as a Senior Policy Officer at the American Chamber of Commerce in Ukraine. She holds an LL.M. in International Intellectual Property Law from Chicago-Kent College of Law and an M.A. in Information Technology Law from the University of Tartu, and was admitted to the Ukrainian Bar in 2019.

More about Lidiia →