R1.3-billion worth of IP addresses stolen in brazen heist
The African Network Information Centre (AFRINIC) has released its long-awaited report of the internal audit it conducted after the discovery that the co-founder of the organisation had abused his position to steal large swaths of African Internet resources.
It confirmed an earlier statement from AFRINIC that a total of over 4.1 million Internet Protocol (IP) addresses had been misappropriated and provided a detailed account of the resources that were compromised.
AFRINIC revealed in the report that it only became aware that it may have an internal problem in 2019, after the United States Federal Bureau of Investigation (FBI) raised red flags.
“In or about March 2019, upon receipt of a Court Order from the Supreme Court of Mauritius following an application made by the [FBI], AFRINIC became aware of certain suspicious activities regarding several IPv4 address blocks which it held,” the report stated.
The term “IPv4 address blocks” refers to blocks of Internet Protocol version 4 addresses. Devices on the Internet require IP addresses to communicate with each other.
When you try to visit a website like mybroadband.co.za, the human-readable address is first translated into an IP address for your web browser to connect to.
You also need an IP address so that servers on the Internet can communicate back to your devices.
These IPv4 blocks have grown increasingly valuable as they have become a scarce resource.
The IPv4 standard only has room for less than 4.3 billion addresses. The actual number of addresses usable for Internet routing is much lower than that because large blocks are reserved for special uses.
While a newer standard called IPv6 allows for 340 undecillion addresses (that’s 340 with 36 zeroes behind it), it has not yet become widely adopted.
Conservative estimates indicate that a single IPv4 address is selling for around $20 on the reseller market.
At R15 per USD, that brings the total value of the compromised IP address blocks to around R1.25 billion.
Deeds office for the African Internet compromised
These IP address blocks were misappropriated by manipulating their records in the AFRINIC WHOIS database.
WHOIS is the concatenation of the words “who” and “is”, and is a standard used on the Internet to keep track of resources like domain names (e.g. mybroadband.co.za) and IP address blocks.
If you think of IP addresses as Internet “land” — property, or real estate — then the WHOIS record of an IP address block is like its title deed.
The AFRINIC WHOIS database is then like the Internet deeds office for the entire African region. And for the better part of the last decade, it was compromised.
Investigation timeline
In addition to providing an accounting of the Internet resources that were stolen from the people of Africa, AFRINIC’s report also revealed details about the organisation’s own investigation.
As mentioned previously, AFRINIC stated that it became aware it had a problem around March 2019 thanks to the FBI approaching the Supreme Court of Mauritius regarding “certain suspicious activities”.
“A preliminary investigation carried out internally also revealed that internal staff may, without any lawful authority, have acted in collusion with other third parties,” AFRINIC stated.
What the AFRINIC report did not mention was that Internet investigator and activist Ron Guilmette had tried to call attention to the issue as far back as November 2016.
Guilmette’s crusade against spammers on the Internet had brought him to several significant chunks of IP addresses in the AFRINIC region, and he raised the issues he spotted on several public mailing lists.
For years it went ignored. Only after Guilmette set about trying to unravel for himself what was happening in the AFRINIC region, and reached out to journalists in South Africa, did the issue attract any meaningful attention.
Based on AFRINIC’s timelines, it was conducting its own investigation parallel to the one by MyBroadband and Guilmette.
However, it only took action following the publication of two major reports on MyBroadband.
AFRINIC also acknowledged that MyBroadband’s investigation exposed that the registration information for misappropriated IP address blocks had been compromised.
In essence, the title deeds of vast swaths of African Internet resources had been tampered with.
A summary of the timeline of the investigations is as follows:
- November 2016: Ron Guilmette called attention to problems with certain IP address blocks in the African region on an AFRINIC mailing list.
- August 2017: Guilmette once again tried to call attention to problems on a public network operator group mailing list.
- March 2019: The FBI obtains a court order from the Supreme Court of Mauritius regarding “certain suspicious activities” in the AFRINIC region.
- April 2019: Former AFRINIC CEO Alan Barrett informed the AFRINIC board about the manipulation of data in their WHOIS database.
- 1 July 2019: Guilmette set about trying to unravel what had really happened in the AFRINIC region.
- End of July 2019: Barrett, now the outgoing CEO, delivered a report about the misappropriation of IP addresses to the AFRINIC board. The board commissioned an investigation with the help of APNIC, a sister organisation that looks after Internet resources in the Asia-Pacific region.
- August 2019: Guilmette contacted South African technology journalists with the story, asking for help to track down companies, spokespeople, and former IT administrators to confirm his theory.
- 1 September 2019: MyBroadband published its first report on the investigation, titled “The big South African IP address heist – How millions are made on the ‘grey’ market”.
- 4 December 2019: MyBroadband published its second report, titled “How Internet resources worth R800 million were stolen and sold on the black market”, presenting evidence that AFRINIC co-founder and engineer Ernest Byaruhanga had profited from the theft and sale of African Internet resources.
- December 2019: APNIC submitted its findings of an initial internal investigation. AFRINIC stated that the findings were serious enough that it led to the dismissal of “a former AFRINIC staff [member] who was found to have made an abusive use of his rights and privileges as the then AFRINIC hostmaster.”
- 10 December 2019: Newly-appointed AFRINIC CEO Eddy Kayihura opened a criminal case with the Mauritian Police against Byaruhanga.
- 13 December 2019: Byaruhanga was dismissed following the outcome of a disciplinary hearing.
- January to July 2020: AFRINIC reclaimed, reverted, or quarantined several IPv4 blocks identified as misappropriated.
- August 2020: AFRINIC informed its members that it was being taken to court by Afri Holdings Ltd, Netstyle A. Ltd, and Mr Elad Cohen due to its actions to recover some of the IPv4 address blocks identified as misappropriated.
- 15 November 2020: MyBroadband published another report detailing how legacy IPv4 address blocks were misappropriated and misleading contact information inserted into their WHOIS records. Through PAIA requests and industry sources, we published evidence that the bogus email addresses trace back to two individuals: Maikel Uerlings and Elad Cohen. AFRINIC has removed these bogus emails from the WHOIS database.
- 21 January 2021: AFRINIC published its report on the internal audit of its WHOIS database.
MyBroadband asked Maikel Uerlings and Elad Cohen to comment on the information published in our 15 November 2020 report.
Cohen denied any wrongdoing and denied that he is in business with Uerlings. He also continued to decline to provide documents to prove that he bought the legacy IP address blocks in question from the previous owners.
Cohen previously told MyBroadband that he would show the legal documents in any court and that they “are with the USA lawyer involved”.
Uerlings did not respond to requests for comment.
The Heist: Part 1 — Theft of IP addresses from the AFRINIC free pool
The following table summarises the IPv4 address blocks that were identified as stolen from AFRINIC’s “free pool” to sell on the black market.
In addition to the blocks already identified by MyBroadband in the past, AFRINIC revealed that blocks registered to Fibre Grid Inc. and LogicWeb Inc were also misappropriated.
IP address block(s) | Registered entity | Estimated value | Status
---|---|---|---
165.52.0.0/14 | CGHB | R137,625,600 | Reclaimed / history purged
137.171.0.0/16 | | |
160.184.0.0/16 | | |
168.211.0.0/16 | | |
196.62.0.0/16 | Link Data Group | R71,270,400 | Reclaimed / history purged
160.181.0.0/16 | | |
160.255.0.0/16 | | |
196.192.192.0/18 | | |
196.207.64.0/18 | | |
213.247.0.0/19 | | |
196.45.112.0/20 | ITC | R109,363,200 | Reclaimed / history purged
196.194.0.0/15 | | |
196.193.0.0/16 | | |
196.246.0.0/16 | | |
196.63.0.0/16 | | |
196.42.128.0/17 | | |
196.196.0.0/14 | Fiber Grid Inc | R314,572,800 | Under review
196.56.0.0/14 | | |
196.240.0.0/13 | | |
196.52.0.0/14 | LogicWeb Inc | R80,845,209.60 | Reclaimed / history purged
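As an added example (not part of the article or of AFRINIC’s report), the following Python script recomputes the “Estimated value” column of the free-pool table from the prefix lengths, using the article’s own rate of $20 per address at R15 per USD, flags rows whose stated value does not match, and reports any listed prefixes that overlap one another, since overlapping prefixes are counted twice in the totals. The table rows are transcribed from the article above.

```python
import ipaddress

# Rate the article assumes: $20 per IPv4 address at R15 per USD, i.e. R300 per address.
USD_PER_ADDRESS = 20
RAND_PER_USD = 15
RAND_PER_ADDRESS = USD_PER_ADDRESS * RAND_PER_USD

# Transcribed from the article's free-pool table: (registered entity, prefixes, stated value in Rand).
FREE_POOL = [
    ("CGHB", ["165.52.0.0/14", "137.171.0.0/16", "160.184.0.0/16", "168.211.0.0/16"], 137_625_600),
    ("Link Data Group", ["196.62.0.0/16", "160.181.0.0/16", "160.255.0.0/16",
                         "196.192.192.0/18", "196.207.64.0/18", "213.247.0.0/19"], 71_270_400),
    ("ITC", ["196.45.112.0/20", "196.194.0.0/15", "196.193.0.0/16", "196.246.0.0/16",
             "196.63.0.0/16", "196.42.128.0/17"], 109_363_200),
    ("Fiber Grid Inc", ["196.196.0.0/14", "196.56.0.0/14", "196.240.0.0/13"], 314_572_800),
    ("LogicWeb Inc", ["196.52.0.0/14"], 80_845_209.60),
]

def address_count(prefixes):
    """Total IPv4 addresses covered by a list of CIDR prefixes; strict=True rejects malformed ones."""
    return sum(ipaddress.ip_network(p, strict=True).num_addresses for p in prefixes)

def reconcile(rows, rand_per_address=RAND_PER_ADDRESS):
    """Map entity -> (addresses, computed value, stated value, whether stated matches computed)."""
    result = {}
    for entity, prefixes, stated in rows:
        n = address_count(prefixes)
        computed = n * rand_per_address
        result[entity] = (n, computed, stated, abs(computed - stated) < 0.5)
    return result

def overlapping_prefixes(rows):
    """Pairs of listed prefixes that overlap; their addresses are double-counted in the totals."""
    nets = [(entity, ipaddress.ip_network(p)) for entity, prefixes, _ in rows for p in prefixes]
    return [(e1, str(n1), e2, str(n2))
            for i, (e1, n1) in enumerate(nets)
            for e2, n2 in nets[i + 1:]
            if n1.overlaps(n2)]

if __name__ == "__main__":
    report = reconcile(FREE_POOL)
    for entity, (n, computed, stated, ok) in report.items():
        print(f"{entity:16} {n:>9,} addresses  computed R{computed:,.2f}  "
              f"stated R{stated:,.2f}  {'OK' if ok else 'MISMATCH'}")
    total = sum(v[0] for v in report.values())
    print(f"Free-pool total: {total:,} addresses, about R{total * RAND_PER_ADDRESS / 1e6:,.0f} million")
    for e1, p1, e2, p2 in overlapping_prefixes(FREE_POOL):
        print(f"Overlap: {p1} ({e1}) overlaps {p2} ({e2})")
```

Run as-is, it shows that four of the five stated values are exactly addresses × R300, that the LogicWeb figure does not fit that formula, and that 196.246.0.0/16 (ITC) lies inside 196.240.0.0/13 (Fiber Grid Inc), so those 65,536 addresses appear twice in the table.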
The Heist: Part 2 — Misappropriation of legacy IP address blocks
So-called “legacy” IPv4 address blocks are particularly valuable because they do not attract AFRINIC’s annual fees.
This is because they were assigned to companies, organisations, and government agencies in the early days of the Internet before AFRINIC existed.
The following table summarises the legacy IPv4 address blocks that were identified as misappropriated.
In addition to the blocks MyBroadband previously identified, AFRINIC’s report added a second block for Trafex, as well as the Syfrets, NBS Bank, Fibre Grid / Afriq*Access, and Netconnect blocks.
AFRINIC explained the status tags used in the table as follows:
- “Status quo”: bogus email addresses have been removed from the block’s WHOIS record, but the record is otherwise being left as it is until the rightful custodian of the block can be determined.
- “Disputed”: a dispute over custodianship of the block is underway, and the status quo will be maintained until the matter is resolved.
- “Pending”: an investigation into the block’s custodianship is underway.
IP address block(s) | Historical owner | Currently registered owner | Estimated value | Likely or confirmed owner | Status
---|---|---|---|---|---
192.96.146.0/24 | Cape of Good Hope Bank Limited | Nedbank (previously: CGHB) | R76,800 | Nedbank | Reclaimed – Nedbank
163.201.0.0/16 | Syfrets | Nedbank | R1,228,800 | | Reclaimed – Nedbank
163.199.0.0/16 | NBS Bank | Nedbank | R1,228,800 | | Reclaimed – Nedbank
198.54.232.0/24 | Link Data Solutions | Link Data Group | R76,800 | * Link Data Solutions | AFRINIC quarantined
165.231.0.0/16 | Afriq*Access | Fibre Grid Inc | R19,660,800 | Unknown | Pending Fibre Grid response
196.16.0.0/14 | Infoplan | Network and Information Technology Limited | R79,411,200 | SITA | Status quo
196.4.36.0/22 | | | | |
196.4.40.0/22 | | | | |
196.4.44.0/23 | | | | |
196.9.0.0/16 | Arivia | T-Systems | R19,660,800 | T-Systems | Reclaimed – T-Systems
196.10.64.0/19 | Nampak | Nampak | R22,348,800 | Nampak | AFRINIC quarantined
196.10.61.0/24 | | | | |
196.10.62.0/23 | | | | |
160.121.0.0/16 | Mega Plastics | Mega Plastics | | | Status quo
155.235.0.0/16 | Afrox MIS | Afrox / Linde Group | R19,660,800 | Afrox / Linde Group | Reclaimed – African Oxygen Limited
152.108.0.0/16 | Transtel | Liquid Telecom | R19,660,800 | Liquid Telecom | Reclaimed – Liquid Telecom
155.237.0.0/16 | Sasol | Sasol | R39,321,600 | Sasol | Reclaimed – Sasol
169.129.0.0/16 | | | | |
165.25.0.0/16 | Directorate of Information Services (Cape Town) | City of Cape Town | R19,660,800 | City of Cape Town | Reclaimed – City of Cape Town
160.122.0.0/16 | Tredcor in South Africa | Trentyre | R19,660,800 | Goodyear/Trentyre | Reclaimed – Trentyre and Goodyear
168.80.0.0/15 | AECI Information Services in South Africa | AECI Information Services in South Africa | R39,321,600 | DXC Technology | Status quo – DXC/HP claims ownership
165.3.0.0/16 | Wooltru | Woolworths | R58,982,400 | Woolworths | Reclaimed – Woolworths
165.4.0.0/16 | | | | |
165.5.0.0/16 | | | | |
160.115.0.0/16 | Columbus Stainless | Columbus Stainless | R19,660,800 | Columbus Stainless | Reclaimed – Columbus
168.76.0.0/16 | Free State Education Department | Free State Education Department | R19,660,800 | Free State Education Department | Pending due diligence
160.116.0.0/16 | Affiliated Computing Services (Pty) Ltd | Affiliated Computing Services (Pty) Ltd | R19,660,800 | Affiliated Computing Services (Pty) Ltd | Status quo
168.206.0.0/16 | The Atomic Energy Board | The Atomic Energy Board | R19,660,800 | NECSA | Disputed
155.159.0.0/16 | Safren Computer Services | Safren Computer Services | R19,660,800 | Safmarine / Maersk | Status quo
164.155.0.0/16 | Sentrachem Limited | Sentrachem Limited | R19,660,800 | Sentrachem Limited | Status quo
163.197.0.0/16 | Anglo American | Anglo American | R19,660,800 | Anglo American | Status quo
196.15.64.0/18 | Trafex | Trafex | R4,992,000 | AT&T | Status quo
192.96.148.0/24 | | | | |
163.198.0.0/16 | Agrihold | Agrihold | R19,660,800 | Dow Agrosciences | Status quo
164.88.0.0/16 | Argus Holdings | Argus Holdings | R19,660,800 | Independent Media / Sekunjalo | AFRINIC quarantined
196.3.112.0/22 | Netconnect South Africa | Netconnect CC | R307,200 | Netconnect CC | Reclaimed – Netconnect