RC Security LLC, Otter Audits LLC, Robert Chen, and OtterSec LLC v; Redacted for Privacy, Privacy Service Provided by Withheld for Privacy ehf

Case

WIPO Case No. DIO2025-0008

14-07-2025

No judgment structure available for this case.

ARBITRATION

AND

MEDIATION CENTER

ADMINISTRATIVE PANEL DECISION

RC Security LLC, Otter Audits LLC, Robert Chen, and OtterSec LLC v.
Redacted for Privacy, Privacy Service Provided by Withheld for Privacy ehf

Case No. DIO2025-0008

1. The Parties

The Complainant is RC Security LLC, Otter Audits LLC, Robert Chen, OtterSec LLC, United States of

America (“United States”), represented Kaufhold Gaskin LLP, United States.

The Respondent is Redacted for Privacy, Privacy Service Provided by Withheld for Privacy ehf, Iceland.

2. The Domain Name and Registrar

The disputed domain name <ottersec.io> is registered with Sarek Oy (the “Registrar”).

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on March 26, 2025. On March 27, 2025, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On May 14, 2025, in the absence of a verification response from the Registrar, and at the Center’s request, the .IO registry transmitted by email to the Center its verification response confirming that the Respondent is listed as the registrant and providing the contact details.

The Center verified that the Complaint satisfied the formal requirements of the .IO Domain Name Dispute the WIPO Supplemental Rules for .IO Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on May 21, 2025. In accordance with the Rules, paragraph 5, the due date for Response was June 10, 2025. The Respondent did not submit any response. Accordingly, the Center notified the Respondent’s default on June 24, 2025.

The Center appointed Andrew D. S. Lothian as the sole panelist in this matter on June 30, 2025. The Panel
finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration
of Impartiality and Independence, as required by the Center to ensure compliance with the Rules,
paragraph 7.

page 2

4. Factual Background

The Complainants are Otter Audits LLC, RC Security LLC, OtterSec LLC, and Robert Chen.

Robert Chen is the founder of Otter Audits LLC and RC Security LLC, and was the co-founder of OtterSec code for companies operating on the blockchain that faced security vulnerabilities. Its services were provided under the OTTERSEC unregistered trademark. Said company is asserted to have experienced “explosive growth” and to have generated over USD 1 million in its first two months of operation.
LLC along with the late Sam Chen (acting on behalf of his then minor son, David Chen). Between February
14, 2022, and about October 6, 2022, when the Articles of Dissolution of OtterSec LLC were filed with the

Sam Chen died on July 13, 2022, and his death is said to have triggered a requirement for OtterSec LLC to be dissolved. Otter Audits LLC and RC Security LLC were formed by Robert Chen on September 13, 2022. Robert Chen states in a formal declaration made under penalty of perjury that on September 24, 2022,

OtterSec LLC’s assets were auctioned in a pre-publicized auction, that he (Robert Chen) was the high bidder in this auction, and that he paid USD 210,000 for various assets including the company’s trademarks, logos, domain name <osec.io>, website, social media accounts, code, and computers. The Complainants assert
that those assets were then transferred to RC Security LLC, which has licensed the intellectual property
rights including the OTTERSEC unregistered trademark to Otter Audits LLC. This latter company is engaged
in the business of security audits in a similar manner to the now-dissolved OtterSec LLC. The Complainants
state that OtterSec LLC continues to exist for the purpose of defending and prosecuting lawsuits pursuant to
United States law.

The Complainant RC Security LLC claims unregistered trademark rights in the OTTERSEC mark previously owned by OtterSec LLC. This mark was used prominently on the public audit reports delivered by OtterSec LLC from February 2022. The mark gained significant goodwill, embodied in its notoriety and multiple

positive testimonials, which the Complainants assert was transferred to RC Security LLC, and licensed in “ receives around 200,000 unique visitors every month, that the brand is frequently recommended on “Reddit” for security audits, and that it has been prominently used and displayed in sponsorship for international hacking tournaments and cybersecurity conferences. The audits prepared under the mark are said to be promoted by the subject blockchain companies to their millions of customers as proof of reliability and security, often being published as part of their own marketing.

turn to Otter Audits LLC. Evidence of such notoriety which the Complainants produce includes the fact that

The Complainants (with the exception of OtterSec LLC) are engaged in litigation in the United States District Court, District of Maryland, with the administrator of the estate of the late Sam Chen. The civil action was filed by the latter on March 31, 2023. The case originally included a variety of claims by the said estate arising out of the activities leading up to and during Robert Chen's dissolution of OtterSec LLC, namely a claim of violation of the United States Lanham Act, a breach of contract claim, and multiple state law tort claims, including breach of fiduciary duty, fraud, misappropriation and conversion, and tortious interference. On January 27, 2025, the Complainant’s Motion for Judgment on the Pleadings was granted in part, dismissing the Lanham Act claim, certain claims of breach of fiduciary duty against the company defendants, and certain claims against Robert Chen relating to alleged duties owed to OtterSec LLC and the estate of Sam Chen, or relating to the dissolution of OtterSec LLC, a misappropriation and conversion claim, and a tortious interference claim. The Motion was denied in part, and the case continues, in respect of certain other claims. Although this litigation does not relate to the disputed domain name itself, and paragraph 18 of the Rules (Effect of Court Proceedings) is not engaged, the Panel has narrated these details at some length because they are relevant to the content of the website associated with the disputed domain name.

The disputed domain name was registered on September 21, 2022. Nothing is known as to the identity of the Respondent, which remains hidden behind a privacy service, and whose identity has not been disclosed by the Registrar. According to the Complainant’s uncontradicted assertion, the website associated with the disputed domain name did not go live until August 2024, at a point where the Complainants had moved for

page 3

Judgment on the Pleadings in the above-described litigation. The website associated with the disputed domain name is headed with a banner taking the form of a disclaimer stating that it “is a non-profit site dedicated to the sharing of publicly available court records concerning OtterSec”. The banner adds that

these records can be found online on PACER (the United States Public Access to Court Electronic Records). The disclaimer also states that the website is in no way affiliated with the Complainants and provides a link to <osec.io>. Thereafter, the website contains what appear to be selected pleadings and/or exhibits from the
above litigation, including the reproduction of a partially complete civil docket list for the litigation, suggesting

that it has not been updated since July 26, 2024, being the date of the last entry in the list.

5. Parties’ Contentions

A. Complainants

The Complainants submit that they have unified interests in ensuring the protection of and clear title to the OTTERSEC trademark, and associated rights and interests, adding that they have a common grievance against the Respondent because its website appears to have been created to disparage the Complainants and harm their business through misrepresentation.

The Complainants assert that the disputed domain name is identical to the unregistered trademark OTTERSEC which they contend is well established through use in commerce and international business in the realm of security testing and audits, and which belongs to the Complainant RC Securities LLC, adding that the disclaimer on the website associated with the disputed domain name indicates that the Respondent expects viewers to be confused and misled by the disputed domain name. The Complainants narrate the basis on which the intellectual property of OtterSec LLC was transferred to RC Securities LLC as outlined in the factual background section above.

The Complainants contend that the website associated with the disputed domain name does not pretend to be a business, to offer any goods or services, or to stand for any enterprise, and has no legitimate noncommercial use, adding that its goal is to misleadingly divert consumers to a website aimed at tarnishing the reputation of the Complainants and the OTTERSEC trademark. The Complainants assert that the said website’s contents appear to be aimed at pushing a false and misleading narrative in support of a lawsuit against several of them which has already been substantially dismissed, noting that the Respondent has hidden its identity both on the website and in the WhoIs registration data.

The Complainants submit that the disputed domain name was registered in bad faith on the basis that it was registered at the precise time that OtterSec LLC was in the process of auctioning its trademarks and other intellectual property assets, adding that it appears that the Respondent registered the disputed domain name as part of a scheme to infringe on the goodwill and intellectual property assets being sold rather than bidding and purchasing those assets as part of the dissolution auction.

The Complainants contend that the disputed domain name is being used in bad faith to further allegations
made in a lawsuit, already substantially dismissed, which was filed against some of the Complainants. The
Complainants state that the substantially identical nature of the disputed domain name to the OTTERSEC
trademark is intentional, and that the Respondent knew that it would cause confusion and attract viewers
who intended to reach the website of the OtterSec security and auditing business, adding that the
piggybacking on the Complainants’ reputation is transparent because the Complainants are mentioned in the
banner on the website associated with the disputed domain name. The Complainants add that the content of
the website associated with the disputed domain name is curated to disparage the Complainants to viewers
who mistakenly and misleadingly end up on the site.

The Complainants conclude that the use of the disputed domain name must be in bad faith because the website contents, in full and without misleading editing, are publicly available on the Court’s website, which official site also reveals that the claims have been largely dismissed.

page 4

B. Respondent

The Respondent did not reply to the Complainant’s contentions.

6. Discussion and Findings

6.1. Procedural Consideration: Consolidation of Multiple Complainants

[1]).

[1] Noting the substantial substantive similarities between the Policy and the Uniform Domain Name Dispute Resolution Policy (“UDRP”)

As noted above, the Complainants request consolidation of their respective complaints into a single section 4.11.1
proceeding. Such consolidation is permissible when “(i) the complainants have a specific common grievance
against the respondent, or the respondent has engaged in common conduct that has affected Complainants
in a similar fashion, and (ii) it would be equitable and procedurally efficient to permit the consolidation”
(see SIX Swiss Exchange AG, and SIX Group AG v. Emrah Ucan, WIPO Case No. DIO2022-0044, and

Here, the Panel is satisfied that the Complainants are affiliates which have a common interest in protecting the OTTERSEC trademark and likewise a common grievance against the Respondent. Furthermore, the Respondent’s conduct has affected all of the Complainants in a similar fashion in light of their said common interest, and it cannot be overlooked that the banner on the website associated with the disputed domain name specifically references all of the Complainants by name, suggesting that the Respondent itself sees them as such affiliates or connected entities with a common interest. The Panel notes in addition that it appears equitable and procedurally efficient to permit the consolidation, and that the Respondent has raised no objection thereto.

In all of these circumstances, the Panel approves the consolidation request. For convenience, and unless the context otherwise requires, the Panel will refer to the Complainants as “the Complainant” in the remainder of this Decision.

6.2. Substantive Issues

A. Identical or Confusingly Similar

The Panel finds that the Complainant has established that it has rights in the OTTERSEC unregistered trademark for the purposes of the Policy. The Panel is satisfied that the Complainant’s social media presence, its public audits branded under said mark since February 2022, its testimonials and general prominence in the cybersecurity space, and its sponsorship of relevant industry events meet the standard that is typically required for the establishment of secondary meaning in the term concerned. WIPO Overview 3.0, section 1.3.

It may be seen that the second level of the disputed domain name is alphanumerically identical to the Complainant’s said unregistered mark. The applicable Top-Level Domain in a domain name is viewed as a standard registration requirement and as such is typically disregarded under the first element confusing similarity test. WIPO Overview 3.0, 1.11.1.

The Panel finds the first element of the Policy has been established.

page 5

B. Rights or Legitimate Interests

Panels under the Policy have recognized that where a complainant makes out a prima facie case that the respondent lacks rights or legitimate interests in the domain name concerned, the burden of production on this element shifts to the respondent to come forward with relevant evidence demonstrating rights or

legitimate interests in such domain name (although the burden of proof always remains on the complainant).
If the respondent fails to come forward with such relevant evidence, the complainant is deemed to have
satisfied the second element (WIPO Overview 3.0, section 2.1, and Corning Incorporated v. Michael Nava,
Domain Nerdz LLC, WIPO Case No. DIO2025-0002).

Here, the Complainant submits that the website associated with the disputed domain name does not appear to be a business or to offer any goods or services, does not stand for any enterprise, and has no legitimate noncommercial use, adding that it seems to be pushing a false and misleading narrative in support of the lawsuit described in the factual background section above, and that the Respondent has hidden its identity both on the website and in the WhoIs registration data. The Panel is satisfied that this reaches the requisite standard for the establishment of a prima facie case and therefore turns to the Respondent’s case in rebuttal.

International School of Temple Arts v. Eyal Shaham, WIPO Case No. D2025-1552, “While it is true that an Internet user accessing (at least the current version of) the Respondent’s website will see that it is a criticism site, that does not change the fact that the user will only be there because of the misleading nature of the disputed domain name (what the Respondent itself acknowledges to constitute ‘initial interest confusion’)”).

The Respondent has chosen to remain silent and has produced neither submissions nor evidence in support present on the website, given that, by the time any Internet user arrives at the website, a deception has already occurred by the disputed domain name impersonating the Complainant (see, for example,
of any rights or legitimate interests that it might have chosen to assert. Consequently, the Panel is left with
the disputed domain name and the associated website as the only items that might be capable of giving rise
to a rebuttal case. The disputed domain name is an exact match of the Complainant’s distinctive
unregistered trademark, and it is clear from the website banner that the Respondent is seeking to refer to
that trademark. The identity between the disputed domain name and the Complainant’s mark means that the
disputed domain name falsely signals an affiliation with the trademark owner where none exists. There are
no additional words in the disputed domain name (for example, any word or words signaling the presence of

noncommercial criticism; examples in previous cases being terms such as “sucks” or expletives).

materials arising from the litigation described in the factual background section above. It is difficult for the
Panel to characterize this as noncommercial criticism, whether genuinely intended or otherwise, given that
they appear mainly to be direct extracts from the pleadings and, possibly, from exhibits produced in the said
litigation. There is no commentary present, for example, and while some of the selections and the
highlighting of certain text may have been made in an attempt to cast the Complainant in a poor light, it is not
certain that this was the Respondent’s intention. Crucially, the Respondent has not appeared to explain
what point it intended to make via the website content. On the one hand, the website may be attempting to
engage in noncommercial criticism or a non-critical exercise in free speech, while on the other, the website
may be a pretext for cybersquatting in that the disputed domain name may have been intended to disrupt the

The content on the website associated with the disputed domain name consists of reproductions of selected discussed in the section on registration in bad faith below.

If the Panel were to view the website associated with the disputed domain name as a criticism site, further
considerations would arise. First, such criticism would have to be genuine and noncommercial
(see WIPO Overview 3.0, section 2.6.1). Here, there is some ambiguity as to what the content is trying to do
and whether it represents a genuine attempt at free speech, although the Panel notes that the site is
expressed to be noncommercial in the banner heading. The content appears to consist of selected text from
the litigation, which is highlighted in some passages, but that is as far as it goes. In any case, panels under
the Policy typically find that even a general right to legitimate criticism does not necessarily extend to
registering or using a domain name that is identical to a trademark (i.e., <trademark.tld>), as here. Even

page 6

where such a domain name is used in relation to genuine noncommercial free speech, panels tend to find
that this creates an impermissible risk of user confusion through impersonation. WIPO Overview 3.0,
section 2.6.2.

For completeness, the Panel notes that it declines to apply United States First Amendment principles to its analysis of the website associated with the disputed domain name, insofar as these might be applicable or relevant within that jurisdiction, noting in particular that the Respondent is based in Iceland rather than in

taking place in the United States between United States-based parties (see also the discussions in 1066
Housing Association Ltd. v. Mr. D. Morgan, WIPO Case No. D2007-1461 and The Chemours Company
LLC v. WhoIs Agent, Domain Protection Services, Inc. / Gabriel Joseph, Clearer Technology, WIPO Case

the United States even though the content of the website appears to refer to litigation that is currently proceedings under domain name dispute resolution policies).

In light of the above analysis, the Panel finds that the second element under the Policy has been established.
C. Registered or Used in Bad Faith

Unlike the UDRP, which requires that a complainant prove both bad faith registration and use, under the .IO Policy it is sufficient for a complainant to prove that either registration or use of the disputed domain name is in bad faith to succeed under the third element.

Paragraph 4(b) of the Policy sets out a list of non-exhaustive circumstances that may indicate that a domain name was registered or used in bad faith, but other circumstances may be relevant in assessing whether a respondent’s registration or use of a domain name is in bad faith. WIPO Overview 3.0, section 3.2.1.

Given the incorporation of an exact match of the Complainant’s OTTERSEC mark in the disputed domain name, supported by the reference to the Complainant in the banner on the associated website, the Panel finds it established that the disputed domain name was registered in the knowledge of the Complainant’s unregistered mark. The date of registration of the disputed domain name was September 21, 2022. This date is of some significance within the factual matrix as it comes shortly after the dissolution process in

respect of OtterSec LLC had been commenced and shortly before that company’s assets were put up for
auction. By contrast, the first filing in the litigation subsequently referred to on the website associated with
the disputed domain name did not take place until March 31, 2023, and, according to the Complainant’s
uncontradicted submission, no content on that subject or otherwise was published on such website until as
late as August 2024.

In these circumstances, the Panel finds that the timing of the registration of the disputed domain name is likely to have had more to do with the then imminent auction of the Complainant’s intellectual property assets than it had anything in particular to do with an intent to publish criticism or make some other exercise of freedom of speech at a much later date (noting also the ambiguity in the nature of the website content as discussed in the preceding section). The Panel therefore accepts the general thrust of the Complainant’s submissions that in registering a domain name that was identical to the Complainant’s well established unregistered mark, at the material time, the Respondent was more probably than not seeking in some way to disrupt the orderly dissolution of OtterSec LLC, and/or the then imminent and pre-publicized auction of its assets. To the Panel’s mind, that cannot be a good faith motivation for the registration of the disputed domain name.

While the Respondent’s failure to file a Response does not automatically result in a decision in favor of the Complainant, the Panel may draw appropriate inferences from the Respondent’s default (see, for example, Mr. Piers Morgan, Wake Up Productions Limited v. W NA, H, WIPO Case No. D2025-0882). The Panel finds

it to be particularly notable in the present case that the Respondent has chosen neither to attempt to
contradict any of the Complainant’s submissions, nor to explain its position, nor to attempt to shed any light
upon why it registered the disputed domain name at the material date. The nature of the Respondent’s
website content, which was published almost two years after registration of the disputed domain name, does

page 7

recent times was itself not commenced until some six months after the disputed domain name was
registered. In all the circumstances of the present case, the Panel makes an adverse inference against the
Respondent in light of its failure to address the Complainant’s case on registration in bad faith.
Consequently, and in the absence of any clarification by way of submissions or evidence from the

not assist the Panel on this issue. It must be borne in mind that the litigation described on the site in more bad faith.
In all of these circumstances, the Panel determines that the third element of the Policy is established. It is not necessary within the framework of the Policy for the Panel to go on to consider whether the Respondent is using the disputed domain name in bad faith and, for reasons of economy in decision-making, the Panel declines to do so.
7. Decision
For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name, <ottersec.io>, be transferred to the Complainant RC Security LLC.
/Andrew D. S. Lothian/
Andrew D. S. Lothian
Sole Panelist
Date: July 14, 2025

(except to the extent of relevant differences between the policies, such as the absence of a conjunctive requirement for bad faith), the
Panel has referred to the WIPO Overview 3.0 and prior UDRP cases, where appropriate (see also Corning Incorporated v. Michael
Nava, Domain Nerdz LLC, WIPO Case No. DIO2025-0002).

Actions
Download as PDF Download as Word Document


Cases Citing This Decision

0

Cases Cited

0

Statutory Material Cited

0