Man connected to African IP address heist sues AFRINIC

The African Network Information Centre (AFRINIC) is being taken to court by one of the men whose name and company has been linked to the alleged misappropriation of African Internet resources.

AFRINIC is a Regional Internet Registry, one of five organisations around the world whose task it is to keep track of Internet Protocol (IP) addresses in their respective regions.

In a notice sent to individuals and organisations that hold IP addresses in the African region, AFRINIC CEO Eddy Kayihura stated that an application for an interim injunction against AFRINIC was brought before the Commercial Division of the Supreme Court of Mauritius.

Kayihura informed AFRINIC members that the application was lodged by Afri Holdings Ltd, Netstyle A. Ltd, and Elad Cohen.

Internet investigator Ron Guilmette has linked Netstyle and Cohen’s e-mail address to suspicious activity in the South African IP address space.

Affected IP addresses include a block that belongs to Sasol, and blocks which appear to belong to Tredcor, Afrox, Woolworths, and SITA.

Documents obtained in August 2019 also showed that Cohen is a director and shareholder of Afri Holdings Ltd.

The Great African IP Address Heist

Over several months, MyBroadband worked with Guilmette to look into the apparent theft of, and squatting on, vast swaths of valuable African IP addresses.

One portion of the investigation uncovered how an insider misappropriated large IP address blocks from AFRINIC’s free pool of addresses.

This free pool is the IP address space that AFRINIC holds in trust to give out to people or organisations that legitimately qualify to receive IP address space under its rules.

At least one person inside AFRINIC helped themselves to these unassigned IP addresses and sold them on the black market.

Since publishing our report, AFRINIC has summarily dismissed the insider in question and has taken back the IP address blocks that were taken from its free pool.

Legacy South African IP address blocks linked to Netstyle

Another part of our investigation involved address assignments referred to as “legacy” IP address blocks.

These blocks of addresses are particularly valuable because they do not attract AFRINIC’s annual fees, as they were assigned to companies in the early days of the Internet before AFRINIC existed.

While combing through Africa’s IP address space for an unrelated investigation, Guilmette discovered that Cohen’s Netstyle e-mail address ([email protected]) appeared in the RADb Internet Routing Registry (IRR) records for the following IP address blocks:

  • — Infoplan
  • — AECI Information Services
  • — Sasol
  • — Tredcor
  • — Wooltru
  • — Afrox MIS

When queried about the Infoplan, AECI, Sasol, Tredcor, and Wooltru blocks, Cohen stated that they (Netstyle) are the owners of all of those ranges, except the Sasol block. He also said that he regrets ever buying them.

Cohen said he paid millions of US dollars for the blocks via a US-based broker but did not state which broker he used.

When asked for the legal documentation regarding the purchases, he said: “The legal documents are with the USA lawyer involved, we will show them in any court.”

Cohen declined to answer questions about why his e-mail address appeared in an IRR record for a block of IP addresses which Sasol has reclaimed.

Application for injunction against AFRINIC

In his notice to AFRINIC members, Kayihura said that he was unable to divulge details regarding the contents of Cohen’s application as the matter is sub judice.

“The gist thereof concerns actions, i.e., both the reclaiming and reversal exercises, undertaken by AFRINIC so far in its endeavour to maintain the accuracy of the WHOIS database as well as preventing legacy resources appearing on its WHOIS database from being misappropriated,” Kayihura stated.

“Kindly note that AFRINIC still considers that we acted in good faith and in line with our mandate to provide accurate registration services. We have retained the services of legal advisers to defend the interests of AFRINIC.”

Kayihura also informed members that AFRINIC will be sending a notice to the “registered contacts” of the affected IP addresses so that they may take such action that they deem appropriate to protect their interests.

However, through the investigation that MyBroadband and Guilmette conducted we discovered that the registered contact information of many of the affected IP address blocks had already been changed to Cohen’s contact details.

Cohen confirmed this in a comment to MyBroadband.

“Changes of phone numbers fields to me were done after my purchases because I’m the new owner,” Cohen said.

When this was raised with Kayihura, he acknowledged the new information but declined to provide further comment as the matter is before the court.

MyBroadband also asked Cohen regarding his decision to take legal action against AFRINIC.

He also declined to comment and provided the following statement: “You are a liar, you are spreading lies, you are part of the illegal anonymous organization ‘The Spamhaus Project'”.

MyBroadband is not affiliated in any way with Spamhaus.

Now read: Man connected to African IP address heist running for board position at European IP address organisation

Latest news

Partner Content

Show comments


Share this article
Man connected to African IP address heist sues AFRINIC