5 May, 2026

Philip Morris Secures Transfer of Cloned ZYN Brand Registration Portal

UDRP Cases

Philip Morris International and Swedish Match North Europe successfully secured the transfer of zyn2.com from respondent Jun Zhao. The respondent used a third-level subdomain to host a cloned interface promoting ZYN nicotine pouches and harvesting user registration data. A WIPO panelist ruled the domain was registered and used in bad faith, ordering its immediate transfer.

Case Snapshot

Case Number D2025-4627
Complainant Philip Morris International, Inc.Swedish Match North Europe
Respondent Jun Zhao
Disputed Domain
zyn2.com
Threat Tactic Typo Domains
Decision Date 2025-12-19
Panelist Alfred Meijboom
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4627

Geographic Impersonation and Credential-Harvesting Threats to Brand Integrity

The combination of numeric typosquatting in the primary domain ‘zyn2.com’ and the strategic deployment of the third-level subdomain ‘us.zyn2.com’ creates an immediate threat of geographic impersonation and customer-trust erosion. By utilizing a localized subdomain, the unauthorized site directly targets North American consumers seeking legitimate regional distribution channels. The prominent display of the registered ZYN trademark alongside authorized-style marketing copy—such as ‘fresh nicotine satisfaction, with ZYN Nicotine Pouches’—falsely implies official corporate backing or regional affiliation. This tactic misleads consumers, diverts legitimate traffic, and erodes trust in the official online presence of Philip Morris International and Swedish Match North Europe.

Furthermore, the deployment of a user registration portal on the cloned website introduces critical cybersecurity risks and potential corporate liability. By actively prompting visitors to register, the site functions as a credential-harvesting interface designed to collect sensitive personal information. Although the record contains no evidence confirming that the respondent successfully compromised specific user accounts, stole funds, or dispatched active phishing emails, the mere existence of a cloned login interface represents a severe brand threat. For brand owners and intellectual property professionals, this case demonstrates how quickly a domain can pivot from a passive ‘Coming soon’ parking page to an active, high-risk fraudulent portal, requiring swift legal intervention before active security breaches occur.

Evidentiary Precision and Procedural Agility Deliver Clear Transfer Ruling

The Complainants’ legal strategy succeeded by demonstrating that the addition of the single digit "2" to the registered "ZYN" trademark was entirely non-distinctive, establishing clear confusing similarity under the first element of the UDRP. Rather than relying solely on the trademark registrations dating back to 2018, the Complainants provided concrete evidence showing how the disputed domain transitioned from a "Coming soon" parking page after its registration in April 2025 to an active entity by October 2025. By documenting the deployment of the regional third-level subdomain "us.zyn2.com" which featured the ZYN trademark and promoted "ZYN Nicotine Pouches," the Complainants clearly demonstrated a calculated effort to mimic legitimate localized market channels. This evidence of subdomain manipulation and brand impersonation left the Panel with clear grounds to find that the Respondent had no rights or legitimate interests.

Crucial to the resolution of the dispute was the Complainants’ swift procedural response after the registrar, GoDaddy, unmasked the registrant behind the proxy service "Domains By Proxy, LLC/ZYN2" as Jun Zhao. The Complainants filed an amended complaint shortly after receiving the registrar verification, maintaining momentum and securing a default holding when the Respondent failed to reply. By documenting the presence of deceptive registration forms on the cloned interface, the Complainants successfully argued that the domain was actively deployed to target the brand’s customer base for unauthorized personal data harvesting. While there was no evidence confirming active phishing emails or completed financial theft, establishing the presence of a cloned credential-collection portal was sufficient for Panelist Alfred Meijboom to find bad faith registration and use under the Policy.

Practical Recommendations

  • Expand defensive domain registration and monitoring strategies to systematically include numeric typosquatting variations, such as the core brand mark appended with non-distinctive single digits (e.g., [Brand]2.com).
  • Implement subdomain-level DNS and SSL certificate monitoring to detect unauthorized regional indicators (e.g., ‘us.brand.com’ structures) that mimic localized market channels.
  • Establish automated tracking alerts for newly registered domains containing the brand mark that initially resolve to passive ‘Coming Soon’ or parking pages, ensuring immediate escalation when they transition to active hosting.
  • Document and archive unauthorized user registration forms or credential-harvesting portals immediately upon discovery to secure clear evidence of deceptive bad faith use for UDRP filings, even before active phishing email campaigns are verified.
  • Consolidate brand enforcement protocols between parent organizations and subsidiaries to allow coordinated, joint UDRP actions using combined international trademark portfolios against offshore entities.

Frequently Asked Questions (FAQ)

Why was the domain zyn2.com considered confusingly similar to the ZYN trademark?

The WIPO panel found the domain name confusingly similar because it fully incorporated the ZYN trademark, while the addition of the number ‘2’ was deemed non-distinctive and insufficient to prevent consumer confusion.

How did the respondent demonstrate a lack of rights or legitimate interests in the domain?

The respondent had no authorization or license to use the ZYN trademark. Furthermore, the respondent failed to provide any evidence of legitimate noncommercial or fair use, choosing instead to default and remain silent during the proceedings.

What evidence proved the respondent acted in bad faith?

Bad faith was established by the respondent’s use of the domain to host a cloned, phishing-style website. By mimicking the ZYN brand and prompting users to register through an unofficial ‘us.zyn2.com’ portal, the respondent clearly intended to deceive users into harvesting their personal data for commercial gain.

What was the specific tactical danger posed by this phishing site?

The site utilized a deceptive third-level subdomain (‘us.zyn2.com’) to create a false appearance of a legitimate regional branch. This tactic sought to lower user defenses, tricking them into providing sensitive personal information under the guise of an authorized ZYN nicotine product portal.

Detecting Look-Alike Domains Before They Target Your Customers

As seen in the ZYN case, attackers use subtle typosquatting and subdomain manipulation to host credential-harvesting portals. If you are concerned about look-alike domains exploiting your brand to capture user data, we can help you assess your exposure and take decisive action.

Start domain recovery

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.