Internet 25.01.2021

R1.3-billion worth of IP addresses stolen in brazen heist

The African Network Information Centre (AFRINIC) has released its long-awaited report of the internal audit it conducted after the discovery that the co-founder of the organisation had abused his position to steal large swaths of African Internet resources.

It confirmed an earlier statement from AFRINIC that a total of over 4.1 million Internet Protocol (IP) addresses had been misappropriated and provided a detailed account of the resources that were compromised.

AFRINIC revealed in the report that it only became aware that it might have an internal problem in 2019, after the United States Federal Bureau of Investigation (FBI) raised red flags.

“In or about March 2019, upon receipt of a Court Order from the Supreme Court of Mauritius following an application made by the [FBI], AFRINIC became aware of certain suspicious activities regarding several IPv4 address blocks which it held,” the report stated.

The term “IPv4 address blocks” refers to blocks of Internet Protocol version 4 addresses. Devices on the Internet require IP addresses to communicate with each other.

When you try to visit a website like mybroadband.co.za, the human-readable address is first translated into an IP address for your web browser to connect to.

You also need an IP address so that servers on the Internet can communicate back to your devices.

These IPv4 blocks have grown increasingly valuable as they have become a scarce resource.

The IPv4 standard only has room for fewer than 4.3 billion addresses. The actual number of addresses usable for Internet routing is much lower than that because large blocks are reserved for special uses.

While a newer standard called IPv6 allows for 340 undecillion addresses (that’s 340 with 36 zeroes behind it), it has not yet become widely adopted.

Conservative estimates indicate that a single IPv4 address is selling for around $20 on the reseller market.

At R15 per USD, that brings the total value of the compromised IP address blocks to around R1.25 billion.

Deeds office for the African Internet compromised

These IP address blocks were misappropriated by manipulating their records in the AFRINIC WHOIS database.

WHOIS is the concatenation of the words “who” and “is”, and is a standard used on the Internet to keep track of resources like domain names (e.g. mybroadband.co.za) and IP address blocks.

If you think of IP addresses as Internet “land” — property, or real estate — then the WHOIS record of an IP address block is like its title deed.

The AFRINIC WHOIS database is then like the Internet deeds office for the entire African region. And for the better part of the last decade, it was compromised.
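
One way a block holder could watch for the kind of record tampering described above, shown as an added example that is not from the article or from AFRINIC: it compares two saved snapshots of a WHOIS record and reports changes to the attributes that identify who controls the block. It assumes records in the RPSL-style `attribute: value` text format; the watch list and the sample record (a documentation address range with made-up handles) are constructed for illustration.

```python
# Added example (not from the article): flag custody-relevant changes between
# two snapshots of an RPSL-style WHOIS object. All sample data is constructed.
WATCHED = {"org", "admin-c", "tech-c", "mnt-by", "mnt-lower", "notify", "e-mail"}  # assumed watch list

def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}."""
    obj, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":      # blank line or server comment
            continue
        if line[0] in " \t+" and last:               # continuation of previous value
            obj[last][-1] += " " + line[1:].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            last = key.strip().lower()
            obj.setdefault(last, []).append(value.strip())
    return obj

def custody_changes(old_text, new_text):
    """Return (action, attribute, value) tuples for watched attributes only."""
    old, new = parse_rpsl(old_text), parse_rpsl(new_text)
    changes = []
    for attr in sorted(WATCHED):
        before, after = set(old.get(attr, [])), set(new.get(attr, []))
        changes += [("removed", attr, v) for v in sorted(before - after)]
        changes += [("added", attr, v) for v in sorted(after - before)]
    return changes

# Constructed snapshots of a fictitious record (192.0.2.0/24 is a documentation range).
OLD = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-LEGACY
descr:          Example Holdings (Pty) Ltd
admin-c:        EX1-TEST
tech-c:         EX2-TEST
mnt-by:         EXAMPLE-MNT
notify:         hostmaster@example.org
source:         TEST
"""
NEW = (OLD.replace("EX1-TEST", "EX9-TEST")            # admin contact swapped
          .replace("EXAMPLE-MNT", "OTHER-MNT")        # maintainer swapped
          .replace("hostmaster@example.org", "admin@example.net")
          .replace("(Pty) Ltd", "Ltd"))               # descr is unwatched, so ignored

if __name__ == "__main__":
    for action, attr, value in custody_changes(OLD, NEW):
        print(f"{action:8} {attr:10} {value}")
```

Any non-empty result for a block you hold is a reason to check the change against your own change records and contact the registry.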

Investigation timeline

In addition to providing an accounting of the Internet resources that were stolen from the people of Africa, AFRINIC’s report also revealed details about the organisation’s own investigation.

As mentioned previously, AFRINIC stated that it became aware it had a problem around March 2019 thanks to the FBI approaching the Supreme Court of Mauritius regarding “certain suspicious activities”.

“A preliminary investigation carried out internally also revealed that internal staff may, without any lawful authority, have acted in collusion with other third parties,” AFRINIC stated.

What the AFRINIC report did not mention was that Internet investigator and activist Ron Guilmette had tried to call attention to the issue as far back as November 2016.

Guilmette’s crusade against spammers on the Internet had brought him to several significant chunks of IP addresses in the AFRINIC region, and he raised the issues he spotted on several public mailing lists.

For years it went ignored. Only after Guilmette set about trying to unravel for himself what was happening in the AFRINIC region, and reached out to journalists in South Africa, did the issue attract any meaningful attention.

Based on AFRINIC’s timelines, it was conducting its own investigation parallel to the one by MyBroadband and Guilmette.

However, it only took action following the publication of two major reports on MyBroadband.

AFRINIC also acknowledged that MyBroadband’s investigation exposed that the registration information for misappropriated IP address blocks had been compromised.

In essence, the title deeds of vast swaths of African Internet resources had been tampered with.

A summary of the timeline of the investigations is as follows:

  • November 2016: Ron Guilmette called attention to problems with certain IP address blocks in the African region on an AFRINIC mailing list.
  • August 2017: Guilmette once again tried to call attention to problems on a public network operator group mailing list.
  • March 2019: The FBI obtains a court order from the Supreme Court of Mauritius regarding “certain suspicious activities” in the AFRINIC region.
  • April 2019: Former AFRINIC CEO Alan Barrett informed the AFRINIC board about the manipulation of data in their WHOIS database.
  • 1 July 2019: Guilmette set about trying to unravel what had really happened in the AFRINIC region.
  • End July 2019: Barrett, now the outgoing CEO, delivered a report about the misappropriation of IP addresses to the AFRINIC board. The board commissioned an investigation with the help of APNIC, a sister organisation that looks after Internet resources in the Asia-Pacific region.
  • August 2019: Guilmette contacted South African technology journalists with the story, asking for help to track down companies, spokespeople, and former IT administrators to confirm his theory.
  • 1 September 2019: MyBroadband published its first report on the investigation, titled “The big South African IP address heist – How millions are made on the ‘grey’ market”.
  • 4 December 2019: MyBroadband published its second report, titled “How Internet resources worth R800 million were stolen and sold on the black market”, presenting evidence that AFRINIC co-founder and engineer Ernest Byaruhanga had profited from the theft and sale of African Internet resources.
  • December 2019: APNIC submitted its findings of an initial internal investigation. AFRINIC stated that the findings were serious enough that they led to the dismissal of “a former AFRINIC staff [member] who was found to have made an abusive use of his rights and privileges as the then AFRINIC hostmaster.”
  • 10 December 2019: Newly-appointed AFRINIC CEO Eddy Kayihura opened a criminal case with the Mauritian Police against Byaruhanga.
  • 13 December 2019: Byaruhanga was dismissed following the outcome of a disciplinary hearing.
  • January-July 2020: During 2020 AFRINIC reclaimed, reverted, or quarantined several IPv4 blocks identified as misappropriated.
  • August 2020: AFRINIC informed its members that it was being taken to court by Afri Holdings Ltd, Netstyle A. Ltd, and Mr Elad Cohen due to its actions to recover some of the IPv4 address blocks identified as misappropriated.
  • 15 November 2020: MyBroadband published another report detailing how legacy IPv4 address blocks were misappropriated and misleading contact information inserted into their WHOIS records. Through PAIA requests and industry sources, we published evidence that the bogus email addresses trace back to two individuals: Maikel Uerlings and Elad Cohen. AFRINIC has removed these bogus emails from the WHOIS database.
  • 21 January 2021: AFRINIC published its report on the internal audit of its WHOIS database.

MyBroadband asked Maikel Uerlings and Elad Cohen to comment on the information published in our 15 November 2020 report.

Cohen denied any wrongdoing and denied that he is in business with Uerlings. He also continued to decline to provide documents to prove that he bought the legacy IP address blocks in question from the previous owners.

Cohen previously told MyBroadband that he would show the legal documents in any court and that they “are with the USA lawyer involved”.

Uerlings did not respond to requests for comment.

The Heist: Part 1 — Theft of IP addresses from the AFRINIC free pool

The following table summarises the IPv4 address blocks that were identified as stolen from AFRINIC’s “free pool” to sell on the black market.

In addition to the blocks already identified by MyBroadband in the past, AFRINIC revealed that blocks registered to Fibre Grid Inc. and LogicWeb Inc were also misappropriated.

| IP address block(s) | Registered entity | Estimated value | Status |
|---|---|---|---|
| 165.52.0.0/14, 137.171.0.0/16, 160.184.0.0/16, 168.211.0.0/16 | CGHB | R137,625,600 | Reclaimed / history purged |
| 196.62.0.0/16, 160.181.0.0/16, 160.255.0.0/16, 196.192.192.0/18, 196.207.64.0/18, 213.247.0.0/19 | Link Data Group | R71,270,400 | Reclaimed / history purged |
| 196.45.112.0/20, 196.194.0.0/15, 196.193.0.0/16, 196.246.0.0/16, 196.63.0.0/16, 196.42.128.0/17 | ITC | R109,363,200 | Reclaimed / history purged |
| 196.196.0.0/14, 196.56.0.0/14, 196.240.0.0/13 | Fiber Grid Inc | R314,572,800 | Under review |
| 196.52.0.0/14 | LogicWeb Inc | R80,845,209.60 | Reclaimed / history purged |

The Heist: Part 2 — Misappropriation of legacy IP address blocks

So-called “legacy” IPv4 address blocks are particularly valuable because they do not attract AFRINIC’s annual fees.

This is because they were assigned to companies, organisations, and government agencies in the early days of the Internet before AFRINIC existed.

The following table summarises the legacy IPv4 address blocks that were identified as misappropriated.

In addition to the blocks MyBroadband previously identified, AFRINIC added an additional block for Trafex, as well as the Syfrets, NBS Bank, Fibre Grid / Afriq*Access, and Netconnect blocks.

Where a block is tagged as “status quo”, AFRINIC has stated that the status quo is being maintained on that block until its custodian can be determined.

Blocks tagged as “disputed” indicate that a dispute over custodianship is underway. The status quo will be maintained until the matter is resolved.

“Pending” means that an investigation into a block’s custodianship is underway.

A block flagged as “Status quo” has had bogus email addresses removed from its WHOIS record, but otherwise the status quo is being maintained until the rightful custodian of the block can be determined.

| IP address block(s) | Historical owner | Currently registered owner | Estimated value | Likely or confirmed owner | Status |
|---|---|---|---|---|---|
| 192.96.146.0/24 | Cape of Good Hope Bank Limited | Nedbank (previously: CGHB) | R76,800 | Nedbank | Reclaimed – Nedbank |
| 163.201.0.0/16 | Syfrets | Nedbank | R1,228,800 | | Reclaimed – Nedbank |
| 163.199.0.0/16 | NBS Bank | Nedbank | R1,228,800 | | Reclaimed – Nedbank |
| 198.54.232.0/24 | Link Data Solutions | Link Data Group | R76,800 * | Link Data Solutions | AFRINIC quarantined |
| 165.231.0.0/16 | Afriq*Access | Fibre Grid Inc | R19,660,800 | Unknown | Pending Fibre Grid response |
| 196.16.0.0/14, 196.4.36.0/22, 196.4.40.0/22, 196.4.44.0/23 | Infoplan | Network and Information Technology Limited | R79,411,200 | SITA | Status quo |
| 196.9.0.0/16 | Arivia | T-Systems | R19,660,800 | T-Systems | Reclaimed – T-Systems |
| 196.10.64.0/19, 196.10.61.0/24, 196.10.62.0/23 | Nampak | Nampak | R22,348,800 | Nampak | AFRINIC quarantined |
| 160.121.0.0/16 | Mega Plastics | Mega Plastics | | | Status quo |
| 155.235.0.0/16 | Afrox MIS | Afrox / Linde Group | R19,660,800 | Afrox / Linde Group | Reclaimed – African Oxygen Limited |
| 152.108.0.0/16 | Transtel | Liquid Telecom | R19,660,800 | Liquid Telecom | Reclaimed – Liquid Telecom |
| 155.237.0.0/16, 169.129.0.0/16 | Sasol | Sasol | R39,321,600 | Sasol | Reclaimed – Sasol |
| 165.25.0.0/16 | Directorate of Information Services (Cape Town) | City of Cape Town | R19,660,800 | City of Cape Town | Reclaimed – City of Cape Town |
| 160.122.0.0/16 | Tredcor in South Africa | Trentyre | R19,660,800 | Goodyear/Trentyre | Reclaimed – Trentyre and Goodyear |
| 168.80.0.0/15 | AECI Information Services in South Africa | AECI Information Services in South Africa | R39,321,600 | DXC Technology | Status quo – DXC/HP claims ownership |
| 165.3.0.0/16, 165.4.0.0/16, 165.5.0.0/16 | Wooltru | Woolworths | R58,982,400 | Woolworths | Reclaimed – Woolworths |
| 160.115.0.0/16 | Columbus Stainless | Columbus Stainless | R19,660,800 | Columbus Stainless | Reclaimed – Columbus |
| 168.76.0.0/16 | Free State Education Department | Free State Education Department | R19,660,800 | Free State Education Department | Pending due diligence |
| 160.116.0.0/16 | Affiliated Computing Services (Pty) Ltd | Affiliated Computing Services (Pty) Ltd | R19,660,800 | Affiliated Computing Services (Pty) Ltd | Status quo |
| 168.206.0.0/16 | The Atomic Energy Board | The Atomic Energy Board | R19,660,800 | NECSA | Disputed |
| 155.159.0.0/16 | Safren Computer Services | Safren Computer Services | R19,660,800 | Safmarine / Maersk | Status quo |
| 164.155.0.0/16 | Sentrachem Limited | Sentrachem Limited | R19,660,800 | Sentrachem Limited | Status quo |
| 163.197.0.0/16 | Anglo American | Anglo American | R19,660,800 | Anglo American | Status quo |
| 196.15.64.0/18, 192.96.148.0/24 | Trafex | Trafex | R4,992,000 | AT&T | Status quo |
| 163.198.0.0/16 | Agrihold | Agrihold | R19,660,800 | Dow Agrosciences | Status quo |
| 164.88.0.0/16 | Argus Holdings | Argus Holdings | R19,660,800 | Independent Media / Sekunjalo | AFRINIC quarantined |
| 196.3.112.0/22 | Netconnect South Africa | Netconnect CC | R307,200 | Netconnect CC | Reclaimed – Netconnect |
