Ransom screen hijacks Treasure Global website in apparent cyberattack

Originally published: July 29, 2025

A domain name used by New York-based payment and e-commerce company Treasure Global Inc. has been hijacked and redirects to a page with a menacing full-screen message claiming the system has been “HACKED.”

The screen, which mimics ransomware attacks, shows a ticking clock and warns, “Sorry for the inconvenience,” in white text above a stylized figure in a fedora. The image appears to be a prank template hosted on a third-party domain, but its presence on one of Treasure Global’s own domains suggests a serious breach.

Treasure Global, which operates the ZCITY platform through the domains zcity.io and treasuregroup.co, claims to have lost control of its Namecheap account in May 2025. Company operations have since been disrupted. The ZCITY app, company email addresses, and other digital infrastructure linked to the domains have reportedly gone dark.

According to public records and legal filings, the company has been unable to regain access despite submitting proof of ownership to its domain registrar, Namecheap, an Arizona-based company founded in 2000 by Richard Kirkendall.  

An unknown hacker, identified only as “John Doe 1” in court documents, allegedly took control of the company’s Namecheap account due to a security breach at Namecheap. The attacker is believed to have changed the password and locked out Treasure Global, cutting off access to its core services and online presence.

“If true, this type of attack can be extremely dangerous,” said ThreatLocker Special Projects Engineer Kieran Human. “An attacker gaining full control over a domain can cause serious harm to both the victim organization and anyone visiting the site. They could redirect the domain to a fake page designed to steal sensitive information.”

Namecheap, a major domain registrar, has allegedly refused to intervene without a court order. Treasure Global filed a lawsuit this week, Treasure Global Inc. v. Namecheap Inc. and John Doe 1, claiming that Namecheap was negligent in allowing the breach and has aided and abetted the continued loss of its property by refusing to return control of the domains.

The federal complaint, filed July 15 in United States District Court for the District of Arizona, accuses the unidentified hacker of violating the Computer Fraud and Abuse Act and the federal cyberpiracy statute. The filing also states that Treasure Global has suffered extensive financial and reputational harm since the breach.

Treasure Global is seeking a court order to compel Namecheap and the hacker to return its domains, along with monetary damages and attorneys’ fees.

Domain & website security review checklist

IT operations

  • Enforce multi-factor authentication (MFA) on all registrar, DNS provider, and web hosting accounts.
  • Maintain a current inventory of all registered domains and hosting providers, and track renewal dates with reminders. If possible, configure DNS security features such as DNSSEC and enable automatic SSL/TLS certificate renewals where supported.
  • Verify that DNS records have not been changed without authorization. Pull the latest zone file or record list.
  • Regularly back up website content, DNS configurations, and SSL certificates so services can be restored quickly in the event of compromise or provider lockout.

GRC and compliance staff

  • Ensure you have proof of ownership for your domains stored securely (certified proof, invoices, account setup email messages, etc.).
  • Establish documented ownership and accountability for each domain and hosting provider, tying responsibility to a specific business role (not an individual employee).
  • Review your incident response plan: include domain hijacking scenarios and registrar lock-step procedures.

Security architects

  • Set up monitoring of domains and hosting resources for unauthorized changes and integrate alerts into the SIEM or other log monitoring platform.
  • Architect a business continuity plan where critical websites can be re-hosted or redirected through a secondary provider if access to the primary host is lost.
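
The record check in the IT operations list and the change monitoring in the security architects list can share one routine. The following is an added example, not ThreatLocker's code: it compares a pulled record list against an approved baseline and emits one JSON event per drifted record set for a SIEM to ingest. The records, the `example.com` names and the documentation IP addresses are constructed, and how the current records are pulled (registrar or DNS provider export) is an assumption left outside the example.

```python
import json

# Record types whose change can redirect web traffic, mail, or zone control.
CRITICAL_TYPES = {"NS", "A", "AAAA", "CNAME", "MX"}

def index(records):
    """Map (name, type) -> set of values; names and host values are case-insensitive."""
    out = {}
    for name, rtype, value in records:
        rtype = rtype.upper()
        if rtype != "TXT":  # TXT data (SPF, DKIM keys) is compared exactly as pulled
            value = value.lower().rstrip(".")
        out.setdefault((name.lower().rstrip("."), rtype), set()).add(value)
    return out

def diff_zone(baseline, current):
    """Return SIEM-ready events for every record set that drifted from the baseline."""
    base, cur = index(baseline), index(current)
    events = []
    for key in sorted(base.keys() | cur.keys()):
        before, after = base.get(key, set()), cur.get(key, set())
        if before == after:
            continue
        name, rtype = key
        events.append({
            "event": "dns_record_drift",
            "name": name,
            "type": rtype,
            "removed": sorted(before - after),
            "added": sorted(after - before),
            "severity": "critical" if rtype in CRITICAL_TYPES else "medium",
        })
    return events

# Constructed sample data: approved baseline versus a freshly pulled record list.
BASELINE = [
    ("example.com.", "NS", "ns1.dns-provider.example."),
    ("example.com.", "A", "192.0.2.10"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
]
CURRENT = [
    ("example.com.", "NS", "ns1.dns-provider.example."),
    ("example.com.", "A", "203.0.113.66"),  # changed outside change control
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
]

if __name__ == "__main__":
    for ev in diff_zone(BASELINE, CURRENT):
        print(json.dumps(ev))  # one JSON line per drifted record set
```

Run it on a schedule from a host that does not depend on the monitored domain, and update the baseline only through an approved change.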

CISOs and leadership

  • Ask IT to produce a report of all domain properties (domains, subdomains) and who has administrative or account-level access.
  • Define and communicate a clear incident response process for website/domain compromise, including who notifies customers, regulators, and internal stakeholders.

Strengthen domain and website trust before someone hijacks it

Registrar breaches often start at the account or credential level. ThreatLocker® Cloud Control gives you visibility into SaaS-connected accounts, alerts for suspicious sign-ins, and tools to secure recovery credentials and account linkage. Prevent hijacks like this by locking down where your domain control begins.

Update: Treasure Global voluntarily dismisses lawsuit against Namecheap

On October 15, 2025, Treasure Global voluntarily dismissed its federal lawsuit against Namecheap without prejudice, ending the case before the court ruled on the registrar’s motion to dismiss.

The dismissal does not resolve the underlying domain hijacking incident or restore public access to Treasure Global’s affected infrastructure. It does, however, close the legal path Treasure Global initially pursued to compel mitigating action from its domain name registrar, Namecheap, and seek damages related to the alleged account takeover.

For enterprise security leaders, that framing matters because it reflects a difficult operational reality: Even when a domain loss disrupts core services, registrars may treat restoration as a legal process rather than an incident response action.

Court filings show that Namecheap argued it functioned solely as a neutral domain registrar and had no legal obligation to intervene or return stolen accounts absent specific statutory liability or a court order. The registrar also argued that routine registration services do not constitute use, trafficking, or bad faith under federal cyberpiracy law.

This underscores a critical enterprise risk reality. Virtually all enterprises use domain registrars, but registrars are not incident response partners. Legal ownership documentation alone may not be enough to trigger rapid remediation once registrar account access is lost. Recovery timelines driven by legal escalation rarely align with enterprise operational, regulatory, or customer expectations.

Domain control remains a business-critical asset for any enterprise operating on the public internet. When registrar accounts fall outside enterprise identity governance and security controls, a single compromise can negatively affect email and application operations, customer trust, and brand integrity simultaneously.

The voluntary dismissal brings the lawsuit to a close, but it does not change the broader lesson. Enterprises cannot rely on registrars, courts, or after-the-fact remedies to protect or restore domain control. That responsibility sits squarely within enterprise security architecture and governance, whether organizations are prepared for it or not.
