Recovering 12 domains seized by a former employee
It started with one email on Thursday morning. The owner of a wholesale company from Częstochowa discovered that he could not log in to the management panel of his websites. A former employee who left a week earlier had changed the passwords to 12 key domains and was demanding payment for their return.
Sudden cutoff from work tools
Everything happened rapidly. On Thursday at 8:15 AM, the sales department noticed that the store's administration panel was not accepting passwords. An attempt to reset passwords did nothing because the recovery email had been changed to the former IT technician's private address. This man had been managing the system for the last 4 years and knew every security gap. The wholesaler, which averages 23 orders a day, came to a standstill. Calls from upset regional customers started coming in around 10:00 AM.
The business owner first tried calling the former employee personally. He heard that access would be restored once 15,000 PLN was transferred to the technician's account. This was to be 'compensation' for unused vacation and alleged overtime from 2023. The blackmail was evident, but a court battle would take months. The company could not afford so many days of inactivity. That's when the case came to us, at the Agora Giedroyć office. We knew that here time counted more than paragraphs.
We act in silence because in such disputes, emotions are the worst advisor and only drive up the price of blackmail.
Preparing technical arguments
Piotr Zawadzki spent the first 3 hours analyzing Whois and bank statements. It turned out that 4 domains were purchased before the employee was even hired, which gave us a solid legal basis. The remaining 8 addresses were paid for from the company card but registered to private data. This is a common mistake in small companies that backfires during departures. However, we found 17 emails in which the employee confirmed that the domains belonged to the company's resources and were part of its assets.
Instead of sending a pre-litigation letter, which could provoke the technician to completely delete files from the server, we prepared a 'loss scenario'. We calculated that 32 hours of downtime had already cost the wholesaler 5,600 PLN in margin. We presented this as a debt that grows every minute. Our strategy was to show that it was the technician who had more to lose than to gain. Documentation was ready at 2:00 PM on Friday. We scheduled the meeting for 4:00 PM at a cafe on the Avenue.
4 hours that saved the company
The conversation was not easy. The former employee was very confident at first. He claimed that the domains were his because he 'invented' them. We calmly showed him the list of invoices and transfer confirmations. We explained the mechanism of employee material responsibility. Piotr Zawadzki, as an IT specialist, pointed out errors in his thinking about intellectual property point by point. Instead of attacking, we gave him a way out with his dignity intact. We proposed signing a settlement right then and there.
The key moment was showing the already prepared application to the domain registrar for a forced transfer based on digital identity theft. The technician understood that his block was temporary, but the financial consequences would be permanent. At 7:30 PM, after drinking two coffees, he pulled out his laptop. In our presence, he transferred all 12 domains to a new, secure technical address managed by Agora Giedroyć. In return, he received a written statement of waiver of claims for the 32 hours of downtime to date.
New security standards
After regaining control, we did not stop at simply taking over the passwords. That same evening, Piotr implemented 2-factor authentication (2FA) based on hardware keys. Now, access to domains requires physically touching a key that is kept in the company's safe. We also changed the hosting provider for the 3 most important stores, moving the data to servers with a better backup system. The entire operation cost the client a fraction of what the blackmailer was demanding, and the business resumed on Saturday morning without further hindrance.
The former employee did not get the money, but he also avoided the bailiff and the prosecutor. For the wholesaler owner, the most important thing was peace and returning to work. This case shows that in IT, negotiations based on facts are more effective than emotional arguments. Currently, we manage this client's infrastructure under constant supervision, which excludes a repeat of such a situation in the future. 8 months have passed since that event and the system has not been threatened once.
True security begins where trust in a single administrator ends.
