Ransom screen hijacks Treasure Global website in apparent cyberattack

A domain name used by New York-based payment and e-commerce company Treasure Global Inc. has been hijacked and redirects to a page with a menacing full-screen message claiming the system has been “HACKED.”

The screen, which mimics ransomware attacks, shows a ticking clock and warns, “Sorry for the inconvenience,” in white text above a stylized figure in a fedora. The image appears to be a prank template hosted on a third-party domain, but its presence on one of Treasure Global’s own domains suggests a serious breach.

Treasure Global, which operates the ZCITY platform through the domains zcity.io and treasuregroup.co, claims to have lost control of its Namecheap account in May 2025. Company operations have since been disrupted. The ZCITY app, company email addresses, and other digital infrastructure linked to the domains have reportedly gone dark.

According to public records and legal filings, the company has been unable to regain access despite submitting proof of ownership to its domain registrar, Namecheap, an Arizona-based company founded in 2000 by Richard Kirkendall.  

An unknown hacker, identified only as “John Doe 1” in court documents, allegedly took control of the company’s Namecheap account due to a security breach at Namecheap. The attacker is believed to have changed the password and locked out Treasure Global, cutting off access to its core services and online presence.

“If true, this type of attack can be extremely dangerous,” said ThreatLocker Special Projects Engineer Kieran Human. “An attacker gaining full control over a domain can cause serious harm to both the victim organization and anyone visiting the site. They could redirect the domain to a fake page designed to steal sensitive information.”

Namecheap, a major domain registrar, has allegedly refused to intervene without a court order. Treasure Global filed a lawsuit this week, Treasure Global Inc. v. Namecheap Inc. and John Doe 1, claiming that Namecheap was negligent in allowing the breach and has aided and abetted the continued loss of its property by refusing to return control of the domains.

The federal complaint, filed July 15 in United States District Court for the District of Arizona, accuses the unidentified hacker of violating the Computer Fraud and Abuse Act and the federal cyberpiracy statute. The filing also states that Treasure Global has suffered extensive financial and reputational harm since the breach.

Treasure Global is seeking a court order to compel Namecheap and the hacker to return its domains, along with monetary damages and attorneys’ fees.

Domain & website security review checklist

IT operations

  • Enforce multi-factor authentication (MFA) on all registrar, DNS provider, and web hosting accounts.
  • Maintain a current inventory of all registered domains and hosting providers, and track renewal dates with reminders. If possible, configure DNS security features such as DNSSEC and enable automatic SSL/TLS certificate renewals where supported.
  • Verify that DNS records have not been changed without authorization. Pull the latest zone file or record list.
  • Regularly back up website content, DNS configurations, and SSL certificates so services can be restored quickly in the event of compromise or provider lockout.

GRC and compliance staff

  • Ensure you have proof of ownership for your domains stored securely (certified proof, invoices, account setup email messages, etc.).
  • Establish documented ownership and accountability for each domain and hosting provider, tying responsibility to a specific business role (not an individual employee).
  • Review your incident response plan: include domain hijacking scenarios and registrar lock-step procedures.

Security architects

  • Set up monitoring of domains and hosting resources for unauthorized changes and integrate alerts into the SIEM or other log monitoring platform.
  • Architect a business continuity plan where critical websites can be re-hosted or redirected through a secondary provider if access to the primary host is lost.
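
The DNS record check under IT operations and the change monitoring above can share one routine. The following is an added example, not code from the article or from ThreatLocker: it compares an approved baseline record list with a freshly pulled one and produces one JSON alert per change for SIEM ingestion. The `example.com` records, the alert field names, and the severity mapping are constructed assumptions; TTL-only changes are ignored.

```python
import json

# Record types whose change can redirect web traffic, mail or the whole zone.
CRITICAL_TYPES = {"NS", "A", "AAAA", "CNAME", "MX"}

# Constructed sample data: approved baseline vs. a freshly pulled record list.
BASELINE = """\
example.com. 3600 NS ns1.dns-provider.example.
example.com. 3600 NS ns2.dns-provider.example.
example.com. 300 A 192.0.2.10
example.com. 3600 MX 10 mail.example.com.
example.com. 3600 TXT "v=spf1 mx -all"
"""
CURRENT = BASELINE.replace("192.0.2.10", "198.51.100.77") + \
    'example.com. 3600 TXT "verify=constructed-token"\n'

def parse_records(text):
    """Parse 'name TTL type value' lines into {(name, type): {values}}."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        name, _ttl, rtype, value = line.split(None, 3)
        key = (name.lower().rstrip("."), rtype.upper())
        records.setdefault(key, set()).add(value.strip().rstrip("."))
    return records

def diff_records(baseline, current):
    """Return one alert per (name, type) whose value set differs from baseline."""
    alerts = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, set()), current.get(key, set())
        if old != new:
            alerts.append({
                "event": "dns_record_change",
                "name": key[0],
                "type": key[1],
                "removed": sorted(old - new),
                "added": sorted(new - old),
                "severity": "critical" if key[1] in CRITICAL_TYPES else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in diff_records(parse_records(BASELINE), parse_records(CURRENT)):
        print(json.dumps(alert))  # one JSON line per change, ready for SIEM ingestion
```

Store the baseline outside the registrar and DNS provider accounts so it remains available if access to those accounts is lost.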

CISOs and leadership

  • Ask IT to produce a report of all domain properties (domains, subdomains) and who has administrative or account-level access.
  • Define and communicate a clear incident response process for website/domain compromise, including who notifies customers, regulators, and internal stakeholders.

Strengthen domain and website trust before someone hijacks it

Registrar breaches often start at the account / credential level. ThreatLocker® Cloud Control gives you visibility into SaaS-connected accounts, alerts for suspicious sign-ins, and tools to secure recovery credentials and account linkage. Prevent hijacks like this by locking down where your domain control begins.
