Internet | 11.05.2020

Man connected to African IP address heist running for board position at European IP address organisation

The Regional Internet Registry for the European region, RIPE NCC, is holding elections to fill three seats on its executive board. The elections will be held at RIPE NCC’s annual general meeting on 13-15 May 2020, with the results live streamed at 10:45 on 15 May.

Among the candidates for the three seats available on the RIPE NCC Executive Board is Elad Cohen, who operates a networking company called Netstyle.

Internet investigator Ron Guilmette has linked Netstyle and Cohen’s e-mail address to suspicious activity in the South African Internet Protocol address space. This included a block of IP addresses that belongs to Sasol, and blocks which appear to belong to Tredcor, Afrox, Woolworths, and SITA.

Regional Internet Registries, like the RIPE Network Coordination Centre, provide Internet resources to their members in their service region. These resources include Internet Protocol (IP) addresses.

The Great African IP Address Heist

Over several months, MyBroadband worked with Guilmette to look into the apparent theft of, and squatting on, vast swaths of valuable Internet Protocol (IP) addresses.

One portion of the investigation uncovered how an insider at Africa’s Regional Internet Registry, AFRINIC, misappropriated large IP address blocks from AFRINIC’s free pool of addresses.

This free pool is the IP address space that AFRINIC holds in trust to give out to people or organisations that legitimately qualify to receive IP address space under its rules.

At least one person inside AFRINIC helped themselves to these unassigned IP addresses and sold them on the black market.

Since publishing our report, AFRINIC has summarily dismissed the insider in question and has taken back the IP address blocks that were taken from its free pool.

Legacy South African IP address blocks linked to Netstyle

Another part of our investigation involved address assignments referred to as “legacy” IP address blocks.

These blocks of addresses are particularly valuable because they do not attract AFRINIC’s annual fees, as they were assigned to companies in the early days of the Internet, before AFRINIC existed.

While combing through Africa’s IP address space, Guilmette discovered that Cohen’s Netstyle e-mail address ([email protected]) appeared in the Internet Routing Registry (IRR) records for the following IP address blocks:

  • 196.16.0.0/14 — Infoplan
  • 168.80.0.0/15 — AECI Information Services
  • 155.237.0.0/16 — Sasol
  • 160.122.0.0/16 — Tredcor
  • 165.3.0.0/16 — Wooltru
  • 155.235.0.0/16 — Afrox MIS

When queried about the Infoplan, AECI, Sasol, Tredcor, and Wooltru blocks, Cohen stated that they (Netstyle) are the owners of all of those ranges, except the Sasol block. He also said that he regrets ever buying them.

Cohen said he paid millions of US dollars for the blocks via a US-based broker, but did not state which broker he used.

When asked for the legal documentation regarding the purchases, he said: “The legal documents are with the USA lawyer involved, we will show them in any court.”

Cohen declined to answer questions about why his e-mail address appeared in an IRR record for a block of IP addresses which Sasol has reclaimed.

Stolen legacy IP address blocks from South Africa

The table below summarises all of the legacy IP address blocks which Guilmette’s investigation identified as “stolen”.

In this context, Guilmette chose to use the term “stolen” to specifically refer to a situation where the WHOIS records of an IP address block, stored in AFRINIC’s database, had been manipulated in a suspicious way.

This includes names, addresses, and contact information being changed in ways which Guilmette described as “obviously fake”.

WHOIS records are like the title deeds of the Internet. If a bad actor can find a way to manipulate the WHOIS record of an IP address block, it would be like being able to break into the deeds office and change the information on the title deeds of valuable property.

AFRINIC has yet to answer questions on how the changes to these legacy IP address blocks were made.

While we were updating the information in the table below, Netstyle and Cohen were found to be connected to a few other blocks.

  • Netstyle is currently routing IP addresses that are part of a block which belonged to a company called Affiliated Computing Services (160.116.0.0/16).
  • An IRR object was added to the AFRINIC database for the block belonging to Safren Computer Services using the e-mail address “[email protected]”. The entry was last modified on 26 January 2020. Documents previously published by MyBroadband link Cohen to the name “Afri Holdings Ltd”.
  • Similarly, an IRR object was added for Agrihold in the RADb database using the “[email protected]” address. The entry was last modified on 3 January 2020.

The estimated value of a block of IP addresses was calculated using an exchange rate of R18.79 per USD and a price of $20 per IP address. The price is based on feedback from industry sources who have indicated that $20 is a reasonable average to work with, but that prices can be higher or lower depending on circumstances.

| IP address block(s) | Historical owner / Registered owner | Estimated value | Date of first suspicious activity | Likely true owner | Status |
|---|---|---|---|---|---|
| 196.16.0.0/14 | Infoplan Network and Information Technology Limited | R99,475,763 | 2014-03-10 | SITA | Active route squatters: IP Volume, others (IRR: Netstyle) |
| 196.4.36.0/22 | | | 2015-03-05 | | Unchanged |
| 196.4.40.0/22 | | | 2015-03-05 | | |
| 196.4.44.0/23 | | | 2015-03-05 | | |
| 196.10.64.0/19 | Nampak | R27,995,597 | 2014-01-19 | Nampak | Active route squatters |
| 196.10.61.0/24 | | | | | Unchanged |
| 196.10.62.0/23 | | | | | |
| 160.121.0.0/16 | Mega Plastics | | | | Active route squatter: ASLine |
| 155.235.0.0/16 | Afrox MIS | R24,628,429 | 2014-02-13 | Afrox | Active route squatter: AsiaNET |
| 152.108.0.0/16 | Transtel | R24,628,429 | 2015-06-18 | Liquid Telecom | Reclaimed |
| 155.237.0.0/16 | Sasol | R49,256,858 | 2015-07-21 | Sasol | Reclaimed |
| 169.129.0.0/16 | | | | | |
| 165.25.0.0/16 | City of Cape Town | R24,628,429 | 2016-05-20 | City of Cape Town | Reclaimed |
| 160.122.0.0/16 | Tredcor in South Africa | R24,628,429 | 2015-05-22 | Goodyear | Active route squatter: ASLine |
| 168.80.0.0/15 | AECI Information Services in South Africa | R49,256,858 | 2015-01-20 | DXC Technology | Ownership confirmed, active route squatters |
| 168.81.32.0/19 | | R3,078,554 | 2014-04-23 | Unknown | Unchanged |
| 165.3.0.0/16 | Wooltru | R73,885,286 | 2013-01-05 | Woolworths | Partly squatted: Peg Tech Inc |
| 165.4.0.0/16 | | | | | Never Routed by Internet Solutions |
| 165.5.0.0/16 | | | | | Partially routed by Telkom |
| 160.115.0.0/16 | Columbus Stainless | R24,628,429 | 2016-11-28 | Columbus Stainless | Reclaimed |
| 168.76.0.0/16 | Free State Education Department | R24,628,429 | 2013-11-23 | Free State Education Department | Route squatting stopped |
| 160.116.0.0/16 | Affiliated Computing Services (Pty) Ltd | R24,628,429 | 2013-11-28 | Affiliated Computing Services (Pty) Ltd | Active route squatters, incl. Netstyle |
| 168.206.0.0/16 | The Atomic Energy Board | R24,628,429 | 2013-11-28 | NECSA | Active route squatter: ASLine |
| 155.159.0.0/16 | Safren Computer Services | R24,628,429 | 2015-06-02 | Safren Computer Services | Active route squatter: ASLine (IRR: Afri Holdings) |
| 164.155.0.0/16 | Sentrachem Limited | R24,628,429 | 2015-07-06 | Sentrachem Limited | Active route squatters |
| 163.197.0.0/16 | Anglo American | R24,628,429 | 2015-07-06 | Anglo American | Active route squatters |
| 196.15.64.0/18 | Trafex | R6,157,107 | 2015-10-11 | AT&T | Active route squatter: Network Dedicated SAS |
| 163.198.0.0/16 | Agrihold | R24,628,429 | 2015-10-26 | Dow Agrosciences | Active route squatters (IRR: Afri Holdings) |
| 164.88.0.0/16 | Argus Holdings | R24,628,429 | 2016-01-03 | Independent Media / Sekunjalo | Active route squatters: ASLine, Nanbian |

Support for Elad Cohen among RIPE members

Cohen is one of nine candidates contending for the three available seats on the RIPE NCC Executive Board. He nominated himself and he is also tied for the second-highest number of support nominations received.

The top five candidates by support nominations received are Sergey Myasoedov (35), Elad Cohen (16), Raymond Jetten (16), Jordi Palet Martinez (13), and William Sylvester (11).

It should be noted that this ranking is given for interest only. Support nominations do not necessarily determine which candidates will be voted in.

The following sixteen RIPE members supported Cohen’s nomination:

  1. Maikel Uerlings (Inspiring networks bv)
  2. Matteo Berlonghi (SeFlow s.n.c.)
  3. Lucas Wouters (Spectra IP)
  4. SK Bakker (SKB Enterprise B.V.)
  5. Matt Levine (CacheNetworks, LLC)
  6. Kurt Mackey (fly.io)
  7. Dennet Ingram (Haxxr Games,LLC)
  8. Andre Sullivan (Find Your Route LLC)
  9. Mike Roberts (VelocityScape Services, LLC)
  10. Rita Smyth (Hometown Technologies, L.L.C.)
  11. Mark Ferris (Cooperative Investments LLC)
  12. Martin Callahan (Network Dedicated SAS)
  13. FR van Eeden (Incrediserve LTD)
  14. Mykola Mitrokhin (Novogara LTD)
  15. Martin Bakker (FiberXpress BV)
  16. Alexandru Stanciu (Architecture Iq Data)

Several of these support nominations are worth highlighting.

Guilmette has connected Maikel Uerlings to suspicious activity on South African legacy IP address blocks, as published in an earlier report on MyBroadband.

Network Dedicated SAS, Novogara, and FiberXpress all advertise routes in one or more of the stolen IP address blocks listed in the table above, including ones connected to Netstyle and Cohen.

This means that they accept network traffic destined for IP addresses which Guilmette has identified as stolen.

One example is the Infoplan block (196.16.0.0/14), where Cohen’s Netstyle e-mail address is listed in the Internet Routing Registry entry. Network Dedicated SAS, Novogara, and FiberXpress all advertise routes for IP address sub-allocations contained in the Infoplan block.
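The containment relationship described above, and the valuation formula given before the table, can be checked mechanically. The following is an added example, not part of the original article or Guilmette's tooling: it flags route announcements that fall inside, or cover, blocks named in the article and computes the article's estimated value for a set of prefixes. The sample announcements and their origin ASNs (documentation-range numbers) are constructed, and the function names are hypothetical.

```python
import ipaddress

# A subset of the blocks named in the article, keyed by prefix.
FLAGGED = {
    "196.16.0.0/14": "Infoplan",
    "168.80.0.0/15": "AECI Information Services",
    "160.122.0.0/16": "Tredcor",
    "165.3.0.0/16": "Wooltru",
    "155.235.0.0/16": "Afrox MIS",
    "160.116.0.0/16": "Affiliated Computing Services",
}
ZAR_PER_USD = 18.79    # exchange rate used by the article
USD_PER_ADDRESS = 20   # per-address price used by the article

def estimated_value_zar(prefixes):
    """Article's formula: addresses x $20 x R18.79, rounded to the rand."""
    total = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return round(total * USD_PER_ADDRESS * ZAR_PER_USD)

def check_announcements(announcements):
    """Return (prefix, origin, block, owner, relation) for every overlap."""
    hits = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        for block, owner in FLAGGED.items():
            flagged = ipaddress.ip_network(block)
            if net.version != flagged.version or not net.overlaps(flagged):
                continue
            # "inside": announcement is a sub-allocation (or exact match);
            # "covers": a less-specific route that swallows the flagged block.
            relation = "inside" if net.subnet_of(flagged) else "covers"
            hits.append((prefix, origin, block, owner, relation))
    return hits

# Constructed sample announcements (not real routing data).
SAMPLE = [
    ("196.17.8.0/24", "AS64500"),    # sub-allocation inside the Infoplan block
    ("160.116.0.0/16", "AS64501"),   # exact match counts as inside
    ("192.0.2.0/24", "AS64502"),     # unrelated documentation prefix
    ("168.0.0.0/8", "AS64503"),      # less-specific route covering a block
]

if __name__ == "__main__":
    for hit in check_announcements(SAMPLE):
        print(hit)
    print(estimated_value_zar(
        ["196.16.0.0/14", "196.4.36.0/22", "196.4.40.0/22", "196.4.44.0/23"]))
```

Summing the four Infoplan-row prefixes reproduces the R99,475,763 shown in the table, which indicates the table's value covers the whole row group rather than the /14 alone.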

Right of Reply – Elad Cohen

Elad Cohen was asked for comment regarding his campaign to join the RIPE NCC Executive Board. He declined to answer questions.

It must be noted that Cohen is not being accused of any illegal activity in this report.

RIPE NCC – We are aware of the allegations against Cohen

MyBroadband also asked RIPE NCC about Cohen’s candidacy for the Executive Board. The organisation confirmed that it was aware of the allegations against him.

“The RIPE NCC is a membership association under Dutch law. According to our rules, anyone can be supported as a candidate for the Executive Board elections,” a spokesperson for the organisation stated.

“Each member is entitled to make nominations [and] each member can support a nominee only once.”
