Man connected to African IP address heist running for board position at European IP address organisation
The Regional Internet Registry for the European region, RIPE NCC, is holding elections to fill three seats on its executive board. The elections will be held at RIPE NCC’s annual general meeting on 13-15 May 2020, with the results live streamed at 10:45 on 15 May.
Among the candidates for the three seats available on the RIPE NCC Executive Board is Elad Cohen, who operates a networking company called Netstyle.
Internet investigator Ron Guilmette has linked Netstyle and Cohen’s e-mail address to suspicious activity in the South African Internet Protocol address space. This included a block of IP addresses that belongs to Sasol, and blocks which appear to belong to Tredcor, Afrox, Woolworths, and SITA.
Regional Internet Registries, like the RIPE Network Coordination Centre, provide Internet resources to their members in their service region. These resources include Internet Protocol (IP) addresses.
The Great African IP Address Heist
Over several months, MyBroadband worked with Guilmette to look into the apparent theft of, and squatting on, vast swaths of valuable Internet Protocol (IP) addresses.
One portion of the investigation uncovered how an insider at Africa’s Regional Internet Registry, AFRINIC, misappropriated large IP address blocks from AFRINIC’s free pool of addresses.
This free pool is the IP address space that AFRINIC holds in trust to give out to people or organisations that legitimately qualify to receive IP address space under its rules.
At least one person inside AFRINIC helped themselves to these unassigned IP addresses and sold them on the black market.
Since publishing our report, AFRINIC has summarily dismissed the insider in question and has taken back the IP address blocks that were taken from its free pool.
Legacy South African IP address blocks linked to Netstyle
Another part of our investigation involved address assignments referred to as “legacy” IP address blocks.
These blocks of addresses are particularly valuable because they do not attract AFRINIC’s annual fees, as they were assigned to companies in the early days of the Internet, before AFRINIC existed.
While combing through Africa’s IP address space, Guilmette discovered that Cohen’s Netstyle e-mail address ([email protected]) appeared in the Internet Routing Registry (IRR) records for the following IP address blocks:
- 196.16.0.0/14 — Infoplan
- 168.80.0.0/15 — AECI Information Services
- 155.237.0.0/16 — Sasol
- 160.122.0.0/16 — Tredcor
- 165.3.0.0/16 — Wooltru
- 155.235.0.0/16 — Afrox MIS
When queried about the Infoplan, AECI, Sasol, Tredcor, and Wooltru blocks, Cohen stated that they (Netstyle) are the owners of all of those ranges, except the Sasol block. He also said that he regrets ever buying them.
Cohen said he paid millions of US dollars for the blocks via a US-based broker, but did not state which broker he used.
When asked for the legal documentation regarding the purchases, he said: “The legal documents are with the USA lawyer involved, we will show them in any court.”
Cohen declined to answer questions about why his e-mail address appeared in an IRR record for a block of IP addresses which Sasol has reclaimed.
Stolen legacy IP address blocks from South Africa
The table below summarises all of the legacy IP address blocks which Guilmette’s investigation identified as “stolen”.
In this context, Guilmette chose to use the term “stolen” to specifically refer to a situation where the WHOIS records of an IP address block, stored in AFRINIC’s database, had been manipulated in a suspicious way.
This includes names, addresses, and contact information being changed in ways which Guilmette described as “obviously fake”.
WHOIS records are like the title deeds of the Internet. If a bad actor can find a way to manipulate the WHOIS record of an IP address block, it would be like being able to break into the deeds office and change the information on the title deeds of valuable property.
AFRINIC has yet to answer questions on how the changes to these legacy IP address blocks were made.
While the information in the table below was being updated, Netstyle and Cohen were connected to a few other blocks.
- Netstyle is currently routing IP addresses that are part of a block which belonged to a company called Affiliated Computing Services (160.116.0.0/16).
- An IRR object was added to the AFRINIC database for the block belonging to Safren Computer Services using the e-mail address “[email protected]”. The entry was last modified on 26 January 2020. Documents previously published by MyBroadband link Cohen to the name “Afri Holdings Ltd”.
- Similarly, an IRR object was added for Agrihold in the RADb database using the “[email protected]” address. The entry was last modified on 3 January 2020.
The estimated value of a block of IP addresses was calculated using an exchange rate of R18.79 per USD and a price of $20 per IP address. The price is based on feedback from industry sources who have indicated that $20 is a reasonable average to work with, but that prices can be higher or lower depending on circumstances.
IP address block(s) | Historical owner | Registered owner | Estimated value | Date of first suspicious activity | Likely true owner | Status |
---|---|---|---|---|---|---|
196.16.0.0/14 | Infoplan | Network and Information Technology Limited | R99,475,763 | 2014-03-10 | SITA | Active route squatters: IP Volume, others (IRR: Netstyle) |
196.4.36.0/22 | | | | 2015-03-05 | | Unchanged |
196.4.40.0/22 | | | | 2015-03-05 | | |
196.4.44.0/23 | | | | 2015-03-05 | | |
196.10.64.0/19 | Nampak | | R27,995,597 | 2014-01-19 | Nampak | Active route squatters |
196.10.61.0/24 | | | | | | Unchanged |
196.10.62.0/23 | | | | | | |
160.121.0.0/16 | Mega Plastics | | | | | Active route squatter: ASLine |
155.235.0.0/16 | Afrox MIS | | R24,628,429 | 2014-02-13 | Afrox | Active route squatter: AsiaNET |
152.108.0.0/16 | Transtel | | R24,628,429 | 2015-06-18 | Liquid Telecom | Reclaimed |
155.237.0.0/16 | Sasol | | R49,256,858 | 2015-07-21 | Sasol | Reclaimed |
169.129.0.0/16 | | | | | | |
165.25.0.0/16 | City of Cape Town | | R24,628,429 | 2016-05-20 | City of Cape Town | Reclaimed |
160.122.0.0/16 | Tredcor in South Africa | | R24,628,429 | 2015-05-22 | Goodyear | Active route squatter: ASLine |
168.80.0.0/15 | AECI Information Services in South Africa | | R49,256,858 | 2015-01-20 | DXC Technology | Ownership confirmed, active route squatters |
168.81.32.0/19 | | | R3,078,554 | 2014-04-23 | Unknown | Unchanged |
165.3.0.0/16 | Wooltru | | R73,885,286 | 2013-01-05 | Woolworths | Partly squatted: Peg Tech Inc |
165.4.0.0/16 | | | | Never | | Routed by Internet Solutions |
165.5.0.0/16 | | | | | | Partially routed by Telkom |
160.115.0.0/16 | Columbus Stainless | | R24,628,429 | 2016-11-28 | Columbus Stainless | Reclaimed |
168.76.0.0/16 | Free State Education Department | | R24,628,429 | 2013-11-23 | Free State Education Department | Route squatting stopped |
160.116.0.0/16 | Affiliated Computing Services (Pty) Ltd | | R24,628,429 | 2013-11-28 | Affiliated Computing Services (Pty) Ltd | Active route squatters, incl. Netstyle |
168.206.0.0/16 | The Atomic Energy Board | | R24,628,429 | 2013-11-28 | NECSA | Active route squatter: ASLine |
155.159.0.0/16 | Safren Computer Services | | R24,628,429 | 2015-06-02 | Safren Computer Services | Active route squatter: ASLine (IRR: Afri Holdings) |
164.155.0.0/16 | Sentrachem Limited | | R24,628,429 | 2015-07-06 | Sentrachem Limited | Active route squatters |
163.197.0.0/16 | Anglo American | | R24,628,429 | 2015-07-06 | Anglo American | Active route squatters |
196.15.64.0/18 | Trafex | | R6,157,107 | 2015-10-11 | AT&T | Active route squatter: Network Dedicated SAS |
163.198.0.0/16 | Agrihold | | R24,628,429 | 2015-10-26 | Dow Agrosciences | Active route squatters (IRR: Afri Holdings) |
164.88.0.0/16 | Argus Holdings | | R24,628,429 | 2016-01-03 | Independent Media / Sekunjalo | Active route squatters: ASLine, Nanbian |
Support for Elad Cohen among RIPE members
Cohen is one of nine candidates contending for the three available seats on the RIPE NCC Executive Board. He nominated himself and he is also tied for the second-highest number of support nominations received.
The top five candidates by support nominations received are Sergey Myasoedov (35), Elad Cohen (16), Raymond Jetten (16), Jordi Palet Martinez (13), and William Sylvester (11).
It should be noted that this ranking is given for interest only. Support nominations do not necessarily determine which candidates will be voted in.
The following sixteen RIPE members supported Cohen’s nomination:
- Maikel Uerlings (Inspiring networks bv)
- Matteo Berlonghi (SeFlow s.n.c.)
- Lucas Wouters (Spectra IP)
- SK Bakker (SKB Enterprise B.V.)
- Matt Levine (CacheNetworks, LLC)
- Kurt Mackey (fly.io)
- Dennet Ingram (Haxxr Games, LLC)
- Andre Sullivan (Find Your Route LLC)
- Mike Roberts (VelocityScape Services, LLC)
- Rita Smyth (Hometown Technologies, L.L.C.)
- Mark Ferris (Cooperative Investments LLC)
- Martin Callahan (Network Dedicated SAS)
- FR van Eeden (Incrediserve LTD)
- Mykola Mitrokhin (Novogara LTD)
- Martin Bakker (FiberXpress BV)
- Alexandru Stanciu (Architecture Iq Data)
Several of these support nominations are worth highlighting.
Guilmette has connected Maikel Uerlings to suspicious activity on South African legacy IP address blocks, as published in an earlier report on MyBroadband.
Network Dedicated SAS, Novogara, and FiberXpress all advertise routes in one or more of the stolen IP address blocks listed in the table above, including ones connected to Netstyle and Cohen.
This means that they accept network traffic destined for IP addresses which Guilmette has identified as stolen.
One example is the Infoplan block (196.16.0.0/14), where Cohen’s Netstyle e-mail address is listed in the Internet Routing Registry entry. Network Dedicated SAS, Novogara, and FiberXpress all advertise routes for IP address sub-allocations contained in the Infoplan block.
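An added example, not part of the original report: a check a block holder could run to see which announced routes fall inside their address space, and how much of it they cover, as described for sub-allocations of the Infoplan block above. The announcements and origin ASNs are constructed (documentation ASN range), and `audit` is a hypothetical helper name.

```python
import ipaddress

# Blocks from the article's list. Expected origin ASNs are hypothetical
# values from the documentation ASN range, not real assignments.
MONITORED = {
    "196.16.0.0/14": set(),      # no origin is expected at all
    "155.237.0.0/16": {64510},
}

# Constructed (prefix, origin ASN) announcements, for illustration only.
ANNOUNCEMENTS = [
    ("196.16.8.0/22", 64500),
    ("196.16.8.0/24", 64500),    # nested inside the /22 above
    ("196.17.0.0/16", 64501),
    ("155.237.0.0/16", 64510),   # expected origin, not flagged
    ("155.237.4.0/24", 64502),
    ("198.51.100.0/24", 64503),  # outside every monitored block
    ("2001:db8::/32", 64504),    # IPv6, cannot match an IPv4 block
]


def audit(monitored, announcements):
    """Per monitored block: unexpected routes and how much space they cover."""
    report = {}
    for block_text, expected in monitored.items():
        block = ipaddress.ip_network(block_text)
        routes, parts = [], []
        for prefix_text, origin in announcements:
            prefix = ipaddress.ip_network(prefix_text)
            if prefix.version != block.version or origin in expected:
                continue
            if prefix.subnet_of(block):
                parts.append(prefix)      # more-specific inside the block
            elif prefix.supernet_of(block):
                parts.append(block)       # covering route: whole block
            else:
                continue
            routes.append((str(prefix), origin))
        # Collapse nested/adjacent prefixes so space is not counted twice.
        merged = ipaddress.collapse_addresses(parts)
        covered = sum(net.num_addresses for net in merged)
        report[block_text] = {"routes": routes, "covered": covered,
                              "fraction": covered / block.num_addresses}
    return report


if __name__ == "__main__":
    for block, result in audit(MONITORED, ANNOUNCEMENTS).items():
        print(block, f"{result['fraction']:.2%}", result["routes"])
```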
Right of Reply – Elad Cohen
Elad Cohen was asked for comment regarding his campaign to join the RIPE NCC Executive Board. He declined to answer questions.
It must be noted that Cohen is not being accused of any illegal activity in this report.
RIPE NCC – We are aware of the allegations against Cohen
MyBroadband also asked RIPE NCC about Cohen’s candidacy for the Executive Board. The organisation confirmed that it was aware of the allegations against him.
“The RIPE NCC is a membership association under Dutch law. According to our rules, anyone can be supported as a candidate for the Executive Board elections,” a spokesperson for the organisation stated.
“Each member is entitled to make nominations [and] each member can support a nominee only once.”