5 May, 2026

Biopharma Phishing Risks and Domain Recovery: Tarsus Pharmaceuticals, Inc. v. Justin Gear

UDRP Cases

Tarsus Pharmaceuticals successfully recovered two ‘rx’ themed domains used in an active corporate impersonation and phishing scheme. The Respondent utilized linked email accounts to solicit fraudulent transactions, leading the WIPO panel to order an immediate transfer of the assets.

Case Snapshot

Case Number D2025-5152
Complainant Tarsus Pharmaceuticals, Inc.
Respondent Justin Gear
Disputed Domain
rxtarsus.com
Threat Tactic Corporate Impersonation
Decision Date 2026-01-20
Panelist Jeffrey M. Samuels
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-5152

Corporate Impersonation and Phishing Risks in the Pharmaceutical Sector

The registration of rxtarsus.com and tarsusrx.com represents a calculated threat to the pharmaceutical supply chain by leveraging industry-specific identifiers. By appending the ‘rx’ keyword—a standard shorthand for prescription pharmaceuticals—to the TARSUS mark, the Respondent created a false sense of technical credibility. This naming convention is specifically designed to exploit the expectations of industry partners and clinicians who may mistake such domains for legitimate prescription portals or specialized administrative branches of Tarsus Pharmaceuticals. For brand owners, this tactic increases the likelihood of successful phishing attacks, as the ‘rx’ suffix provides a layer of perceived authenticity that typical typosquatting lacks, making it a potent tool for bypassing the skepticism of professional stakeholders.

The primary business threat in this case was the active use of the domains to facilitate fraudulent transactions and harvest sensitive private information. Rather than maintaining a passive website, the Respondent utilized linked email accounts to send communications that purported to originate from the Complainant. This transition from domain squatting to active corporate impersonation transforms a trademark dispute into a significant security and fraud event. When a threat actor uses a brand’s identity to solicit funds or data, the resulting damage includes not only direct financial losses for the targeted third parties but also a systemic erosion of trust in the brand’s digital communications infrastructure. The evidence established that these domains were used for illegitimate commercial purposes rather than any bona fide offering of goods, directly targeting the Complainant’s corporate integrity.

The use of privacy services further complicates the risk profile by delaying the identification of the threat actor and allowing the fraudulent activity to persist during the initial stages of the dispute. The Respondent’s true identity was only revealed following a registrar verification request on December 11, 2025, which pierced the ‘Domains By Proxy’ shield. This procedural gap between the detection of fraudulent emails and the identification of the registrant highlights the necessity for rapid enforcement in the biopharmaceutical sector. By securing a transfer of the assets, the Complainant stopped a scheme that leveraged a United States registered trademark to deceive third parties, effectively mitigating a scenario where sensitive corporate or personal data could have been further compromised through deceptive email-based solicitation.

Strategy Breakdown: Proving Active Impersonation

Tarsus Pharmaceuticals successfully established bad faith by documenting the active use of domain-linked email accounts for deceptive communications. By presenting evidence that the Respondent sent emails purporting to be from the Complainant to solicit fraudulent transactions and harvest private data, the Complainant moved the case beyond mere typo-squatting into the realm of criminal impersonation. This specific documentation of outbound phishing activities provided the Panel with a clear basis to find that the domains were never intended for a bona fide offering of goods or services, but were instead instruments of fraud designed to exploit the Complainant’s established reputation in the biopharmaceutical sector since its founding in 2016. This evidence of active harm outweighed any defense regarding the disclaimed nature of the term TARSUS in certain trademark registrations.

The Complainant’s focus on the industry-specific ‘rx’ keyword highlighted a calculated attempt by the Respondent to gain credibility within the pharmaceutical supply chain. By combining the TARSUS mark with a term synonymous with prescription medicine, the Respondent created a high risk of confusion among professional partners and clients. Furthermore, the Complainant demonstrated procedural agility when the initial privacy-shielded registrant was revealed to be Justin Gear during the December 2025 verification process. Promptly amending the Complaint to name the actual individual ensured that the enforcement action was directed at the correct party, effectively neutralizing the anonymity typically afforded by proxy services and allowing the Panel to link the fraudulent emails directly to the named Respondent.

Practical Recommendations

  • Monitor for ‘brand-plus-keyword’ domain registrations that incorporate industry-specific terms like ‘rx’ to proactively identify potential phishing vectors targeting the pharmaceutical supply chain.
  • Implement a protocol to capture and preserve full email headers and message content from unauthorized domains, as active use of linked email accounts to solicit transactions is definitive evidence of bad faith.
  • Verify the presence of MX records on newly registered domains containing your brand name; an active MX record without a corresponding website often signals an intent for corporate impersonation via email.
  • Anticipate a two-stage filing process when privacy services are used; ensure legal teams are prepared to submit an ‘Amended Complaint’ immediately after the registrar reveals the true registrant’s identity to avoid procedural delays.
  • Emphasize the trademark’s role as the ‘distinguishing feature’ in UDRP filings to successfully establish confusing similarity, even in cases where certain components of the registered mark have been disclaimed.

Frequently Asked Questions (FAQ)

Why were the domains rxtarsus.com and tarsusrx.com considered confusingly similar to the TARSUS mark?

The WIPO Panel determined that the term ‘TARSUS’ is the most distinguishing feature of the disputed domains. Despite the addition of the ‘rx’ keyword, the domains remained confusingly similar to the Complainant’s registered TARSUS mark, which the Complainant has used continuously since 2016.

How did the respondent attempt to establish credibility, and why was this deemed an illegitimate interest?

The Respondent used the ‘rx’ keyword to mimic a pharmaceutical supply chain presence, attempting to gain industry-specific credibility. The Panel found this use illegitimate because the domain was not used for bona fide offerings, but rather as a vehicle for active corporate impersonation.

What evidence was decisive in proving the Respondent acted in bad faith?

Bad faith was established by the Respondent’s active use of the domains to send fraudulent emails impersonating Tarsus Pharmaceuticals. These communications were specifically designed to deceive third parties into conducting unauthorized transactions and harvesting sensitive private information.

How did the procedural discovery process affect the outcome of this case?

The Complainant initially filed against a privacy service. During the UDRP procedural timeline, a registrar verification request revealed the true identity of the registrant, Justin Gear, allowing the Complainant to amend the filing and successfully secure the transfer of both domains.

Is your brand being impersonated?

Corporate impersonation through deceptive domains and email fraud can lead to significant financial loss and reputational damage. If you have identified unauthorized domains or fraudulent communications targeting your company, a UDRP strategy may help you regain control and protect your stakeholders.

Assess impersonation threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.