Domain security for crypto projects requires multiple layers of protection. Two essential security measures—registry locks and registrar locks—are frequently confused, leading to dangerous security gaps. Understanding the difference is critical for protecting your Web3 platform from domain hijacking attacks.
—
Want to learn more about DNS Security for your crypto projects?
Read our best practices guide here.
—
Introduction: The Domain Security Crisis in Crypto
The crypto industry faces an escalating threat from domain hijacking attacks. According to recent data from Chainalysis, hackers stole approximately $2.2 billion in cryptocurrency in 2024, with a significant portion of these attacks originating from compromised domain infrastructure. More alarmingly, research by DomainSure documented 17 significant domain hijacking attacks targeting crypto projects since 2022, with total losses exceeding $100 million.
These attacks succeed because they exploit a fundamental vulnerability: while blockchain transactions may be secured by cryptographic protocols, the domains directing users to these platforms often rely on traditional, centralized security measures that haven’t evolved to meet the unique threats facing crypto projects.
The stakes are particularly high for crypto and DeFi platforms. When a traditional e-commerce site experiences a domain hijack, the damage is typically limited to brand reputation and potential data theft. When a crypto platform’s domain is compromised, users can lose millions in digital assets within minutes through malicious frontends that appear identical to legitimate interfaces.
This security gap exists largely because many crypto security teams focus exclusively on blockchain-level security while overlooking the critical domain layer. Understanding the difference between registrar locks and registry locks is the first step toward closing this dangerous vulnerability.
Registrar Locks: The Basic Protection Layer
Registrar locks (also called transfer locks or domain locks) are the most common form of domain protection. They operate at the registrar level and primarily prevent domain transfers to other registrars.
How Registrar Locks Work
Registrar locks function by setting specific status codes at the registrar level that prevent certain actions. The most common status code is “clientTransferProhibited,” which prevents the domain from being transferred to another registrar. This protection is mandated by ICANN for most generic top-level domains (gTLDs) and is typically enabled by default.
When a registrar lock is active, the domain cannot be transferred without first removing the lock. This provides a basic layer of protection against domain theft through unauthorized transfers. However, it’s important to understand that this protection exists only at the registrar level, not at the registry level where the authoritative domain database is maintained.
Technical Implementation of Registrar Locks
From a technical perspective, registrar locks are implemented through EPP (Extensible Provisioning Protocol) status codes. These codes are set by the registrar and communicated to the registry. The most common status codes associated with registrar locks include:
- clientTransferProhibited: Prevents domain transfers
- clientUpdateProhibited: Prevents updates to domain contact information
- clientDeleteProhibited: Prevents domain deletion
These status codes can be viewed in the domain’s WHOIS information, allowing domain owners to verify that locks are in place. For example, a WHOIS query for a locked domain might return:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrar Lock Limitations
While registrar locks provide basic protection against domain theft, they have significant limitations:
- Nameserver Vulnerability: Most critically, registrar locks do not prevent changes to nameserver settings. An attacker who gains access to your registrar account can still change your nameservers, redirecting all traffic to malicious servers without transferring the domain.
- Account-Level Protection Only: Registrar locks can be removed by anyone with access to your registrar account. If credentials are compromised through phishing, password reuse, or other means, the attacker can simply disable the lock.
- Social Engineering Vulnerability: Many registrars have support processes that can be exploited through social engineering. Attackers may impersonate domain owners to convince support staff to remove locks or reset account credentials.
- Inconsistent Implementation: Different registrars implement locks with varying levels of security. Some may offer additional protections, while others provide only the minimum required by ICANN.
Real-World Failures of Registrar Locks
In July 2024, multiple crypto projects using Squarespace’s domain services were compromised during a migration from Google Domains. Despite having registrar locks in place, attackers exploited a vulnerability in the migration process to gain control of several high-profile domains, including those of Celer Network Foundation.
Similarly, in March 2025, a popular NFT marketplace suffered a domain hijacking when attackers gained access to their domain registrar account through credential stuffing. Despite having registrar locks enabled, the attackers were able to change nameserver settings, redirecting users to a phishing site that drained approximately $7.3 million in assets before the team regained control.
These incidents highlight the fundamental limitation of registrar locks: they provide protection only against domain transfers, not against nameserver changes or other critical modifications that can be equally devastating.
For crypto projects with millions in digital assets at stake, this basic protection is insufficient. This is where registry locks become essential.
Registry Locks: The Enterprise-Grade Protection
Registry locks operate at a higher level—directly at the TLD registry that controls the authoritative database for domains. This provides significantly stronger protection against unauthorized changes.
Understanding Registry Operators vs. Registrars
To understand registry locks, it’s important to distinguish between registries and registrars:
- Registry Operators: Organizations that manage the authoritative database for specific top-level domains (TLDs). For example, Verisign operates the registry for .com and .net domains, while Public Interest Registry manages .org domains.
- Registrars: Companies accredited by ICANN to sell domain registrations to end users. Registrars interact with registries on behalf of domain owners.
Registry locks are implemented at the registry level, meaning they’re enforced by the organization that maintains the authoritative database for the TLD, not just by your registrar.
Technical Implementation of Registry Locks
Registry locks use server-side EPP status codes that can only be modified through a secure, out-of-band process. The most common status codes associated with registry locks include:
- serverUpdateProhibited: Prevents updates to domain information at the registry level
- serverTransferProhibited: Prevents domain transfers at the registry level
- serverDeleteProhibited: Prevents domain deletion at the registry level
These “server” status codes differ from “client” status codes in that they cannot be removed through standard registrar interfaces or API calls. Instead, they require a formal verification process involving the registry operator.
When a registry lock is active, a WHOIS query might return:
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
The Registry Lock Process
The process for implementing and managing registry locks typically follows these steps:
Initial Setup: The domain owner works with their registrar to establish registry locks. This usually involves:
- Completing formal documentation
- Designating authorized contacts
- Establishing verification procedures
- Setting up secure communication channels
Lock Activation: Once the setup is complete, the registrar submits a request to the registry to apply server-side status codes to the domain.
Change Management: When legitimate changes are needed (such as nameserver updates), a multi-step process is followed:
- The domain owner submits a change request to the registrar
- The registrar initiates an unlock request with the registry
- The registry performs out-of-band verification with authorized contacts
- Upon successful verification, the lock is temporarily removed
- The requested changes are made
- The registry lock is reapplied
This process typically takes 24-48 hours, creating a deliberate time buffer that allows for detection of unauthorized change attempts.
Key Characteristics of Registry Locks
Registry locks provide several critical security features:
- Implementation Level: Applied at the TLD registry (e.g., Verisign for .com domains), not just at the registrar level.
- Primary Protection: Prevents ALL changes to domain settings, including nameserver changes, which are the most common attack vector for crypto projects.
- Activation Method: Requires a formal request process with out-of-band verification, not just a toggle in a control panel.
- Authentication: Employs multi-factor authentication, often including verbal confirmation with pre-authorized contacts.
- Bypass Potential: Extremely difficult to bypass; requires sophisticated social engineering across multiple organizations.
Registry Lock Availability and Pricing
Registry locks are available for most major TLDs, but pricing and implementation details vary significantly:
- .com/.net (Verisign): Available through authorized registrars, typically costing $100-200 per month per domain.
- .org (Public Interest Registry): Available through select registrars, with pricing ranging from $75-150 per month.
- .io (Internet Computer Bureau): Limited availability, with costs ranging from $200-300 per month when available.
- Country-code TLDs: Availability varies widely. Some ccTLDs like .ch (Switzerland) offer registry locks, while others do not.
According to data from NameSilo, registry locks typically cost around $12 per month or $144 per year per domain. However, pricing can vary significantly between registrars, with some charging as much as $399.99 per domain annually, as reported by Webnames.ca.
It’s worth noting that some registrars mark up registry lock services substantially. As reported by Krebs on Security, some registrars charge up to 2500% of the standard domain registration cost for registry lock services.
Why Registry Locks Are Essential for Crypto Projects
For crypto and Web3 platforms, registry locks provide essential protection against the most common attack vectors:
1. Protection Against Nameserver Hijacking
Nameserver hijacking is the most common and devastating attack vector for crypto projects. By changing nameserver delegations, attackers can redirect all traffic to malicious servers that perfectly mimic legitimate platforms.
In January 2023, a major DeFi protocol lost $14.5 million when attackers compromised their domain registrar account through a social engineering attack. The attackers changed the nameserver delegation at the registrar level, pointing users to a malicious frontend that drained their wallets.
Registry locks prevent this attack vector by requiring out-of-band verification for any nameserver changes, creating a critical security layer that registrar locks simply cannot provide.
2. Defense Against Social Engineering
Social engineering attacks against registrar support staff are increasingly common. Attackers impersonate domain owners, claiming they’ve lost access to their accounts and need urgent assistance.
Registry locks mitigate this risk by requiring verification through multiple channels and organizations. Even if an attacker successfully social engineers a registrar’s support team, they would still need to pass the registry’s separate verification process, which typically involves different communication channels and pre-authorized contacts.
3. Mitigation for Account Compromise
Credential theft through phishing, password reuse, or other means is a persistent threat. If an attacker gains access to your registrar account, they can typically make immediate changes to domain settings.
With registry locks in place, account compromise alone is insufficient to make critical changes. The attacker would still need to pass the out-of-band verification process with the registry, providing a critical security layer that remains effective even if account credentials are compromised.
4. Time Buffer for Incident Response
One of the most valuable aspects of registry locks is the time buffer they create. Since changes typically take 24-48 hours to implement due to the verification process, security teams have a critical window to detect and respond to unauthorized change attempts.
This time buffer can mean the difference between a thwarted attack and millions in stolen funds. In the fast-moving crypto space, where transactions are irreversible and assets can be quickly moved through mixers or cross-chain bridges, this response window is invaluable.
Implementation Considerations
Implementing registry locks requires careful planning and consideration of several factors:
Advantages:
- Maximum Security for Domain Settings: Registry locks provide the highest level of protection available for domain settings, preventing unauthorized changes at the registry level.
- Protection Against Sophisticated Attacks: The multi-layered verification process defends against advanced social engineering and account compromise attacks.
- Defense-in-Depth Security Approach: Registry locks complement other security measures, creating multiple layers of protection.
- Compliance with Enterprise Security Standards: Many security frameworks and compliance standards now recommend registry locks for critical domains.
- Demonstrable Security Posture: Having registry locks in place demonstrates a commitment to security that can build trust with users and investors.
Challenges:
- Higher Cost than Standard Registrar Locks: Registry locks typically cost $100-400 per domain annually, representing a significant premium over basic domain registration.
- Limited Availability Through Some Registrars: Not all registrars offer registry lock services, potentially requiring domain transfers to supported providers.
- Longer Lead Time for Legitimate Changes: The verification process typically takes 24-48 hours, which can impact emergency changes or time-sensitive updates.
- More Complex Implementation Process: Setting up registry locks requires documentation, authorized contact designation, and formal processes.
- Vendor Selection Considerations: The quality of registry lock implementation varies between registrars, requiring careful vendor evaluation.
Implementation Process:
A thorough implementation process for registry locks should include:
- Availability Assessment: Confirm registry lock availability for your specific TLDs, as not all TLDs support this feature.
- Registrar Evaluation: Assess your current registrar’s registry lock offerings, or identify alternative registrars if necessary.
- Authorized Contact Designation: Establish primary and backup authorized contacts who will be responsible for verifying change requests.
- Documentation Development: Create comprehensive documentation for lock management, including:
  - Verification procedures
  - Emergency protocols
  - Contact information
  - Escalation paths
- Monitoring Implementation: Set up monitoring for lock status changes to ensure early detection of any issues.
- Testing and Validation: Conduct a test of the unlock and relock process to ensure all parties understand the procedures.
- Emergency Planning: Develop procedures for situations requiring expedited changes, including contact information for registry emergency support.
Operational Tradeoffs
Registry locks create operational tradeoffs that security teams must carefully consider:
1. Change Management
With registry locks in place, changes to nameservers and other critical settings require advance planning. This impacts several operational areas:
- Maintenance Windows: Changes must be scheduled well in advance, with unlock requests submitted 24-48 hours before the planned change.
- Documentation Requirements: Detailed change documentation is essential, as registry operators typically require specific information for verification.
- Approval Workflows: Organizations should implement formal approval workflows for registry lock changes to ensure proper authorization.
- Communication Protocols: Clear communication channels must be established between technical teams, security teams, and authorized contacts.
2. Emergency Procedures
Critical situations may require expedited unlock processes. Organizations should:
- Establish Emergency Contacts: Identify emergency contacts at both the registrar and registry level.
- Document Expedited Procedures: Understand and document any available expedited verification processes.
- Define Emergency Criteria: Clearly define what constitutes an emergency warranting expedited procedures.
- Test Emergency Processes: Periodically test emergency procedures to ensure they function as expected.
3. Authorized Contact Management
Maintaining current contact information for verification is critical:
- Regular Updates: Implement processes to regularly update authorized contact information.
- Role-Based Contacts: Consider using role-based contacts (e.g., “Head of Security”) rather than individual names when possible.
- Geographic Distribution: Ensure authorized contacts are distributed across different geographic locations and time zones.
- Succession Planning: Develop clear succession plans for authorized contacts who leave the organization.
4. Business Continuity
Organizations must plan for situations where authorized contacts are unavailable:
- Backup Contacts: Designate multiple backup contacts who can verify change requests.
- Escalation Procedures: Establish clear escalation procedures for situations where primary contacts cannot be reached.
- Documentation Access: Ensure that business continuity teams have access to registry lock documentation and procedures.
- Regular Reviews: Periodically review and test business continuity procedures related to domain management.
Best Practices for Domain Lock Implementation
For optimal protection, implement these best practices:
1. Layered Approach
Use both registry and registrar locks to create multiple layers of protection:
- Registry Locks: Implement for maximum security at the registry level.
- Registrar Locks: Maintain as an additional layer of protection.
- Account Security: Enhance registrar account security with strong authentication.
- Access Controls: Implement strict access controls for domain management.
This defense-in-depth approach ensures that multiple security layers must be breached for an attack to succeed.
2. Comprehensive Documentation
Maintain detailed procedures for lock management:
- Process Documentation: Document step-by-step procedures for lock changes.
- Contact Information: Maintain current contact information for all relevant parties.
- Verification Procedures: Document the specific verification methods used by your registry.
- Emergency Procedures: Clearly document procedures for emergency situations.
- Recovery Plans: Develop and document recovery procedures in case of compromise.
Thorough documentation ensures that teams can respond effectively even in high-pressure situations.
3. Contact Redundancy
Establish multiple authorized contacts to ensure availability:
- Primary Contacts: Designate primary contacts for normal operations.
- Backup Contacts: Establish backup contacts for situations where primary contacts are unavailable.
- Geographic Distribution: Ensure contacts are distributed across different locations and time zones.
- Role Coverage: Ensure multiple people can fulfill each critical role.
- Regular Updates: Update contact information whenever personnel changes occur.
Contact redundancy prevents situations where critical changes are delayed due to unavailable personnel.
4. Regular Verification
Periodically confirm lock status to ensure continued protection:
- Scheduled Checks: Implement regular checks of domain lock status.
- WHOIS Monitoring: Monitor WHOIS data for unexpected changes to status codes.
- Registry Confirmation: Periodically confirm lock status directly with the registry when possible.
- Change Audits: Audit all domain-related changes to ensure they followed proper procedures.
- Penetration Testing: Consider including domain security in penetration testing scenarios.
Regular verification ensures that locks remain in place and functioning as expected.
5. Comprehensive Monitoring
Implement alerts for any lock status changes:
- Status Code Monitoring: Monitor for changes to domain status codes.
- WHOIS Change Alerts: Set up alerts for any changes to WHOIS data.
- Nameserver Monitoring: Implement continuous monitoring of nameserver configurations.
- DNS Propagation Checks: Regularly verify that DNS is resolving to the expected locations.
- Certificate Transparency Monitoring: Monitor CT logs for unexpected certificate issuance.
Comprehensive monitoring enables rapid detection and response to unauthorized changes.
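The status-code and monitoring guidance above can be turned into a scheduled check. The following added example (not code from the original article) parses the "Domain Status:" and "Name Server:" lines of WHOIS text output, classifies the domain as having no lock, a registrar lock only, a partial registry lock, or a full registry lock, and raises alerts for missing server codes and nameserver drift. The WHOIS samples and the domain name are constructed for illustration, and the expected nameserver set is assumed.

```python
import re
from dataclasses import dataclass, field

# EPP status codes as they appear in WHOIS "Domain Status:" lines. The
# client* codes are set by the registrar (a registrar lock); the server*
# codes are set by the registry and are what a registry lock looks like.
REGISTRAR_LOCK_CODES = {
    "clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited",
}
REGISTRY_LOCK_CODES = {
    "serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited",
}

STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.I | re.M)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.I | re.M)


@dataclass
class LockReport:
    lock_level: str  # "none", "registrar", "partial-registry" or "registry"
    statuses: set = field(default_factory=set)
    nameservers: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def parse_whois(text: str):
    """Pull status codes and (normalised) nameservers out of WHOIS text output."""
    statuses = set(STATUS_RE.findall(text))
    nameservers = {ns.lower().rstrip(".") for ns in NS_RE.findall(text)}
    return statuses, nameservers


def assess(text: str, expected_nameservers) -> LockReport:
    """Classify the lock level and collect everything a monitoring job should alert on."""
    statuses, nameservers = parse_whois(text)
    expected = {ns.lower().rstrip(".") for ns in expected_nameservers}
    alerts = []

    server_codes = statuses & REGISTRY_LOCK_CODES
    if server_codes == REGISTRY_LOCK_CODES:
        level = "registry"
    elif server_codes:
        level = "partial-registry"
        missing = sorted(REGISTRY_LOCK_CODES - statuses)
        alerts.append(f"registry lock incomplete, missing: {', '.join(missing)}")
    elif statuses & REGISTRAR_LOCK_CODES:
        level = "registrar"
        alerts.append("registrar lock only: nameservers can be changed with registrar account access")
    else:
        level = "none"
        alerts.append("no lock status codes present")

    # A registrar lock without clientUpdateProhibited leaves contact and NS edits open.
    if level == "registrar" and "clientUpdateProhibited" not in statuses:
        alerts.append("clientUpdateProhibited not set")
    # Nameserver drift is the change a hijacker makes; compare against the known-good set.
    if nameservers != expected:
        alerts.append(f"nameserver drift: expected {sorted(expected)}, saw {sorted(nameservers)}")
    return LockReport(level, statuses, nameservers, alerts)


# Constructed sample WHOIS output for a hypothetical domain (not real data).
REGISTRY_LOCKED_WHOIS = """\
Domain Name: EXAMPLE-DEFI.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

REGISTRAR_ONLY_WHOIS = """\
Domain Name: EXAMPLE-DEFI.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.UNEXPECTED.EXAMPLE
Name Server: NS2.UNEXPECTED.EXAMPLE
"""

EXPECTED_NS = {"ns1.example-dns.net", "ns2.example-dns.net"}  # assumed known-good delegation

if __name__ == "__main__":
    for label, sample in (("registry-locked", REGISTRY_LOCKED_WHOIS), ("registrar-only", REGISTRAR_ONLY_WHOIS)):
        report = assess(sample, EXPECTED_NS)
        print(f"{label}: lock_level={report.lock_level}")
        for alert in report.alerts:
            print("  ALERT:", alert)
```

Feed the function the output of a scheduled whois lookup (or an RDAP result converted to the same line format) and route any non-empty alert list to the same channel as your other security alerts.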
6. Specialized Registrar Selection
Work with a registrar experienced in registry locks for crypto projects:
- Crypto Experience: Select registrars with specific experience serving crypto clients.
- Security Focus: Prioritize registrars with strong security practices and features.
- Support Quality: Evaluate the quality and responsiveness of technical support.
- Documentation Quality: Assess the clarity and completeness of security documentation.
- Implementation Experience: Consider the registrar’s experience with registry lock implementation.
The right registrar can significantly enhance your domain security posture through expertise and appropriate security features.
Case Study: Registry Lock Preventing Attack
In 2023, a major DeFi protocol with registry locks in place detected an unauthorized unlock attempt. The attack was thwarted through the following sequence:
- Initial Compromise: The attacker compromised the protocol’s registrar account through a sophisticated phishing attack targeting a team member with domain management access.
- Attempted Change: Upon gaining access, the attacker attempted to change the nameserver settings to redirect traffic to a malicious frontend designed to drain user funds.
- Registry Lock Barrier: The attacker discovered they could not make immediate changes due to the registry lock in place.
- Unlock Attempt: The attacker initiated a registry unlock request through the registrar’s support system.
- Out-of-Band Verification: Following standard procedure, the registry contacted the protocol’s authorized representative through pre-established channels to verify the unlock request.
- Attack Detection: The authorized contact, who had not initiated any changes, immediately recognized the request as fraudulent and denied authorization.
- Security Response: The protocol’s security team was alerted to the attempted change, allowing them to:
  - Secure the compromised registrar account
  - Implement additional security measures
  - Investigate the attack vector
  - Alert team members to the phishing threat
- Attack Mitigation: The registrar account was secured before any damage occurred, preventing what could have been a multi-million-dollar theft.
The security team later estimated that without registry locks in place, the attack would have succeeded within minutes of the account compromise, potentially resulting in losses exceeding $20 million based on the protocol’s total value locked at the time.
This case study demonstrates the critical value of registry locks as a last line of defense. Even when other security measures fail—in this case, anti-phishing training and account security—registry locks provide a crucial safety net that can prevent catastrophic losses.
The Future of Domain Security for Crypto Projects
As attacks against crypto projects continue to evolve, domain security measures are also advancing. Several emerging trends are worth monitoring:
- Blockchain-Based Domain Governance: Some registrars are beginning to implement multi-signature requirements for domain changes, similar to multi-sig wallet security in blockchain.
- Automated Monitoring and Response: Advanced monitoring systems using machine learning can detect anomalous domain activity and trigger automated responses.
- Decentralized Naming Systems: Systems like ENS (Ethereum Name Service) and Handshake offer alternative approaches to domain security through blockchain technology.
- Regulatory Evolution: Increasing regulatory focus on crypto security may lead to new requirements for domain security practices.
- Industry Standards: Industry groups are developing specific domain security standards for crypto projects, which may become de facto requirements.
Conclusion
The distinction between registry locks and registrar locks is not merely technical—it’s the difference between basic and enterprise-grade security. For crypto projects with significant assets at stake, registry locks are an essential component of a comprehensive security strategy.
While registry locks create some operational challenges, these are far outweighed by the protection they provide against the most common and devastating attack vectors targeting crypto projects. By implementing registry locks alongside other security measures, you can significantly reduce the risk of domain hijacking and protect your users from attacks that bypass blockchain security entirely.
In an ecosystem where trust is paramount and transactions are irreversible, the additional layer of security provided by registry locks is not just a best practice—it’s a necessity for responsible platform operation.