How Internet resources worth R800 million were stolen and sold on the black market
The theft and sale of large swaths of valuable African Internet resources was an inside job, Internet investigator Ron Guilmette has concluded after five months of detective work.
Documents obtained from industry sources and public records in Uganda show that at least one insider at AFRINIC is also a shareholder of a company that received money for selling IP addresses.
That insider is Ernest M. Byaruhanga, Guilmette said. Byaruhanga was the second employee to be hired at AFRINIC in 2004, after former CEO Adiel Akplogan.
The African Network Information Centre (AFRINIC) is the Regional Internet Registry for Africa and the Indian Ocean region. It is headquartered in Mauritius and is responsible for assigning IP address blocks and keeping track of assignments within its service region.
Guilmette’s research showed that AFRINIC’s public database of IP block assignments was manipulated by one or more bad actors.
AFRINIC has confirmed that it is conducting an internal investigation regarding the allegations that its databases were tampered with and that IP address blocks were stolen.
Recently appointed AFRINIC CEO Eddy Kayihura said that the issue is complex and, as a result, AFRINIC’s independent investigation is still ongoing. Kayihura said that the investigation is reaching its conclusion.
“It would not be proper for us to either directly or indirectly comment on the said allegations,” Kayihura said.
Guilmette, who is based in California, discovered the issue afflicting the African Internet in the course of his mission to try and rid the Internet of spammers. He reported his discoveries to various network operator mailing lists in 2016 and 2017, but little came of it.
Despite the lack of action or interest, Guilmette continued his work, and over the past five months he has built a sizeable dossier on how Internet resources were being misappropriated — in Africa and around the world.
MyBroadband has been working with Guilmette since August 2019, when he presented evidence that large chunks of South African Internet Protocol address space had been stolen or squatted on by unscrupulous overseas network operators.
The IP address blocks in question are worth tens of millions of US dollars on the open reseller market.
In total, the blocks that were the subject of this article and our previous report are worth an estimated $54 million, which is over R800 million at the current exchange rate.
Title deeds for the African Internet
Internet Protocol addresses – called IP addresses, or IPs for short – are like Internet real estate.
When you type “mybroadband.co.za” into your address bar, your browser first has to translate that domain name into an IP address. To access websites from your computer or phone, you also need to have an IP address from your Internet service provider.
Essentially, everyone online needs an IP address. Unfortunately, most of the Internet is still using an old addressing system, and this older type of IP address has become a relatively scarce resource.
This old addressing system is a standard called Internet Protocol version 4 (IPv4). It only makes provision for around 3.7 billion public IPs.
IPv4 is to be replaced with a newer system called IPv6, which has 340 undecillion addresses. That’s 340 with 36 zeroes behind it.
Internet Registries around the world have run out of available IPv4 addresses to give to organisations to use. That is why blocks of consecutive IPv4 addresses have become so valuable.
While AFRINIC still has unassigned blocks of IP addresses, it has entered what it calls “IPv4 Exhaustion”. This means that it is running out of IPv4 addresses to give out.
One of AFRINIC’s key functions is maintaining a database of IP address block assignments. It makes this information publicly available through a standard called “WHOIS”.
As the name implies, such databases are intended to answer the question of who someone (or something) on a network is.
If you think of IP addresses like Internet real estate, then the AFRINIC WHOIS database is like the deeds office for the African Internet.
However, several of the title deeds have been manipulated to give Internet real estate to entities that shouldn’t have it, Guilmette said. What happens when you can no longer trust the deeds office?
Guilmette also said that the evidence indicates that one or more bad actors manipulated numerous specific records in AFRINIC’s WHOIS database. He said that much of the IPv4 address space affected in this way was sold or leased to a variety of Internet companies.
The red flag
At the end of our previous report on The Great African IP Address Heist, we noted that there was something strange about one of the records in the AFRINIC WHOIS database.
We spotted that in 2012, an AFRINIC employee was the designated administrative contact for the Cape of Good Hope Bank (CGHB) organisation in the WHOIS database. He remained the administrative contact until 2013.
That person was Ernest M. Byaruhanga – a trace of the historical information from the AFRINIC WHOIS database is included at the end of the article.
Byaruhanga’s presence as the administrative contact person on the CGHB record was curious. Even more curious was the fact that Nedbank acquired Cape of Good Hope Bank in 2003.
This raises several questions — Why was there activity on its record in the AFRINIC WHOIS database at all, let alone involving an AFRINIC staff member? Why was the long-defunct CGHB entity awarded new IP address space on 18 July 2014, more than ten years after the company had been absorbed into Nedbank?
MyBroadband asked AFRINIC for comment on Byaruhanga’s appearance as an admin contact in the WHOIS record for CGHB back in August.
When we asked Kayihura the same question for this article, he declined to comment. He explained that AFRINIC can only provide answers to questions that are not under the framework of their ongoing investigation.
A preposterous stroke of luck
While the historical WHOIS records of CGHB raised red flags, there were any number of reasons Byaruhanga may have been attached to it as an admin contact.
At this point in our investigation, it was still necessary to assume that simple clerical errors at AFRINIC were to blame. This assumption was soon challenged by a preposterous stroke of luck.
While vacationing with their family, one of my industry contacts met a man who revealed that he was an IP address broker. For the sake of convenience, we will refer to the IP broker as Daniel (not his real name).
Daniel told my industry contact how he had uncovered corruption inside AFRINIC, and how he tried to report it to the then-CEO, Alan Barrett.
My contact offered to introduce Daniel so that he could tell his story to a journalist and possibly have it reported. He agreed to provide information on condition of anonymity.
Daniel claimed that he had sent proof to Alan Barrett that Ernest Byaruhanga was either stealing or helping to steal IP address blocks, and selling them on the black market.
When asked about Daniel’s information, Barrett confirmed he did receive such allegations. He said that Daniel contacted him from an anonymous e-mail address and that the evidence was not clear or persuasive enough to justify opening an investigation.
Daniel sent the evidence he gathered to me, but unfortunately, he did not include any verifiable documents. He also did not forward any of the original e-mails he cited as evidence.
This was to protect his anonymity, Daniel said, as he did not want to expose his myriad aliases.
All of it checked out in the end, and one piece of information turned out to push the investigation forward significantly – payments for the stolen IP address blocks were apparently going to a Ugandan company named Amiek Holdings Limited.
Another stroke of luck
Shortly after Daniel told us his story, Guilmette received documentary proof from an entirely separate and trustworthy industry source.
This included e-mails from 2012 between a person who called himself Inno Byaruhanga and an e-mail service provider called TotalSend.
The person identifying himself as Inno offered to sell TotalSend a block containing 1,024 IP addresses for $2,500 (USD).
In addition to the e-mail exchange, the documents included TotalSend’s instruction to its bank to pay a company called Amiek Holdings for the IP addresses.
MyBroadband contacted TotalSend, which confirmed that the e-mails looked authentic. It also provided additional e-mails that give context to the transaction.
These documents are included at the end of the article.
TotalSend
In 2012, TotalSend wanted to expand its business and enquired about getting its own block of IP addresses from AFRINIC.
TotalSend is incorporated in Mauritius and has offices in South Africa, but at the time its infrastructure was hosted on Linode in the United Kingdom.
As the e-mails show, for TotalSend to receive IP addresses, AFRINIC required that it move its infrastructure from London to somewhere in Africa.
“The problem the business faced at that point was that it was registered in Mauritius which falls under AFRINIC, but it had no real presence or servers based in Africa,” TotalSend general manager Duncan Land told MyBroadband.
“The business at the time was only a couple of people (based in South Africa), and needed IPs urgently to meet expansion,” he said.
“Getting these [IP addresses] from ISPs was not scalable,” said Land. “They hate hosting e-mail providers as abuse complaints come with the territory.”
“That’s when Inno popped on to the scene and offered to sell us a range, and his approach and ownership of the IPs checked out at face value,” said Land. “We proceeded and everything went smoothly, so we had no reason to doubt any legitimacy.”
TotalSend’s conversation with AFRINIC happened on 11 and 12 September 2012, and the person identifying themselves as Inno Byaruhanga made contact on 30 September 2012.
Land told MyBroadband that they didn’t think much of the timing of Inno’s contact at the time. When it became clear that TotalSend could not get IP addresses from AFRINIC directly, they had made it known far and wide that the company was looking to acquire a block of addresses.
Land said that he has no idea whether Inno was actually Ernest. He could only confirm that they received an invoice from Amiek Holdings and that they paid it.
“What I can confirm from our experience is that the company Inno represented had control over the IP range purchased,” Land said.
“When we received communication to say ITC had made the required changes to WHOIS, we received the expected notifications from AFRINIC — there was no reason to suspect a false identity.”
ITC is the entity in the AFRINIC WHOIS database which has control of the IP address block that TotalSend purchased a portion of.
TotalSend paid $2,500 (USD) to Amiek Holdings for a block of 1,024 IP addresses. The technical notation for the block in question is 196.45.112.0/22.
Amiek Holdings and IPv4 Leasing
In South Africa, if you want to know who the directors of a company are, you can look it up online so long as you have an account with the CIPC. This is not the case with Uganda’s government-run company registry, the URSB.
The URSB has an online system which lets you query whether a company with a specific name or number exists, but if you want to know anything more you have to visit its offices in Kampala.
Undeterred by this complication, Guilmette found a runner in Kampala who obtained the documents we needed. Scans of those documents are included at the end of the article.
The documents show that the only shareholders of Amiek Holdings are Ernest Byaruhanga and members of his immediate family.
He and a woman named Annette are the directors and majority shareholders, holding 35% of the company each. Three minors with the surname Byaruhanga hold 10% each.
Guilmette, working with another journalist in Uganda who is also investigating this story, also queried the URSB to find out whether it has the registration for a company called “IPv4 Leasing”.
It turns out there is such a company in Uganda, and documents at the URSB appear to show that Ernest Byaruhanga has sole control over the company.
IPv4 Leasing, Link Data Group, and CGHB
Byaruhanga’s ownership of the Ugandan company IPv4 Leasing is significant, Guilmette noted, as it provides additional evidence connecting several blocks of IP addresses to a company under his control.
The domain “IPv4Leasing.net” is mentioned several times in the various WHOIS records associated with the IP address blocks that Guilmette identified as stolen.
One of the blocks was 213.247.0.0/24, which belonged to an entity called “Finance Trust Bank”. It was a sub-allocation of a larger block (213.247.0.0/19) that belonged to an entity called Link Data Group.
“Link Data Group” is also connected to CGHB in the form of an e-mail address — [email protected]. This is the same CGHB entity in the AFRINIC WHOIS database that Byaruhanga was attached to as an admin contact from 2012 to 2013.
The WHOIS information for the 213.247.0.0/24 block contained the following line: “changed: [email protected]”.
Prior to querying the URSB, Guilmette probed the historical WHOIS records of “ipv4leasing.net”, as well as all sister records. Note that the WHOIS databases for domains (e.g. “ipv4leasing.net” and “ipv4leasing.org”) are separate from the one for IP address blocks operated by AFRINIC.
According to the current records for “ipv4leasing.net”, the domain was registered on 13 September 2013 at 10:35:46.
A query of the historical WHOIS information of “ipv4leasing.org” shows that it was registered just seconds before the “ipv4leasing.net” address – at 10:35:32 on 13 September 2013.
“ipv4leasing.org” was registered by “Ernest M Byaruhanga” using a Gmail address that has also been linked to him in the AFRINIC WHOIS database.
This historical WHOIS result for “ipv4leasing.org” is not readily accessible to the public, but Guilmette obtained it from a commercial supplier of such historical data, DomainTools.com.
Data deleted from AFRINIC WHOIS database
Following an initial set of questions regarding this article from MyBroadband, AFRINIC deleted all data pertaining to the 213.247.0.0/19 block from its WHOIS database.
Our questions did not specifically mention this block.
According to the WHOIS records, the data for the 213.247.0.0/19 block was deleted at 10:56 on 14 November 2019.
AFRINIC CEO Eddy Kayihura said that data is only deleted from the WHOIS database in the case of deregistration.
“This is part of the normal lifecycle of resources,” Kayihura stated. “Any deregistration is fully documented as part of our internal procedures.”
Kayihura also said that the holder of the IP address block is notified before any records are removed from the AFRINIC WHOIS database.
IPv4 Leasing and ITC
In addition to Link Data Group, there is another organisation in the AFRINIC WHOIS database where the “ipv4leasing.net” domain appears – ITC.
ITC is the same entity that controlled the IP address block which was sold to TotalSend.
The “ipv4leasing.net” domain came up in the WHOIS information of the following blocks:
- 196.195.112.0/24 – Dishnet Africa Ltd (South Sudan)
- 196.195.113.0/24 – Dishnet Africa Ltd (South Sudan)
- 196.195.114.0/23 – AFRIKANET ONLINE SARL
- 196.195.232.0/23 – truIT Internet Services (Kampala, Uganda)
- 196.195.236.0/22 – truIT Internet Services (Kampala, Uganda)
These blocks are all sub-allocations of 196.194.0.0/15, which was still registered to ITC at the time of publication.
The histories of the first three sub-allocations in the above list have been deleted from the AFRINIC WHOIS database.
Other IP address blocks that were registered to ITC at the time of publication include 196.193.0.0/16, 196.63.0.0/16, 196.246.0.0/16, 196.42.128.0/17, and 196.45.112.0/20 — the block TotalSend’s IP addresses came from.
All connected
Our technical investigation of AFRINIC’s public WHOIS records showed that there are several apparent connections between the CGHB, ITC, and Link Data entities in the AFRINIC WHOIS database.
One of the things that links them is an e-mail address with the domain “ipv4leasing.net”.
The ipv4leasing.net website was still online at the time of publication. A snapshot of the site is also available.
Byaruhanga’s name appears on the historical WHOIS lookup for “ipv4leasing.org”, which was registered seconds before “ipv4leasing.net”.
A company called IPv4 Leasing in Uganda has Byaruhanga listed as the sole partner.
Byaruhanga’s name also appears as the administrative contact in the historical data for the CGHB entity in the AFRINIC WHOIS database between 2012 and 2013.
Finally, as noted above, Byaruhanga’s name appears as a major shareholder of Amiek Holdings, which is connected to ITC through the sale of an IP address block to TotalSend.
Scans of documents obtained from the URSB and copies of the relevant WHOIS data are included at the end of the article.
Guilmette said the evidence suggests that in at least some cases, freshly allocated IP address blocks were assigned, apparently by AFRINIC, to long-dormant entities in the AFRINIC WHOIS database like ITC, Link Data, and CGHB.
AFRINIC CEO Eddy Kayihura declined to answer a question about the origins of the IP addresses assigned to ITC, Link Data, and CGHB.
Kayihura said that AFRINIC could only answer questions that do not fall within the scope of its ongoing investigation into this matter.
Right of reply
MyBroadband contacted Ernest Byaruhanga for comment. Shortly thereafter, an industry source informed MyBroadband that Byaruhanga had resigned from AFRINIC. Several attempts were made to contact Byaruhanga by phone and e-mail, but he did not respond.
Kayihura confirmed that Byaruhanga resigned from AFRINIC and is currently serving his notice period.
MyBroadband also contacted former AFRINIC CEO Adiel Akplogan for comment, since he worked closely with Byaruhanga in the early days of the organisation.
Akplogan said he was not aware of IP addresses being stolen and sold on the black market.
AFRINIC staff may not operate IP brokerages
Responding to further questions, Kayihura told MyBroadband that neither AFRINIC staff members nor its directors are allowed to operate IP brokerages.
“This is against our policies, principles of ethics and standards,” Kayihura said.
“Hence, AFRINIC will not hesitate to take such action(s) as it may deem fit against any of its staff or director who are found to have breached those standards.”
PricewaterhouseCoopers drops AFRINIC
AFRINIC chairman Christian Bope announced to members on 31 October 2019 that AFRINIC’s external auditor, PricewaterhouseCoopers (PwC), was no longer available to conduct the audit for AFRINIC’s current financial year.
This is after PwC was reappointed as external auditor in June 2019.
When asked whether PwC’s departure was due to AFRINIC’s ongoing investigation into the theft of IP address blocks, Kayihura declined to comment.
“The relationship between AFRINIC and PwC is governed by the rules of confidentiality existing between a client and its auditor,” said Kayihura.
“It would thus not be proper for AFRINIC to comment on the reason that provoked the resignation of PwC as its auditor in the media.”
Summary: Stolen non-legacy IP address blocks
The table below summarises the IP address blocks assigned to CGHB, ITC, Link Data Group, and the former Infoplan (now Network and Information Technology Limited).
Infoplan was a South African company that was integrated into the State IT Agency in 1998. Its old organisation object in the AFRINIC WHOIS database appears to have been hijacked, and renamed to Network and Information Technology Limited (NAIT).
Guilmette’s research shows that none of the suspicious IP address blocks that were assigned to the former Infoplan corporate identity (denoted in the WHOIS database as “ORG-IA41-AFRINIC”) are “legacy” assignments — blocks of addresses that were assigned to organisations before AFRINIC existed.
Legacy blocks are a valuable resource, as they are not subject to AFRINIC’s bylaws or membership fees. If you apply for a block of IP addresses today, you will have to pay AFRINIC an annual fee to keep your block. Legacy block holders do not have to pay any fees.
Since these addresses are not legacy assignments, that raises the question – where are they from?
Guilmette said that the most likely explanation is that these blocks were taken from AFRINIC’s inventory of available IP address space.
AFRINIC has a pool of available IP addresses from which it assigns blocks of IPs to organisations who successfully apply for them.
“It is virtually self-evident that these IP address blocks [in the table below] are from the AFRINIC free pool,” Guilmette said.
Under the “Status” column, we indicate what has been done with a block since we reported the matter to AFRINIC. The historical data of one of the blocks, and the sub-allocations of another block, have been deleted from the AFRINIC WHOIS database. This is indicated in the table with the word “purged”.
It should also be noted that there is currently no evidence linking Infoplan/NAIT, or the IP address blocks assigned to it, to CGHB, Link Data Group, ITC, or IPv4 Leasing.
The Infoplan/NAIT assignments are included because of the other similarities they share with the rest of the blocks in the table.
However, Guilmette said that it is highly probable, “if not a dead certainty”, that the same single person is responsible for the theft of all of the stolen blocks listed below.
The estimated value of the blocks is calculated according to a conservative estimate of what an IP address currently sells for, according to industry insiders.
For the below calculation, we used a price of $20 per IP address and a ZAR exchange rate of R14.65.
| IP address block(s) | Historical owner | Registered owner | Estimated value | Date of first suspicious activity | True owner | Status |
|---|---|---|---|---|---|---|
| 165.52.0.0/14 | Cape of Good Hope Bank | CGHB | R134,414,336 | 2014-07-18 | Unknown | Unchanged |
| 137.171.0.0/16 | | | | | | |
| 160.184.0.0/16 | | | | | | |
| 168.211.0.0/16 | | | | | | |
| 196.62.0.0/16 | Link Data Solutions* | Link Data Group | R69,607,424 | 2013-05-24 | Unknown | Unchanged |
| 160.181.0.0/16 | | | | 2013-10-07 | | |
| 160.255.0.0/16 | | | | 2014-07-18 | | |
| 196.192.192.0/18 | | | | 2014-07-18 | | |
| 196.207.64.0/18 | | | | 2015-01-10 | | |
| 213.247.0.0/19 | | | | 2013-10-02 | | History purged |
| 196.45.112.0/20 | Afriq*Access | ITC | R106,811,392 | 2010-11-04 | Unknown | Unchanged |
| 196.194.0.0/15 | | | | 2012-10-30 | | Sub-allocations history purged |
| 196.193.0.0/16 | | | | 2012-12-04 | | Unchanged |
| 196.246.0.0/16 | | | | 2013-01-09 | | |
| 196.63.0.0/16 | | | | 2013-05-24 | | |
| 196.42.128.0/17 | | | | 2014-07-18 | | |
| 196.16.0.0/14 | Infoplan | Network and Information Technology Limited | R77,558,272 | 2014-03-10 | Unknown | Active route squatter: IP Volume (RADb: Netstyle) |
| 196.4.36.0/22 | | | | 2015-03-05 | | Unchanged |
| 196.4.40.0/22 | | | | 2015-03-05 | | |
| 196.4.44.0/23 | | | | 2015-03-05 | | |

\* Linkdata Solutions appears to have been shut down in 2007.
Summary: Stolen legacy IP address blocks
The IP address blocks in the following table all represent legacy allocations that have been taken over by unscrupulous overseas network operators.
Guilmette explained that although the WHOIS registration data appears intact, someone with a high level of access to the AFRINIC WHOIS database has systematically altered the administrative and technical contact information on these blocks.
This was done by altering the e-mail addresses and phone numbers of administrative and technical contact persons connected to each block in the AFRINIC WHOIS database, he said.
For example, the e-mail address on Nampak was changed to use the domain “noc-nampak.co.za”.
When you visit that domain, you are redirected to “nampak.com”. However, closer investigation revealed that there is a separate webserver behind the “noc-nampak.co.za” domain which is hosted on a server named “freemail.registerdomain.co.za” at the IP address 197.242.150.38.
“The actual and legitimate web site for the actual Nampak.com domain, on the other hand, is hosted somewhere else entirely, on an entirely different and unrelated web server located on an entirely different and unrelated network,” Guilmette said.
Sometimes the fake domains are not even redirected in this way, as is the case of “argusholdings.co.za”, which simply brings up the directory listing of the webserver.
“By so doing, someone was able to very cleverly take effective control over each of these blocks, simply by making themselves the only known points of contact for any questions or comments about these blocks,” Guilmette said.
Guilmette explained that the dates shown in the following table represent the dates on which replacement domain names were registered as part of the overall scheme to fraudulently modify the administrative and technical contact email addresses for each block.
| IP address block(s) | Historical owner | Estimated value | Date of first suspicious activity | Likely or confirmed owner | Status |
|---|---|---|---|---|---|
| 196.10.64.0/19 | Nampak | R21,827,328 | 2014-01-19 | Nampak | Route squatting stopped |
| 196.10.61.0/24 | | | | | |
| 196.10.62.0/23 | | | | | |
| 160.121.0.0/16 | Mega Plastics | | | | |
| 155.235.0.0/16 | Afrox MIS | R19,202,048 | 2014-02-13 | Afrox | Active route squatter: Cogent (RADb: DiViNetworks) |
| 152.108.0.0/16 | Transtel | R19,202,048 | 2015-06-18 | Liquid Telecom | Reclaimed |
| 155.237.0.0/16 | Sasol | R38,404,096 | 2015-07-21 | Sasol | Reclaimed |
| 169.129.0.0/16 | | | | | |
| 165.25.0.0/16 | City of Cape Town | R19,202,048 | 2016-05-20 | City of Cape Town | Reclaimed |
| 160.122.0.0/16 | Tredcor in South Africa | R19,202,048 | 2015-05-22 | Goodyear | Active route squatter: ASLine |
| 168.80.0.0/15 | AECI Information Services in South Africa | R38,404,096 | 2015-01-20 | DXC Technology | Ownership confirmed |
| 168.81.32.0/19 | | R2,400,256 | 2014-04-23 | Unknown | Unchanged |
| 165.3.0.0/16 | Wooltru | R57,606,144 | 2013-01-05 | Woolworths | Route squatting stopped |
| 165.4.0.0/16 | Never | | | | |
| 165.5.0.0/16 | | | | | |
| 160.115.0.0/16 | Columbus Stainless | R19,202,048 | 2016-11-28 | Columbus Stainless | Reclaimed |
| 168.76.0.0/16 | Free State Education Department | R19,202,048 | 2013-11-23 | Free State Education Department | Route squatting stopped |
| 160.116.0.0/16 | Affiliated Computing Services (Pty) Ltd | R19,202,048 | 2013-11-28 | Affiliated Computing Services (Pty) Ltd | Active route squatter: Netstyle |
| 168.206.0.0/16 | The Atomic Energy Board | R19,202,048 | 2013-11-28 | NECSA | Route squatting stopped |
| 155.159.0.0/16 | Safren Computer Services | R19,202,048 | 2015-06-02 | Safren Computer Services | Active route squatters |
| 164.155.0.0/16 | Sentrachem Limited | R19,202,048 | 2015-07-06 | Sentrachem Limited | Routes reclaimed by IS |
| 163.197.0.0/16 | Anglo American | R19,202,048 | 2015-07-06 | Anglo American | Routes reclaimed by IS |
| 196.15.64.0/18 | Trafex | R4,800,512 | 2015-10-11 | AT&T | Active route squatter: Network Dedicated SAS |
| 163.198.0.0/16 | Agrihold | R19,202,048 | 2015-10-26 | Dow Agrosciences | Active route squatters |
| 164.88.0.0/16 | Argus Holdings | R19,202,048 | 2016-01-03 | Independent Media / Sekunjalo | Route squatting stopped |
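The contact-hijacking pattern Guilmette describes for the legacy blocks (a lookalike domain such as “noc-nampak.co.za” substituted for the organisation's real domain in the admin and tech contacts) is something a registry or a resource holder can screen its own WHOIS objects for. The block below is an added example, not code from the article or from Guilmette: it classifies each admin contact e-mail against the domains the organisation is actually known to use and flags unknown domains built around the organisation's name. The sample records are constructed; only the two lookalike domains and the block prefixes come from the article, while the local parts, the known domains and the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Public suffixes with two labels that appear in the article (co.za); anything else
# falls back to "name.tld". A full public-suffix list would replace this in practice.
TWO_LABEL_SUFFIXES = {"co.za", "org.za", "ac.za", "co.uk"}


@dataclass(frozen=True)
class ContactRecord:
    block: str            # IPv4 prefix as listed in the article
    org: str              # historical owner as named in the article's table
    known_domains: tuple  # domains the organisation is known to use (assumed here)
    admin_email: str      # admin-c e-mail as it would appear in WHOIS (constructed)


def registrable_domain(hostname: str) -> str:
    """Collapse a host to its registrable part: a.b.co.za -> b.co.za, www.x.com -> x.com."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def name_token(text: str) -> str:
    """Letters and digits only, lower-cased: 'Argus Holdings' -> 'argusholdings'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def classify_contact(rec: ContactRecord) -> str:
    """'ok' if the contact uses a known domain; 'lookalike' if the domain is unknown
    but built around the organisation's name; otherwise 'unknown-domain'."""
    domain = registrable_domain(rec.admin_email.split("@", 1)[1])
    if domain in {registrable_domain(d) for d in rec.known_domains}:
        return "ok"
    label = name_token(domain.split(".", 1)[0])  # 'noc-nampak' -> 'nocnampak'
    org = name_token(rec.org)
    # Either the org name is embedded in the label (noc-nampak.co.za) or the label is
    # the org name itself on an unexpected suffix (argusholdings.co.za). Very short
    # labels are ignored so that a two-letter match does not count as a lookalike.
    if len(label) >= 4 and (org in label or label in org):
        return "lookalike"
    return "unknown-domain"


# Constructed sample records modelled on the article. Argus Holdings deliberately has
# no known domain on file, which is the common case for a long-dormant legacy holder.
SAMPLE = [
    ContactRecord("196.10.64.0/19", "Nampak", ("nampak.com",), "hostmaster@noc-nampak.co.za"),
    ContactRecord("164.88.0.0/16", "Argus Holdings", (), "admin@argusholdings.co.za"),
    ContactRecord("155.237.0.0/16", "Sasol", ("sasol.com",), "noc@sasol.com"),
    ContactRecord("160.122.0.0/16", "Tredcor in South Africa", ("goodyear.com",),
                  "ops@mail.example.net"),
]


def flagged_blocks(records=SAMPLE) -> dict:
    """Map each block to its verdict, omitting the contacts that look fine."""
    verdicts = {r.block: classify_contact(r) for r in records}
    return {block: v for block, v in verdicts.items() if v != "ok"}


if __name__ == "__main__":
    for block, verdict in flagged_blocks().items():
        print(f"{block:16s} {verdict}")
```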
Document: CGHB entity historical AFRINIC WHOIS data
Document: E-mails between TotalSend and AFRINIC
TotalSend provided the following e-mail exchange showing its request for information to apply for an IP address block from AFRINIC.