Security | 15.11.2020

The Great African IP Address Heist – South African Internet resources worth R558 million usurped with shady domains

New information uncovered by MyBroadband, together with Internet investigator Ron Guilmette, has linked two men to bogus e-mail addresses found in the records of misappropriated South African Internet resources.

This follows an investigation into the apparent theft of swaths of valuable African Internet Protocol (IP) address space, said to be worth millions of dollars on the reseller market.

One part of the investigation uncovered how an insider misappropriated several large IP address blocks from the African Network Information Centre (AFRINIC), the very organisation entrusted to safeguard and maintain the integrity of the ownership database for Africa’s IP address space.

The investigation found that at least one insider stole blocks of IP address space from AFRINIC’s own free pool — the addresses that the organisation holds in trust to give out to people or organisations that legitimately qualify to receive IP address space under its rules.

This insider helped himself to these unassigned IP addresses and sold them on the black market.

Since publishing our report a year ago, AFRINIC has summarily dismissed the insider in question and has taken back a significant proportion of the IP address blocks that were stolen from its free pool.

“Legacy” South African IP address blocks with bogus e-mail contact info

Another part of our investigation involved address assignments referred to as “legacy” IP address blocks.

These blocks of addresses are particularly valuable because they do not attract AFRINIC’s annual fees, as they were assigned to companies, organisations, and government agencies in the early days of the Internet before AFRINIC existed.

While combing through Africa’s IP address space in an unrelated investigation, Guilmette discovered that various legacy IP address blocks that appeared to belong to South African companies and government entities were being routed by overseas network operators rather than local ones.

Under normal circumstances, this would have potentially pointed to what is known as “route squatting” — where an unauthorised operator “squats” on a block of IP addresses that do not belong to it.

However, a closer inspection of the IP address blocks in question through AFRINIC’s public WHOIS database revealed that their ownership records had been manipulated.

WHOIS, the concatenation of “who is”, is a type of database that stores information about Internet resources. It is commonly associated with domain names like mybroadband.co.za, but regional Internet registries like AFRINIC also maintain public WHOIS databases to track the ownership of IP address blocks.

If you think of IP addresses like online property, or Internet real estate, then AFRINIC’s WHOIS database is like the deeds office for the whole African region.

Guilmette believed that he had uncovered evidence that the title deeds to some of Africa’s most valuable Internet resources had been tampered with.

Among other concerning changes, Guilmette noticed that the e-mail contact information of various South African legacy IP address blocks had been changed to new, misleading e-mail addresses.

For example, a block of IP addresses registered to Sasol, but which was being routed by the US-based Cogent Communications, had a former employee named Riaan Kotze as the listed contact. However, the e-mail address on file was a Gmail address ([email protected]) — a strange occurrence for a large state-owned enterprise with its own domain (sasol.com).

Other examples were far more overt, such as a block of IP addresses registered to Transnet with an e-mail address of [email protected]. However, when you actually visited the transtel.co.za website you were redirected to lv.net — the website of a Las Vegas-based Internet service provider.

In other words, these domains and e-mail addresses were identified as “shady”, “bogus”, or “phoney” because they are misleading: each imitates the name of an organisation it has no connection with.

Dois.capetown actually has nothing to do with the City of Cape Town. Transtel.co.za has nothing to do with the former Transtel, Transnet, Neotel, or Liquid Telecom. Noc-nampak.co.za has nothing to do with Nampak.
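The pattern described above, a contact address at a free webmail provider or at a domain that merely resembles the organisation's name, can be checked mechanically against WHOIS output. The script below is an added example and is not tooling from MyBroadband, Ron Guilmette or AFRINIC. The records in SAMPLE_WHOIS are constructed and simplified RPSL-style objects using the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; the only details taken from the article are that Sasol's own domain is sasol.com and that transtel.co.za was used as a contact domain for a Transnet block. The other expected domains (the ".example" entries) are placeholders.

```python
"""Flag suspicious contact e-mail addresses in RIR WHOIS (RPSL-style) records.

Added example, not tooling from MyBroadband, Ron Guilmette or AFRINIC.
SAMPLE_WHOIS is constructed: documentation address ranges, placeholder
contacts and maintainers; only sasol.com and transtel.co.za come from the article.
"""
from dataclasses import dataclass

# A company-sized resource holder normally uses its own domain, so a free
# webmail provider as the listed contact is worth a second look.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Domains each organisation is expected to use for its contacts. sasol.com is
# named in the article; the ".example" entries are placeholders (RFC 2606).
EXPECTED_DOMAINS = {
    "Sasol": {"sasol.com"},
    "Transnet": {"transnet.example"},
    "Example Holdings": {"example-holdings.example"},
}

SAMPLE_WHOIS = """\
% Constructed sample, not real AFRINIC output

inetnum:        192.0.2.0 - 192.0.2.255
netname:        SASOL-NET
descr:          Sasol
country:        ZA
admin-c:        AB1-AFRINIC
tech-c:         AB1-AFRINIC
e-mail:         netadmin@gmail.com
mnt-by:         AB-MNT
source:         AFRINIC

inetnum:        198.51.100.0 - 198.51.100.255
netname:        TRANSNET-NET
descr:          Transnet
country:        ZA
e-mail:         noc@transtel.co.za
mnt-by:         AB-MNT
source:         AFRINIC

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example Holdings
country:        ZA
e-mail:         noc@example-holdings.example
e-mail:         hostmaster@ops.example-holdings.example
mnt-by:         AB-MNT
source:         AFRINIC
"""


@dataclass
class Finding:
    block: str
    address: str
    reason: str


def parse_whois_objects(text):
    """Split RPSL-style output into objects, each a dict of key -> [values].

    Objects are separated by blank lines; attributes may repeat (e-mail,
    descr), so every key maps to a list. '%' and '#' lines are comments.
    """
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def email_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def domain_belongs_to(domain, expected):
    """True if domain equals, or is a subdomain of, any expected domain.

    The dot prefix matters: a look-alike such as noc-nampak.co.za must not
    pass for nampak.co.za just because it ends in the same characters.
    """
    return any(domain == e or domain.endswith("." + e) for e in expected)


def audit_contacts(objects, expected_domains):
    """Return a Finding for every inetnum contact address that looks wrong."""
    findings = []
    for obj in objects:
        if "inetnum" not in obj:
            continue
        block = obj["inetnum"][0]
        org = obj.get("descr", ["(no descr)"])[0]
        expected = {d.lower() for d in expected_domains.get(org, ())}
        for address in obj.get("e-mail", []):
            domain = email_domain(address)
            if domain in FREEMAIL_DOMAINS:
                findings.append(Finding(block, address, "free webmail provider used as contact"))
            elif expected and not domain_belongs_to(domain, expected):
                findings.append(Finding(block, address,
                                        f"contact domain {domain} is not a known domain of {org}"))
    return findings


if __name__ == "__main__":
    for f in audit_contacts(parse_whois_objects(SAMPLE_WHOIS), EXPECTED_DOMAINS):
        print(f"{f.block}: {f.address} ({f.reason})")
```

Run against the constructed records, the Sasol block is flagged for its Gmail contact and the Transnet block for the transtel.co.za contact, while the third block passes because both of its contacts sit under the organisation's expected domain. A block whose organisation has no entry in EXPECTED_DOMAINS is only checked against the free-mail list; building that expected-domain table from the holder's own records is the part of the audit that still needs a human.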

Valuable Internet resources stolen from Africa

This manipulation of the AFRINIC WHOIS database using phoney domains and e-mail addresses led Guilmette to conclude that the IP address blocks in question were not merely being squatted on, but had been stolen by someone who hoped to profit from them.

The following table lists the legacy IP address blocks, along with their current registered owner, the historical owner, and the contact information in the WHOIS database that made it suspicious.

It also lists the company or government entity that our investigation identified as the most likely owner of an IP address block. Several institutions have already confirmed that they are the owners of the blocks in question.

Our initial report on this issue, published last year and titled The big South African IP address heist – How millions are made on the “grey” market, has more details on the investigation into the ownership of these blocks.

| IP address block(s) | Likely / confirmed owner | Historical owner | Current registered owner | Suspicious AFRINIC WHOIS contact(s) |
|---|---|---|---|---|
| 192.96.146.0/24 | Nedbank | Cape of Good Hope Bank Limited | Nedbank (previously: CGHB) | [email protected], [email protected] |
| 198.54.232.0/24 * | Link Data Solutions | Link Data Solutions | Link Data Group | [email protected], [email protected] |
| 196.16.0.0/14 | SITA | Infoplan | Network and Information Technology Limited | info@networkandinformationtechnology.com |
| 196.4.36.0/22 | | | | [email protected], info@networkandinformationtechnology.com |
| 196.4.40.0/22 | | | | |
| 196.4.44.0/23 | | | | |
| 196.9.0.0/16 | T-Systems | Arivia | T-Systems | [email protected] |
| 196.10.64.0/19 | Nampak | Nampak | Nampak | [email protected] |
| 196.10.61.0/24 | | | | |
| 196.10.62.0/23 | | | | |
| 160.121.0.0/16 | Mega Plastics | Mega Plastics | | |
| 155.235.0.0/16 | Afrox / Linde Group | Afrox MIS | Afrox / Linde Group | [email protected] |
| 152.108.0.0/16 | Liquid Telecom | Transtel | Transtel | [email protected] |
| 155.237.0.0/16 | Sasol | Sasol | Sasol | [email protected] |
| 169.129.0.0/16 | | | | |
| 165.25.0.0/16 | City of Cape Town | Directorate of Information Services (Cape Town) | City of Cape Town | [email protected] |
| 160.122.0.0/16 | Goodyear | Tredcor | Trentyre | [email protected] |
| 168.80.0.0/15 | DXC Technology | AECI Information Services | AECI Information Services | [email protected] |
| 165.3.0.0/16 | Woolworths | Wooltru | Woolworths | [email protected] |
| 165.4.0.0/16 | | | | |
| 165.5.0.0/16 | | | | |
| 160.115.0.0/16 | Columbus Stainless | Columbus Stainless | Columbus Stainless (formerly: Infinite Telecoms and Connectivity Internet) | hennie.vandermerwe@infinite-telecom.co.za, riaan.kotze@connectivityinternet.co.za |
| 168.76.0.0/16 | Free State Education Department | Free State Education Department | Free State Education Department | [email protected] |
| 160.116.0.0/16 | Affiliated Computing Services | Affiliated Computing Services | Affiliated Computing Services | louise.mony@affiliatedcomputingservices.co.za |
| 168.206.0.0/16 | NECSA | The Atomic Energy Board | The Atomic Energy Board | gerrie.van.huysteen@atomicenergyboard.co.za |
| 155.159.0.0/16 | Safmarine / Maersk | Safren Computer Services | Safren Computer Services | eziervogel@safrencomputerservices.za.com |
| 164.155.0.0/16 | Sentrachem Limited | Sentrachem Limited | Sentrachem Limited | [email protected] |
| 163.197.0.0/16 | Anglo American | Anglo American | Anglo American | [email protected], [email protected] |
| 196.15.64.0/18 | AT&T | Trafex | Trafex | [email protected], [email protected] |
| 163.198.0.0/16 | Dow Agrosciences | Agrihold | Agrihold | [email protected] |
| 164.88.0.0/16 | Independent Media / Sekunjalo | Argus Holdings | Argus Holdings | [email protected] |

Blank cells continue the row above: the prefixes listed without an owner belong to the same owner and carry the same contact details as the preceding entry.

PAIA requests

WHOIS queries of the registration information of the domain names listed above showed that they had all been registered through Register Domain (registerdomain.co.za).

A handful of domains listed Domains.co.za and DNS.net.za as the registrar, but MyBroadband was able to establish that those had also been registered through Register Domain, as it is a reseller for Domains.co.za and DNS.net.za.

During the course of our investigation, several of these domains were transferred to GoDaddy.

MyBroadband filed Promotion of Access to Information Act (PAIA) requests with Register Domain, Domains.co.za, and GoDaddy.

GoDaddy declined to provide any information on the individuals who were paying for these domain registrations.

“We take our customer privacy very seriously and have a strict privacy policy against releasing their information. If you believe one of our customers is abusing our system, we encourage you to file a report. We will make sure it gets investigated,” stated Selina Bieber, the Senior Regional Director for Turkey, MENA and South Africa at GoDaddy.

“If you would like more information on who registered domain names and what payment was used, we will need a subpoena from a court in order to provide that information,” Bieber said.

The two men behind the bogus domains and emails

MyBroadband received information from an industry source that all of the domains listed above were registered with the same account, using the name of Louise Mony from Affiliated Computing Services and the e-mail address [email protected].

Following an investigation into these aliases, two names once again popped up: Maikel Uerlings and Elad Cohen.

A quick search on Google revealed that a user calling himself “shark95763” once asked for help on a public forum in 2007 to troubleshoot a problem with a Microsoft Exchange 2003 email server. The post repeatedly refers to [email protected] and [email protected].

MyBroadband learned from the industry source that a man named Maikel Uerlings, a Dutch national, made payments for the above domain registration and hosting services using a PayPal account that uses an @inspiringnetworks.com email address.

Inspiring Networks is Uerlings’ network services company. The company website lists Uerlings as its sole director.

Several Gmail addresses were also linked to Uerlings via the Louise Mony account that registered all these domains:

In addition, the following email addresses used elsewhere in the AFRINIC WHOIS database were also sub-contacts of the Louise Mony account:

Also of interest is that Louise Mony’s record in the AFRINIC WHOIS database (LM34-AFRINIC) contains the name “Elad Cohen”.

While the networkandinformationtechnology.com domain was listed under a profile linked to Maikel Uerlings, the source informed MyBroadband that a man named Elad Cohen submitted a ticket to transfer the domain from Register Domain to GoDaddy.

Cohen operates a network services company called Netstyle A. Ltd, with a physical address listed in Israel.

According to the source, several of the domains listed above also appeared in a profile bearing Elad Cohen’s name and email address, [email protected]. The domains were as follows:

  • dois.capetown
  • linkdatagroup.co.za
  • agrihold.co.za
  • trafex.co.za
  • noc-is.co.za
  • megaplastics.joburg
  • safrencomputerservices.za.com
  • noc-nampak.co.za
  • aecibbs.co.za
  • atomicenergyboard.co.za
  • affiliatedcomputingservices.co.za

MyBroadband was also able to establish that one of Maikel Uerlings’ email addresses is the backup email address for [email protected]. This is shown in the screenshot below.

The backup email address in question is [email protected], the same address Uerlings has been using to communicate with MyBroadband.

Right of reply: Elad Cohen

MyBroadband asked Maikel Uerlings, Elad Cohen, and AFRINIC for comment regarding the registration and use of these domains in the WHOIS records of allegedly misappropriated legacy IP address blocks.

Cohen previously told MyBroadband that he legitimately purchased blocks of legacy IP addresses from within the AFRINIC region at great cost.

We asked Cohen why he did not use his real name for the contact information of these IP address blocks in the AFRINIC WHOIS database. We also asked him what his business relationship is with Maikel Uerlings.

He denied that he is in business with Maikel Uerlings and said that our questions were based on false assumptions.

He also continued to decline to provide documents to prove that he bought the legacy IP address blocks in question from the previous owners.

Cohen previously said that he would show the legal documents in any court and that they “are with the USA lawyer involved”.

Right of reply: Maikel Uerlings

When MyBroadband previously asked Uerlings specifically about the Trafex (196.15.64.0/18) and Columbus Stainless (160.115.0.0/16) blocks he said that he never bought them. He said he leased the 160.115.0.0/16 block from a company called Connectivity Internet.

However, the information provided to MyBroadband suggests that Uerlings himself registered the connectivityinternet.co.za domain.

It should also be noted that the Columbus Stainless block (160.115.0.0/16) had its name changed in the AFRINIC WHOIS database to “Infinite-Telecom LTD” on 28 November 2016, with the administrative and technical contact set to [email protected].

The information provided to MyBroadband suggests that Uerlings also registered the domain infinite-telecom.co.za.

The name and contact information on the Columbus Stainless block was changed to Connectivity Internet on 4 January 2017.

Columbus Stainless reclaimed ownership of the block on 3 March 2020.

Uerlings did not respond by the time of publication.

Right of reply: AFRINIC

MyBroadband asked AFRINIC for comment and the organisation thanked us for providing it with the information contained in this article.

AFRINIC CEO Eddy Kayihura explained that, when it comes to legacy resources, changes in the WHOIS database can either be done by anyone with the maintainer password of a block or by a staff member upon the user’s request and after due diligence is conducted on the documentation the user must provide to execute such a request.

“At this point however we are not yet in a position to comment further to avoid causing prejudice to an ongoing investigation,” Kayihura said.

“Besides, where the custodianship of these resources appears to be in dispute, AFRINIC encourages both parties to resolve the issue of custodianship between themselves or through competent authorities before any changes are made on its WHOIS database.”

AFRINIC is currently embroiled in a legal battle with Elad Cohen in Mauritius, where the Internet registry is headquartered.

The details of the case have thus far been kept secret from the general public, which MyBroadband has been told is standard practice in Mauritius.

AFRINIC and Cohen have declined to provide the details of the case, and the Judicial Library in Mauritius has not responded to our requests for the court documents.

AFRINIC has stated that it has undertaken a comprehensive and stringent audit of its WHOIS database.

“The detailed results from this audit will be available at the end of the year. The audit covers all existing allocations in the AFRINIC WHOIS database. We are investigating all the IPv4 space that has ever been allocated to or by AFRINIC right back to the beginning of AFRINIC’s operations in 2005,” the organisation said.

In the meantime, AFRINIC said that it has reclaimed around a million of the IP addresses that were stolen from its free pool.

It has also placed several legacy IP address blocks in quarantine. These are noted in the table below.

“These resources will remain locked until the original holder contacts AFRINIC to claim them,” the organisation stated.

South Africa’s compromised legacy IP addresses — Internet resources worth over R540 million

The following table summarises the legacy IPv4 address blocks that Guilmette identified as likely being stolen due to their WHOIS records being tampered with.

It also shows the estimated value and current status of the legacy blocks in question.

The column labelled “WHOIS status” indicates whether a block has been quarantined by AFRINIC, reclaimed by the entity which AFRINIC believes is its rightful owner, or has remained unchanged since our investigation began.

The column labelled “Routing status” shows — broadly speaking — if an IP address block is being used.

For a detailed break-down of how Guilmette and MyBroadband established who the owners of a block might be, see the first article we published in this ongoing investigation: The big South African IP address heist – How millions are made on the “grey” market.

| IP address block(s) | Likely / confirmed owner | Previous registration | Estimated value | WHOIS status | Routing status |
|---|---|---|---|---|---|
| 192.96.146.0/24 | Nedbank | CGHB | R80,128 | Reclaimed – Nedbank | No BGP routes |
| 198.54.232.0/24 * | Link Data Solutions | Link Data Group | R80,128 | AFRINIC quarantined | No BGP routes |
| 196.16.0.0/14 | SITA | Infoplan / NAIT | R82,852,352 | Unchanged | Active route squatters: IP Volume, others (RADb: Netstyle) |
| 196.4.36.0/22 | | | | | No BGP routes |
| 196.4.40.0/22 | | | | | |
| 196.4.44.0/23 | | | | | |
| 196.9.0.0/16 | T-Systems | Arivia | R20,512,768 | Reclaimed – T-Systems | Routed by T-Systems |
| 196.10.64.0/19 | Nampak | Nampak | R23,317,248 | AFRINIC quarantined | Active route squatter: QT Inc. (196.10.64.0/24) |
| 196.10.61.0/24 | | | | | No BGP routes |
| 196.10.62.0/23 | | | | | |
| 160.121.0.0/16 | Mega Plastics | | | Unchanged | Active route squatter: Clayer/ASLine |
| 155.235.0.0/16 | Afrox / Linde Group | Afrox MIS | R20,512,768 | Reclaimed – Afrox/Linde | Active route squatters |
| 152.108.0.0/16 | Liquid Telecom | Transtel | R20,512,768 | Reclaimed – Liquid Telecom | Routed by Liquid and MTN |
| 155.237.0.0/16 | Sasol | Sasol | R41,025,536 | Reclaimed – Sasol | Routed by Internet Solutions |
| 169.129.0.0/16 | | | | | No BGP routes |
| 165.25.0.0/16 | City of Cape Town | Directorate of Information Services | R20,512,768 | Reclaimed – CoCT | No BGP routes |
| 160.122.0.0/16 | Trentyre / Goodyear | Tredcor | R20,512,768 | Reclaimed – Trentyre and Goodyear | Routed by Clayer Limited |
| 168.80.0.0/15 | DXC Technology | AECI Information Services | R41,025,536 | Unchanged – DXC claims ownership | Active route squatters |
| 165.3.0.0/16 | Woolworths | Wooltru | R61,538,304 | Reclaimed – Woolworths | Active route squatters |
| 165.4.0.0/16 | | | | | Routed by Internet Solutions |
| 165.5.0.0/16 | | | | | Routed by Telkom and Woolworths |
| 160.115.0.0/16 | Columbus Stainless | Infinite Telecoms / Connectivity Internet | R20,512,768 | Reclaimed – Columbus Stainless | No BGP routes |
| 168.76.0.0/16 | Free State Education Department | Free State Education Department | R20,512,768 | Unchanged | Active route squatter: Clayer Limited |
| 160.116.0.0/16 | Affiliated Computing Services | Affiliated Computing Services | R20,512,768 | Unchanged | Active route squatters, incl. Netstyle (RADb: [email protected]) |
| 168.206.0.0/16 | NECSA | The Atomic Energy Board | R20,512,768 | Unchanged | Active route squatters: Clayer/ASLine |
| 155.159.0.0/16 | Safmarine / Maersk | Safren Computer Services | R20,512,768 | Unchanged | Active route squatter: Clayer/ASLine (IRR: [email protected]) |
| 164.155.0.0/16 | Sentrachem Limited | Sentrachem Limited | R20,512,768 | Unchanged | Active route squatters, incl. Internet Keeper |
| 163.197.0.0/16 | Anglo American | Anglo American | R20,512,768 | Unchanged | Active route squatters, incl. Citis Cloud |
| 196.15.64.0/18 | AT&T | Trafex | R5,128,192 | Unchanged | Active squatters, incl. Network Dedicated SAS (IRR: inspiringnetworks.com) |
| 163.198.0.0/16 | Dow Agrosciences | Agrihold | R20,512,768 | Unchanged | Active squatters, incl. Network Dedicated SAS (IRR: [email protected]) |
| 164.88.0.0/16 | Independent Media / Sekunjalo | Argus Holdings | R20,512,768 | AFRINIC quarantined | Active route squatters, incl. Clayer/ASLine |

Blank cells continue the row above; the estimated value on the first line of such a group covers all the prefixes in it.

* Linkdata Solutions appears to have been shut down in 2007.

The price of an IPv4 address

IP addresses are numbers assigned to devices on the Internet that allow them to communicate with each other. Older, but still widely used, IP version 4 (IPv4) addresses take the form of four numbers between 0 and 255 separated by full stops.

For example, one of the IPv4 addresses that google.com points to in South Africa is 172.217.170.14.

The reason IPv4 addresses have grown so expensive on the open market is that they are in short supply.

When you take into account special “reserved” addresses, there are only around 3.7 billion public IPs, and there is effectively no way to get your hands on one without buying or leasing it from someone else nowadays.

A new standard called IPv6 stands ready to make this reseller market obsolete, as it has room for 340 undecillion addresses. That’s 340 with 36 zeroes behind it.

However, IPv6 has not yet been adopted widely enough, which means the reseller market for IPv4 addresses will be going strong for a few years yet.

Based on feedback from people in the industry, the price of a single IP address is over $20 (US).

In May 2019, Krebs on Security reported that criminal charges were brought against one alleged fraudster who had scammed his way into controlling 735,000 IP addresses that are administered by the American Registry for Internet Numbers.

His last sale, which was blocked in 2018, would have been for 327,680 IP addresses at $19 per address, for a total of $6.23 million. The price of an IP address has only increased in the years since then.

The estimates in this article are based on a price of $20 per IP address, at an exchange rate of R15.65 per US dollar.
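The valuations in the tables above follow directly from the prefix lengths: a /24 covers 256 addresses, a /16 covers 65,536, and each address is priced at $20 × R15.65 = R313. The script below is an added example, not MyBroadband's own calculation; it takes the rates from this article and the prefixes from the tables, and uses Python's standard ipaddress module to count addresses.

```python
"""Reproduce the article's rand valuation of legacy IPv4 blocks from their prefixes.

Added example, not MyBroadband's own calculation code. Rates are the ones the
article states ($20 per address, R15.65 per US dollar); the prefixes in
TABLE_ROWS are copied from the article's tables.
"""
from decimal import Decimal
from ipaddress import ip_network

PRICE_USD_PER_IP = Decimal("20")
ZAR_PER_USD = Decimal("15.65")


def is_valid_prefix(prefix):
    """True if the prefix is well-formed with no host bits set.

    strict=True rejects e.g. 196.10.61.0/23 (61 is odd, so the network
    address is not aligned to a /23); it catches transcription errors
    before they inflate or deflate a valuation.
    """
    try:
        ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def address_count(prefixes):
    """Total number of addresses covered by a list of CIDR prefixes."""
    return sum(ip_network(p, strict=True).num_addresses for p in prefixes)


def estimated_value_zar(prefixes, price_usd=PRICE_USD_PER_IP, rate=ZAR_PER_USD):
    """Whole-rand value of the prefixes at the given price and exchange rate.

    Decimal keeps 20 * 15.65 exactly 313; float arithmetic would not.
    """
    return int(address_count(prefixes) * price_usd * rate)


def rand(value):
    """Format a rand amount the way the tables do, e.g. R20,512,768."""
    return f"R{value:,}"


# Rows from the article's second table; grouped rows share one valuation.
TABLE_ROWS = {
    "Nedbank": ["192.96.146.0/24"],
    "SITA": ["196.16.0.0/14", "196.4.36.0/22", "196.4.40.0/22", "196.4.44.0/23"],
    "T-Systems": ["196.9.0.0/16"],
    "Nampak": ["196.10.64.0/19", "196.10.61.0/24", "196.10.62.0/23"],
    "Sasol": ["155.237.0.0/16", "169.129.0.0/16"],
    "DXC Technology": ["168.80.0.0/15"],
    "Woolworths": ["165.3.0.0/16", "165.4.0.0/16", "165.5.0.0/16"],
    "AT&T (Trafex)": ["196.15.64.0/18"],
}

if __name__ == "__main__":
    for owner, prefixes in TABLE_ROWS.items():
        print(f"{owner}: {address_count(prefixes):,} addresses = "
              f"{rand(estimated_value_zar(prefixes))}")
```

At these rates the figures in the table follow for every row except Nampak: its three listed prefixes cover 8,960 addresses, which comes to R2,804,480 rather than the R23,317,248 shown, so that row was either valued on a different set of prefixes or carries a transcription error. The Mega Plastics row lists no value at all.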
