5 May, 2026

WIPO orders transfer of carrefonr.com to Carrefour, revealing keyboard-typo vulnerability

UDRP Cases

Carrefour SA successfully secured the transfer of the domain <carrefonr.com> in WIPO case D2025-4568. The panelist ruled that the single-letter keyboard typo (‘n’ instead of ‘u’) constituted deliberate typosquatting. Despite resolving to an inactive error page, the domain was found to have been registered and used in bad faith by Theresa Chavez.

Case Snapshot

Case Number D2025-4568
Complainant Carrefour SA
Respondent Theresa Chavez
Disputed Domain
carrefonr.com
Threat Tactic Typo Domains
Decision Date 2025-12-23
Panelist Xu Lin
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4568

Keyboard Typo Vulnerabilities and the Threat of Latent Domain Weaponization

The registration of the disputed domain <carrefonr.com> exploits a highly specific keyboard-proximity typographical error, substituting the letter ‘u’ with the adjacent letter ‘n’. For a global retail pioneer like Carrefour SA, which operates over 14,000 stores across more than 40 countries, this minor variation exposes a critical gap in preventive domain portfolio controls. When brand owners do not defensively register or block highly predictable typosquatting variants, they leave their brand equity vulnerable to third-party registrations that capitalize directly on manual user input errors.

Although the disputed domain resolved to an inactive error page under a passive holding state, its existence presented immediate corporate risks. Inactive domains mimicking major trademarks are highly susceptible to future weaponization, including phishing campaigns, fake retail operations, or corporate impersonation. Leaving such gaps unresolved in the domain portfolio forces brands to monitor dormant threats continuously, exposing them to sudden operational disruptions if the domain is suddenly activated for fraudulent purposes.

Furthermore, the registrar registration records show the Respondent utilized a privacy proxy service, ‘Private by Design, LLC’, through Porkbun LLC to conceal their identity. This tactic of identity concealment combined with tactical typosquatting increases corporate enforcement costs by forcing brands to rely on reactive WIPO UDRP filings rather than proactive, automated domain blocking. To mitigate these recurring legal expenditures, enterprise brand protection programs must prioritize defensive registration strategies for common keyboard typos.

Evidentiary Strength of Global Brand Recognition and Typographical Exploitation

The Complainant’s strategy succeeded primarily due to the undeniable historical and commercial weight of its trademark evidence. Carrefour SA established an extensive global presence dating back to its founding in 1959, backed by over 14,000 retail stores across more than 40 countries and early intellectual property rights, specifically International Registration No. 351147 registered in 1968. Presenting this massive operational footprint made it virtually impossible for the Respondent, Theresa Chavez, to argue any plausible unawareness of the brand. This established that the replacement of the letter ‘u’ with the adjacent letter ‘n’ in the disputed domain <carrefonr.com> was not a coincidence, but a deliberate case of typosquatting aimed at exploiting keyboard errors.

Furthermore, the Complainant’s legal approach successfully navigated the challenges of passive holding and privacy shield obstacles. Although <carrefonr.com> resolved to an inactive error page and had never hosted active content, the Complainant successfully argued that the Respondent’s use of a privacy service (Private by Design, LLC) and passive storage of a typo-infringing domain constituted bad faith registration and use. By demonstrating that the deliberate imitation of a famous retail mark to capture adjacent-key typographical errors is inherently incompatible with a bona fide offering of goods or services, the Complainant secured a transfer. For brand owners, this highlight reveals a critical portfolio gap regarding physical-proximity keyboard typos that proactive defensive registrations could preempt, while demonstrating that reactive UDRP filings remain highly persuasive when such gaps are exploited.

Practical Recommendations

  • Perform a systematic keyboard-proximity audit for all core brand marks, specifically identifying and defensively registering adjacent-key variations (such as substituting ‘u’ with ‘n’ on QWERTY layouts) to close obvious typosquatting gaps.
  • Implement registry-level trademark protection programs and blocking services to secure trademark variations globally across multiple gTLDs, avoiding the prohibitive cost of registering and maintaining individual defensive domain portfolios.
  • Establish automated brand monitoring that tracks newly registered domain name variations featuring known privacy proxy services (such as ‘Private by Design, LLC’) to identify potential threats immediately upon registration.
  • Monitor inactive or passively held typo domains for changes in MX (Mail Exchange) record configurations, which can indicate that a domain resolving to an error page is being prepared for silent phishing or email spoofing campaigns.

Frequently Asked Questions (FAQ)

Why was the domain <carrefonr.com> considered confusingly similar to the CARREFOUR trademark?

The WIPO panelist determined that replacing the letter ‘u’ with an ‘n’ is a minor typographical variation intended to mimic the well-known CARREFOUR mark. This constitutes clear typosquatting, as the alteration does not distinguish the domain from the protected brand.

What evidence proved that the Respondent lacked legitimate rights or interests in the domain?

The domain was used for passive holding, resolving only to an inactive error page. The panel found that such conduct, combined with the deliberate imitation of a famous brand, is inherently incompatible with a bona fide or legitimate offering of goods or services.

How did the panel establish that the domain was registered and used in bad faith?

Bad faith was confirmed because the Respondent specifically targeted a globally recognized brand for no plausible purpose other than to capitalize on or disrupt Carrefour SA’s reputation. The use of a privacy service to conceal identity further supported the finding of bad faith.

What does this case reveal about the limitations of reactive UDRP filings?

The case highlights that while UDRP is effective for recovery, relying on it is a reactive and costly strategy. It underscores a critical gap in preventive controls for keyboard-proximity typos, suggesting that enterprise portfolio management should prioritize proactive blocking of such variations before they are weaponized.

Is your brand vulnerable to keyboard-based typosquatting?

Carrefour’s recovery of ‘carrefonr.com’ highlights how simple keyboard proximity errors can lead to brand abuse. Don’t wait for a costly UDRP process—audit your domain portfolio for high-risk variations today.

Start domain recovery

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.