After a long negotiation process between my DNS provider and the registrar of the domain thieves, virtual.net is back where it has belonged since early 1993: with me. Huzzah!
My advice, in retrospect, is that if your domain is hijacked, immediately file with ICANN, over the protests of your registrar if necessary. Fortunately I got my domain back, but if the remote registrar had not finally given it back (after making my registrar send some kind of “we won’t sue you” papers), I’d have been SOL, as the ICANN waiting period for opening a case had already expired.
How did I eventually lose the domain? My provider offers both secure and non-secure login pages, and I believe that I accidentally logged into a non-secure page while at a public wireless location. At first we thought my email provider had been compromised, but we found nothing but my home network access in the logs, and no suspicious activity. The fact that the thieves had to change the contact email to “email@example.com” to get the transfer key is further proof that they had no access to my email.
If your provider offers non-secure login pages, make a bookmark to their secure page and only use that bookmark for login, never surf there directly or use a sidebar login on a provider’s main page– unless it says “secure login”. There’s really no excuse for offering non-secure logins in this age of ubiquitous wireless– I’ve mentioned to my provider that they’re a bad idea, we’ll see if they go away. I was on my laptop, with a new hard drive, and I hadn’t pulled over my bookmarks yet, so I think that’s how I screwed up.