tldr: XYZ infrastructure is literally collapsing, they couldn't transfer in one of their own domains without a staff override.

  1. Initial transfer attempt
    • Namecheap e-mails me the “transfer Authorization Code”
    • web interface claims “Invalid EPP Code”
  2. I contact support
    • staff tells me“Please request a new EPP code from Namecheap”
  3. I contact Namecheap support via web chat
    • “I need a new EPP for my domain,; XYZ support told me to request a new one because the one I was sent was invalid.”
    • Namecheap: “For your convenience, I have generated a brand new Auth/EPP code and sent it to you.”
    • It, too, yields “Invalid EPP Code”
    • Namecheap: “As I've checked, the Auth code is valid.”
  4. I return to pester support
    • “I'm trying to transfer my domain from Namecheap, but their EPP codes don't seem to work. The latest one they sent me is …”
    • XYZ replies “Thank you for reaching out to the Support Team. I have manually created the order.”
      • They put a different domain on my account, and invoiced me for it.
      • I paid the invoice before noting their mistake 🤦
    • “I'm sorry, but on closer inspection, I was given the wrong domain. I'm trying to transfer in (the domain which is in my e-mail address and which I was trying to register in previous screenshots), but the domain that was just put on my account is”
    • “Apologies for the typo, I misread. I have created the order for the correct domain.”
    • I pay the (legitimate) invoice
    • Status: “Pending Transfer”… but also, disturbingly, still in my “Cart” on-site. And opening the cart reminds me that the EPP I've entered is still invalid.
    • After several days, it transfers over to GenXYZ!
  5. I return again to pester support, to request a refund
    • “When resolving support ticket #████, I was wrongly invoiced for this domain. I did not order this domain, and paying this invoice was a mistake on my part. Will you refund this? …, with an "o"; I did not order it; invoice #████ was unsolicited.”
    • After a few days, the refund arrives!

I have a creeping suspicion that they might be vulnerable to social-engineering attacks…

Leave a Reply

Your email address will not be published. Required fields are marked *

Warning: This site uses Akismet to filter spam. Until or unless I can find a suitable replacement anti-spam solution, this means that (per their indemnification document) all commenters' IP addresses will be sent to Automattic, Inc., who may choose to share such with 3rd parties.
If this is unacceptable to you, I highly recommend using an anonymous proxy or public Wi-Fi connection when commenting.