Internet | 1.09.2019

The big South African IP address heist – How millions are made on the “grey” market


Large chunks of South African Internet Protocol address space, worth millions of dollars on the open reseller market, have been stolen or are being squatted on by unscrupulous overseas network operators.

There are people now profiting off South African resources, and the only way to shut it down is if government agencies and corporate South Africa take it seriously.

These revelations were uncovered by Ron Guilmette, a California-based Internet sleuth who has been investigating the misappropriation of African IP address space since 2016.

Guilmette caught wind of the issue and reported it to various network operator mailing lists, but little came of it.

Over the past three months, he built a dossier on how Internet resources were being misappropriated in Africa and around the world.

He contacted two technology journalists in South Africa to help him chase leads from the southern tip of the world to see if his conclusions were accurate.

This article is a summary of the work we have been doing together for the past month.

What is at stake

The table below summarises the IP address blocks we have investigated so far.

“Registered owner” indicates who the registered owner was on the block when we started our investigation. Where a block has been reclaimed by its rightful owner, this has been noted.

For the sake of simplicity, we valued every address at $20. The actual price per address can be higher or lower.

One industry source told me that they have seen some blocks move for the equivalent of $30 per address.

An exchange rate of R14.25 per US dollar was used.

Altogether, the value of the blocks we investigated is at least R433 million. Considering that many of these addresses are “legacy” blocks, they may well be worth more.

IP address block(s) | Historical owner | Registered owner | Likely or confirmed current owner | Value of block(s) | Status
196.16.0.0/14, 196.4.36.0/22, 196.4.40.0/22, 196.4.44.0/23 | Infoplan | Network and Information Technology Limited | SITA | R75,440,640 | Ownership denied
165.52.0.0/14, 137.171.0.0/16, 160.184.0.0/16, 168.211.0.0/16, 192.96.146.0/24 | Cape of Good Hope Bank | CGHB / Cape of Good Hope Bank | Nedbank | R130,808,730 | Investigating
196.10.64.0/19, 196.10.61.0/24, 196.10.62.0/23, 160.121.0.0/16 | Nampak / Mega Plastics | Nampak / Mega Plastics | Nampak | R21,231,360 | Investigating
155.235.0.0/16 | Afrox MIS | Afrox MIS | Afrox | R18,677,760 | No feedback
152.108.0.0/16 | Transtel | Liquid Telecom | Liquid Telecom | R18,677,760 | Reclaimed
155.237.0.0/16, 169.129.0.0/16 | Sasol | Sasol | Sasol | R37,355,520 | Reclaimed
165.25.0.0/16 | City of Cape Town | City of Cape Town | City of Cape Town | R18,677,760 | Reclaimed
160.122.0.0/16 | Tredcor in South Africa | Tredcor in Seychelles | Goodyear | R18,677,760 | Declined to comment
168.80.0.0/15 | AECI Information Services in South Africa | AECI Information Services in Seychelles | DXC Technology | R37,355,520 | Ownership confirmed
165.3.0.0/16, 165.4.0.0/16, 165.5.0.0/16 | Wooltru | Wooltru | Woolworths | R56,033,280 | No feedback
160.115.0.0/16 | Columbus Stainless | Columbus Stainless | Columbus Stainless | R18,677,760 | Investigating

Why is an IPv4 address worth so much?

IP addresses are numbers assigned to devices on the Internet that allow them to communicate with each other. They take the form of four numbers between 0 and 255 separated by full stops.

These are known as IPv4 addresses, and the reason they have grown so expensive on the reseller market is because they are in short supply.

When you take into account special “reserved” addresses, there are only around 3.7 billion public IPs, and there is effectively no way to get your hands on one without buying or leasing it from someone else nowadays.

A new standard called IPv6 will likely make this market obsolete, as it has room for 340 undecillion addresses. That’s 340 with 36 zeroes behind it.

However, IPv6 has not yet been adopted widely enough, which means the reseller market for IPv4 addresses will be going strong for a few years yet.

Another factor that affects the price of an IP address is whether it is part of a “legacy” IP address block. Legacy address ranges were given out in the early days of the Internet, before regional registries like AFRINIC existed.

Those who hold legacy blocks do not have to pay AFRINIC annual fees for those IP addresses, whereas blocks that AFRINIC allocated attract membership or maintenance fees.

It should be noted that AFRINIC is not the only Regional Internet Registry facing challenges like this, and South Africa is not the only region targeted by unscrupulous IP address resellers.

In May, Krebs on Security reported that criminal charges were brought against one alleged fraudster who had scammed his way into controlling 735,000 IP addresses administered by ARIN — the American Registry for Internet Numbers.

His last sale, which was blocked in 2018, would have been for 327,680 IP addresses at $19 per address, for a total of $6.23 million.

Based on feedback from people in the industry, the price of an individual IP has grown substantially since then.

IP address theft and IP address squatting

For the purposes of this article, we’ll be talking about two distinct phenomena we’ve seen in the AFRINIC region, which we’ll be calling “theft” and “squatting”.

IP address theft is where someone has altered the Whois records at AFRINIC to change or obscure the ownership of an IP address block.

Whois, the concatenation of “who is”, is a type of database that stores information about Internet resources. It is commonly associated with domain names, but AFRINIC also maintains a Whois database for IP address blocks.

IP address squatting is where someone has taken control of a block of addresses, but has left the core Whois registration details intact.

Infoplan — 196.16.0.0/14

Infoplan was merged into SITA at the end of 1998, taking over the Infoplan building and physical assets as well as 751 full-time staff and 306 contractors. The SITA act of 1998 also explicitly names Infoplan as one of the departments that the agency was initially comprised of.

SITA acting CEO Ntutule Tshenye declined to comment on MyBroadband’s questions regarding ownership of the Infoplan IP address range, noting that it was never recorded as a SITA asset at the time of the merger.

The registration of the Infoplan organisation in the AFRINIC Whois database was altered in 2015.

First, the address was changed to point to a location in the Seychelles, then the name was changed to “Network and Information Technology Limited”.

The domain in the contact e-mail addresses used in the Whois database is “networkandinformationtechnology.com”. This points to 197.189.206.186, a shared hosting server at Hetzner, but it redirects to “nit.ae” — a company in Dubai, not the Seychelles.

A lookup in the Routing Assets Database (RADb) reveals “[email protected]” as the e-mail address connected to the block for routing purposes.

Figure: ping test to networkandinformationtechnology.com at the Hetzner IP

Figure: RADb record for 196.16.0.0/14

Cape of Good Hope Bank — 165.52.0.0/14

Much like SITA, Nedbank remains sceptical that it became the owner of valuable swaths of Internet resources when it acquired Cape of Good Hope Bank in 2003.

“Nedbank took control of Cape of Good Hope Bank and its business (including all assets) a few years ago. If this IP address block belonged to Cape of Good Hope Bank, Nedbank will be the rightful owner of the IP address block,” a spokesperson for the bank told MyBroadband.

“We are in the process of determining if the IP block indeed belonged to Cape of Good Hope Bank. Nedbank as a matter of course does everything within its control to protect its assets, including IP addresses. We are engaging with AFRINIC to establish ownership.”

The version history of AFRINIC’s Whois database clearly shows that these IP address blocks belonged to the Cape of Good Hope Bank.

The designated administrator for one of the blocks is Andrew Beverley, who Nedbank confirmed was an employee.

“We can confirm that Andrew Beverley was contracted to Nedbank for a period of 10 months from 1 July 2005 to 30 April 2006. It is understood that Beverley worked at Cape of Good Hope Bank but we are unable to confirm tenure,” the bank said.

196.10.64.0/19 — Nampak

Nampak also remains sceptical, but their name is on the block. All they have to do is take control of it and have their network services provider route it for them — in this case, Internet Solutions.

“Thank you for bringing this matter to Nampak’s attention that a number of IP addresses that were historically registered by Nampak and/or divisions of Nampak are being used by parties that are not authorised to use nor legally own them,” a spokesperson for the company told MyBroadband.

“Nampak is looking into this and our Information Management Services team is investigating the matter to be resolved in due course.”

At the time of publication, Cogent Communications was still advertising routes for Nampak’s IP address space, and traceroutes show that the traffic to the block goes through the network of FDCservers.net.

Figure: Nampak 196.10.64.0/19 BGP route from Hurricane Electric’s BGP search service

Afrox MIS — 155.235.0.0/16

Like the Nampak block, Afrox’s IP address space is routed into the network of FDCservers.net, with Cogent Communications advertising the routes for their client.

Afrox did not respond to multiple requests for comment on whether it had sold its block.

The RADb listings for this block were updated on 29 August, and pointed to [email protected]. This was after our e-mail interview with Elad Cohen, which is reproduced later in this article.

Transtel — 152.108.0.0/16

A network operator called LasVegas.net has been squatting on Transtel’s IP address space since at least 2018.

MyBroadband contacted Liquid Telecom for comment regarding the matter, as the company had acquired Neotel’s assets.

Liquid Telecom said that it reviewed the historical transaction documentation and came to the conclusion that it owns the block.

Sasol — 155.237.0.0/16

Duncan McLeod from TechCentral did the initial legwork with Guilmette, and met with Sasol staff regarding the squatters on its IP address block.

Like the Afrox and Nampak blocks, routing was being advertised by Cogent Communications and passing through the network of FDCservers.net.

Unlike the other two, the Sasol block had a RADb entry which pointed to [email protected]. (Since then, Cohen has created an RADb entry for the Afrox block. His RADb listing for Sasol’s block has also been deleted.)

Upon further prompting from MyBroadband, Alex Anderson, the senior manager for group external communications, provided the following statement:

Sasol confirms that it has regained control of its two US-registered IP address blocks that had been fraudulently advertised publicly without its knowledge. Sasol discovered the fraudulent activity during a routine control check in May this year.

The company’s Information Management team launched an investigation into the matter immediately. Working with its IT partners locally and in the United States, Sasol discovered that hackers temporarily took control of the IP address ranges by making unauthorized changes to registration records, including falsifying ownership documents of the blocks.

Sasol has owned the address blocks since the 1990s and has never announced their routes publicly. The dormant blocks are part of C-Class IP address ranges that Sasol has registered in the United States and Southern Africa, and has kept for future growth.

The address ranges were originally registered with ARIN and later transferred to Afrinic, which is the African regional Internet registry.

Sasol, working with its partners, has managed to regain control of its IP address blocks and switch off the advertisement of the assets.

We continue to work with investigation teams in the United States to safeguard the ownership of our dormant IP address blocks and protect them from further fraudulent activities by hackers.

Anderson also confirmed that the person listed as the administrative contact in the Whois record for its IP address block, Riaan Kotze, was an employee at Sasol years ago.

When asked, Anderson said that to the best of their knowledge, Kotze was not involved in helping squatters occupy Sasol’s IP address block.

“The hackers proceeded with a fraudulent letter in Mr Kotze’s name,” said Anderson.

“The IP addresses are still registered to Sasol on Afrinic, the contact details are outdated. The hackers provided a fraudulent letter to Cogent taking claim of the IP address, stating Kotze gave them permission to take the IP address.”

Sasol said it would not be possible for MyBroadband to see the fraudulent letter of authority, as it is still closing out its investigation as a matter of governance.

After MyBroadband asked Elad Cohen about the routing object for Sasol’s IP address listed in the RADb (embedded below), the route was deleted. This can be seen in the RADb record, where the keyword “route” has been changed to “*xxte”.

City of Cape Town — 165.25.0.0/16

An IP address block belonging to the City of Cape Town was being routed by Cogent Communications, with traffic going into the network of FDCservers.net.

When MyBroadband contacted the City of Cape Town for comment, it said that it was busy setting up its own Autonomous System (AS) and would be using the IP addresses in its own network.

In simple terms, an AS is a network under a single administration that advertises the IP address blocks it will accept traffic for. Those advertisements are exchanged using Border Gateway Protocol (BGP), the system that routes traffic between networks on the Internet.

Since MyBroadband first asked Cape Town for comment, it has launched AS328109 and is advertising routes to this block.
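As an added example (not part of the article), here is a small Python check of the kind a block holder could run over its own address space as a routine control: given the prefixes an organisation holds and the origin AS it expects to announce each one, it flags announcements that overlap a held block but come from another origin, and prices the exposed space at the article’s $20 per address and R14.25 per dollar. The holdings, the announcement list and the ASNs 64496/64497 (documentation range) are constructed sample data; only 165.25.0.0/16 with AS328109 and the two dormant Sasol blocks come from the article.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Valuation assumptions taken from the article: $20 per address, R14.25 per US dollar.
USD_PER_ADDRESS = 20
ZAR_PER_USD = 14.25

# A holding is (prefix, expected origin AS); None means the block is dormant and
# must never appear in BGP at all. An announcement is (prefix, origin AS).
Holding = Tuple[str, Optional[int]]
Announcement = Tuple[str, int]


def block_value_zar(cidr: str) -> float:
    """Rand value of a block at the article's $20/address and R14.25/$ rates."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses * USD_PER_ADDRESS * ZAR_PER_USD


def audit_announcements(holdings: List[Holding],
                        announcements: List[Announcement]) -> List[Dict]:
    """Flag announcements that overlap a held block but come from the wrong origin.

    Catches exact announcements, more-specifics (a /24 carved out of a held /16)
    and covering aggregates, and prices the address space actually exposed."""
    findings = []
    for ann_cidr, origin in announcements:
        ann = ipaddress.ip_network(ann_cidr, strict=False)
        for held_cidr, expected in holdings:
            held = ipaddress.ip_network(held_cidr)
            if not (ann.subnet_of(held) or held.subnet_of(ann)):
                continue  # no overlap with this holding
            if expected is None:
                reason = "dormant block announced"
            elif origin != expected:
                reason = "unexpected origin AS"
            else:
                continue  # legitimate announcement from the expected AS
            exposed = ann if ann.subnet_of(held) else held
            findings.append({"announced": str(ann), "origin_as": origin,
                             "holding": held_cidr, "reason": reason,
                             "value_zar": block_value_zar(str(exposed))})
    return findings


# Constructed sample data. 165.25.0.0/16 announced by AS328109 is the City of
# Cape Town case from the article and the two Sasol blocks are dormant; AS64496
# and AS64497 are documentation ASNs (RFC 5398) standing in for third parties,
# and 192.0.2.0/24 is TEST-NET-1.
SAMPLE_HOLDINGS: List[Holding] = [
    ("165.25.0.0/16", 328109),
    ("155.237.0.0/16", None),
    ("169.129.0.0/16", None),
]
SAMPLE_ANNOUNCEMENTS: List[Announcement] = [
    ("165.25.0.0/16", 328109),   # the city's own announcement: fine
    ("165.25.10.0/24", 64496),   # more-specific from a stranger: hijack candidate
    ("155.237.0.0/16", 64496),   # dormant block suddenly routed
    ("169.129.0.0/17", 64497),   # half of a dormant block routed
    ("192.0.2.0/24", 64497),     # unrelated prefix: ignored
]


def run_sample() -> List[Dict]:
    return audit_announcements(SAMPLE_HOLDINGS, SAMPLE_ANNOUNCEMENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['announced']} via AS{f['origin_as']}: {f['reason']} "
              f"(R{f['value_zar']:,.0f} of {f['holding']} exposed)")
```

In practice the announcement list would come from a looking-glass or route-collector export such as the Hurricane Electric BGP search the article uses for its screenshots.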

Figure: Hurricane Electric BGP query for 165.25.0.0/16

Tredcor — 160.122.0.0/16

Goodyear (Tredcor) declined to comment on whether it will try to secure an R18-million asset for its shareholders.

“Goodyear follows internal processes in dealing with matters pertaining to the Company. As this is an internal matter, we cannot comment further nor furnish you with detailed responses to your questions,” a spokesperson for the company told MyBroadband.

The changes in the AFRINIC Whois database for Tredcor’s block followed the same pattern discussed above: the address was modified to point to the Seychelles, and the e-mail address for the admin contact points to what appears to be a fake domain.

Unlike the other Whois records, the Tredcor block reports conflicting addresses: one in South Africa for the actual block of addresses, and one in the Seychelles for the organisation object attached to the block.

An RADb lookup points to [email protected].

AECI Information Services — 168.80.0.0/15

Brian Krebs investigated a block which once belonged to AECI Information Services in South Africa, and which Guilmette suspected ended up in the hands of a US company after a series of acquisitions.

“The IP in question was the property of [Hewlett Packard Enterprise] allocated to transfer as part of the merger of the Enterprise Services business of HPE and CSC to form DXC Technology,” said Richard Adamonis, DXC’s vice president of corporate communications, global marketing and communications.

“We continue to assess the transfer and intend to address any remediation appropriately.”

As with many of the other blocks we investigated, AECI’s address information in the AFRINIC Whois database was changed to the Seychelles in 2015.

The e-mail address that comes up in RADb queries is [email protected].

Wooltru — 165.3.0.0/16

Wooltru’s history was difficult to untangle, and establishing ownership could be tricky.

However, all indications are that the block should have gone to Woolworths after it was unbundled from Wooltru on 26 June 2002.

Woolworths is also using some of the IP address space registered to the old Wooltru, while another IP address allocation is being squatted on.

If you ping woolworths.co.za, it resolves to 165.4.7.124. That IP address is part of the 165.4.0.0/16 block, which is registered to Wooltru in the AFRINIC database.

The 165.3.0.0/16 block is being routed by Cogent Communications, and traceroutes linked back to FDCservers.net. An RADb lookup, once again, points to [email protected].

Woolworths did not provide comment by the time of publication.

Meet the buyers and ASN operators

During the course of this investigation, several names came up regularly, and two stood out:

Netstyle

Cohen said he bought all the blocks that we connected his name to, except for Sasol’s block (155.237.0.0/16). He also said he regrets ever buying them.

MyBroadband and Guilmette found Cohen’s e-mail address ([email protected]) connected to the following blocks in the global Internet routing database:

  • 196.16.0.0/14 — Infoplan
  • 168.80.0.0/15 — AECI Information Services
  • 155.237.0.0/16 — Sasol
  • 160.122.0.0/16 — Tredcor
  • 165.3.0.0/16 — Wooltru

Note that the Afrox block was only linked to Cohen after we interviewed him.

“We’re the owners of these ranges except 155.237.0.0/16, we purchased them through very big loans that we are still paying for and the transaction was made through a USA broker,” Cohen told MyBroadband via e-mail.

“Due to current issues with Spamhaus and all the damage that was caused to us due to Spamhaus’ actions, we’re very sorry that we purchased Afrinic Legacy ranges at the first place, currently we’re working on paying all the loans that we took, we have legal documents for our purchases.”

Cohen said he paid millions of US dollars for the blocks, but did not state which US-based broker he used.

When asked for the legal documentation regarding the purchases, he said: “The legal documents are with the USA lawyer involved, we will show them in any court.”

MyBroadband also asked Cohen why his e-mail address is listed with Sasol’s block in the Internet routing database if he said he does not own it.

His response:

Would you care about also the damage that Spamhaus is causing us after we took very high loans and made the transaction in a legitimate way? (with a lawyer, broker and escrow services)

If you don’t mind, we need to take care to pay back all the loans that we took to finance these purchases.

A source provided MyBroadband with documents which they say Cohen used to illegitimately take control of several IP Blocks. These documents are embedded at the end of the article. Cohen also declined to comment on the documents.

It is also worth noting that Cohen’s claims are at odds with those of DXC Technology. Cohen states that he legally purchased the 168.80.0.0/15 block, but DXC Technology said that those IP addresses belonged to Hewlett Packard Enterprise, and now they belong to DXC.

Inspiring Networks

Through a chance encounter, MyBroadband was able to establish that Uerlings has relocated from the Netherlands to South Africa.

MyBroadband and Guilmette found his networking company, Inspiring Networks, linked to the following blocks:

  • 196.10.64.0/19 — Nampak
  • 160.115.0.0/16 — Columbus Stainless

Uerlings told MyBroadband that he didn’t buy any of these IP addresses, but leased addresses in the Columbus Stainless block from Connectivity Internet.

As far as he was concerned, it was legitimate, he said.

“[Connectivity Internet] gave me a letter of authorisation and also counter-signed a route object in the AFRINIC database,” he said.

However, Uerlings soon got a call saying that he was not allowed to use the address space. He said that he was under the impression that Connectivity Internet could legitimately use the block and that the update of the Whois registration information was pending.

With regards to the Nampak block, Uerlings said that he has nothing to do with them at the moment.

Historical data shows that servers on the inspiringnetworks.com domain were configured as the reverse DNS servers for the Nampak block.

Uerlings was asked to provide documentation detailing his business arrangement with Connectivity Internet, but he did not provide feedback by the time of publication.

AFRINIC

MyBroadband reached out to AFRINIC about the issues relating to the manipulation of records in its Whois database.

A very curious anomaly we spotted was that in 2012, an AFRINIC employee was the designated administrative contact for the Cape of Good Hope Bank organisation in the Whois database.

He remained the administrative contact until 2013.

AFRINIC acknowledged our query but said that it will need some time to work through everything and provide a response.

“We shall come back to you in due course with a timeline,” said AFRINIC’s acting head of member services, Madhvi Gokool.


Afri Holdings Ltd Documents
