The Great African IP Address Heist – South African Internet resources worth R558 million usurped with shady domains
New information uncovered by MyBroadband, together with Internet investigator Ron Guilmette, has linked two men to bogus e-mail addresses found in the records of misappropriated South African Internet resources.
This follows an investigation into the apparent theft of swaths of valuable African Internet Protocol (IP) address space, said to be worth millions of dollars on the reseller market.
One part of the investigation uncovered how an insider misappropriated several large IP address blocks from the African Network Information Centre (AFRINIC), the very organisation entrusted to safeguard and maintain the integrity of the ownership database for Africa’s IP address space.
The investigation found that at least one insider stole blocks of IP address space from AFRINIC’s own free pool — the addresses that the organisation holds in trust to give out to people or organisations that legitimately qualify to receive IP address space under its rules.
This insider helped himself to these unassigned IP addresses and sold them on the black market.
Since publishing our report a year ago, AFRINIC has summarily dismissed the insider in question and has taken back a significant proportion of the IP address blocks that were stolen from its free pool.
“Legacy” South African IP address blocks with bogus e-mail contact info
Another part of our investigation involved address assignments referred to as “legacy” IP address blocks.
These blocks of addresses are particularly valuable because they do not attract AFRINIC’s annual fees, as they were assigned to companies, organisations, and government agencies in the early days of the Internet before AFRINIC existed.
While combing through Africa’s IP address space in an unrelated investigation, Guilmette discovered that various legacy IP address blocks that appeared to belong to South African companies and government entities were being routed by overseas network operators rather than local ones.
On its own, this would have pointed to what is known as “route squatting”, where an unauthorised operator announces, or “squats” on, a block of IP addresses that does not belong to it.
However, a closer inspection of the IP address blocks in question through AFRINIC’s public WHOIS database revealed that their ownership records had been manipulated.
WHOIS, a contraction of “who is”, is a type of database that stores information about Internet resources. It is commonly associated with domain names like mybroadband.co.za, but regional Internet registries like AFRINIC also maintain public WHOIS databases to track the ownership of IP address blocks.
If you think of IP addresses as online property, or Internet real estate, then AFRINIC’s WHOIS database is like the deeds office for the whole African region.
Guilmette believed that he had uncovered evidence that the title deeds to some of Africa’s most valuable Internet resources had been tampered with.
Among other concerning changes, Guilmette noticed that the e-mail contact information of various South African legacy IP address blocks had been changed to new, misleading e-mail addresses.
For example, a block of IP addresses registered to Sasol, but which was being routed by the US-based Cogent Communications, had a former employee named Riaan Kotze as the listed contact. However, the e-mail address on file was a Gmail address ([email protected]), which is odd for a large listed company with its own domain (sasol.com).
Other examples were far more overt, such as a block of IP addresses registered to Transnet with an e-mail address of [email protected]. However, when you actually visited the transtel.co.za website you were redirected to lv.net, the website of a Las Vegas-based Internet service provider.
In other words, these domains and e-mail addresses were identified as “shady”, “bogus”, or “phoney” because they are misleading: dois.capetown has nothing to do with the City of Cape Town, transtel.co.za has nothing to do with the former Transtel, Transnet, Neotel, or Liquid Telecom, and noc-nampak.co.za has nothing to do with Nampak.
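As an added example, and not code from MyBroadband or AFRINIC, the following Python performs the kind of check described above against a WHOIS record: it parses the registry’s objects, pulls the e-mail address of every listed contact, and flags contacts on a webmail provider or on a domain that is not the organisation’s own. The record is a constructed sample in RPSL, the plain-text object format AFRINIC’s WHOIS server returns; the block (a documentation range), netname, handles, names and addresses are invented for illustration, and the organisation’s real domain is supplied by the caller, as the reporters did when comparing the Sasol contact against sasol.com.

```python
"""Audit an RIR inetnum record for the warning signs discussed above.

Added example, not MyBroadband's or AFRINIC's code. SAMPLE_WHOIS is a
constructed RPSL response: the prefix is a documentation range and the
netname, handles, names and e-mail addresses are illustrative.
"""
import re

# Constructed sample: one inetnum object and the two person objects it references.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-CORP-NET
descr:          Example Corporation (Pty) Ltd
country:        ZA
admin-c:        EC1-AFRINIC
tech-c:         EC2-AFRINIC
status:         ASSIGNED PI
mnt-by:         EXAMPLE-MNT
last-modified:  2017-01-04T10:12:00Z
source:         AFRINIC

person:         Example Admin
address:        Johannesburg, South Africa
phone:          +27 11 000 0000
e-mail:         example.admin@gmail.com
nic-hdl:        EC1-AFRINIC
mnt-by:         EXAMPLE-MNT
source:         AFRINIC

person:         Example Tech
address:        Johannesburg, South Africa
phone:          +27 11 000 0001
e-mail:         ops@noc-examplecorp.co.za
nic-hdl:        EC2-AFRINIC
mnt-by:         EXAMPLE-MNT
source:         AFRINIC
"""

# Webmail providers: an organisation with its own domain has no reason to
# register the contact for an address block on one of these.
FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com",
                     "outlook.com", "protonmail.com"}


def parse_rpsl(text):
    """Split a WHOIS response into objects (blank-line separated) of key -> [values].

    Attributes may repeat (several e-mail: lines, for instance), so every value
    is kept in a list. Comment lines starting with % or # are skipped."""
    objects = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in chunk.splitlines():
            if not line.strip() or line.lstrip().startswith(("%", "#")):
                continue
            key, sep, value = line.partition(":")
            if sep:
                obj.setdefault(key.strip().lower(), []).append(value.strip())
        if obj:
            objects.append(obj)
    return objects


def record_summary(text):
    """The inetnum fields an investigator compares against the historical owner."""
    inetnum = next(o for o in parse_rpsl(text) if "inetnum" in o)
    return {k: inetnum.get(k, [""])[0]
            for k in ("inetnum", "netname", "descr", "mnt-by", "last-modified")}


def audit_contacts(text, expected_domain):
    """Return (role, handle, e-mail, reason) for every suspicious contact address.

    expected_domain is the organisation's real domain (taken from its own
    website, for example); any other domain, look-alikes included, is reported."""
    objects = parse_rpsl(text)
    inetnum = next(o for o in objects if "inetnum" in o)
    persons = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    expected = expected_domain.lower()
    findings = []
    for role in ("admin-c", "tech-c"):
        for handle in inetnum.get(role, []):
            for email in persons.get(handle, {}).get("e-mail", []):
                domain = email.rsplit("@", 1)[-1].lower()
                if domain in FREE_MAIL_DOMAINS:
                    findings.append((role, handle, email, "free-mail provider address"))
                elif domain != expected and not domain.endswith("." + expected):
                    findings.append((role, handle, email,
                                     f"contact domain {domain} is not {expected}"))
    return findings


if __name__ == "__main__":
    print(record_summary(SAMPLE_WHOIS))
    for finding in audit_contacts(SAMPLE_WHOIS, "example.com"):
        print(*finding, sep=" | ")
```

Run as a script it prints the summary fields and two findings, one for the Gmail contact and one for the look-alike domain. The mismatch test is only as good as the domain you trust: a domain such as transtel.co.za passes if you accept it as the organisation’s own, which is why the next step in the investigation was to look up who registered the domains themselves, a live registrar lookup that this offline check does not make.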
Valuable Internet resources stolen from Africa
This manipulation of the AFRINIC WHOIS database using phoney domains and e-mail addresses led Guilmette to conclude that the IP address blocks in question were not merely being squatted on, but had been stolen by someone who hoped to profit from them.
The following table lists the legacy IP address blocks, along with their current registered owner, the historical owner, and the contact information in the WHOIS database that made it suspicious.
It also lists the company or government entity that our investigation identified as the most likely owner of an IP address block. Several institutions have already confirmed that they are the owners of the blocks in question.
Our initial report on this issue, published last year and titled The big South African IP address heist – How millions are made on the “grey” market, has more details on the investigation into the ownership of these blocks.
IP address block(s) | Likely / confirmed owner | Historical owner | Current registered owner | Suspicious AFRINIC WHOIS contact(s) |
---|---|---|---|---|
192.96.146.0/24 | Nedbank | Cape of Good Hope Bank Limited | Nedbank (previously: CGHB) | [email protected], [email protected] |
198.54.232.0/24 | * Link Data Solutions | Link Data Solutions | Link Data Group | [email protected], [email protected] |
196.16.0.0/14 | SITA | Infoplan | Network and Information Technology Limited | info@networkandinformationtechnology.com |
196.4.36.0/22 | SITA | Infoplan | Network and Information Technology Limited | [email protected], info@networkandinformationtechnology.com |
196.4.40.0/22 | SITA | Infoplan | Network and Information Technology Limited | [email protected], info@networkandinformationtechnology.com |
196.4.44.0/23 | SITA | Infoplan | Network and Information Technology Limited | [email protected], info@networkandinformationtechnology.com |
196.9.0.0/16 | T-Systems | Arivia | T-Systems | [email protected] |
196.10.64.0/19 | Nampak | Nampak | Nampak | [email protected] |
196.10.61.0/24 | Nampak | Nampak | Nampak | [email protected] |
196.10.62.0/23 | Nampak | Nampak | Nampak | [email protected] |
160.121.0.0/16 | Mega Plastics | Mega Plastics | | |
155.235.0.0/16 | Afrox / Linde Group | Afrox MIS | Afrox / Linde Group | [email protected] |
152.108.0.0/16 | Liquid Telecom | Transtel | Transtel | [email protected] |
155.237.0.0/16 | Sasol | Sasol | Sasol | [email protected] |
169.129.0.0/16 | Sasol | Sasol | Sasol | [email protected] |
165.25.0.0/16 | City of Cape Town | Directorate of Information Services (Cape Town) | City of Cape Town | [email protected] |
160.122.0.0/16 | Goodyear | Tredcor | Trentyre | [email protected] |
168.80.0.0/15 | DXC Technology | AECI Information Services | AECI Information Services | [email protected] |
165.3.0.0/16 | Woolworths | Wooltru | Woolworths | [email protected] |
165.4.0.0/16 | Woolworths | Wooltru | Woolworths | [email protected] |
165.5.0.0/16 | Woolworths | Wooltru | Woolworths | [email protected] |
160.115.0.0/16 | Columbus Stainless | Columbus Stainless | Columbus Stainless (formerly: Infinite Telecoms and Connectivity Internet) | hennie.vandermerwe@infinite-telecom.co.za, riaan.kotze@connectivityinternet.co.za |
168.76.0.0/16 | Free State Education Department | Free State Education Department | Free State Education Department | [email protected] |
160.116.0.0/16 | Affiliated Computing Services | Affiliated Computing Services | Affiliated Computing Services | louise.mony@affiliatedcomputingservices.co.za |
168.206.0.0/16 | NECSA | The Atomic Energy Board | The Atomic Energy Board | gerrie.van.huysteen@atomicenergyboard.co.za |
155.159.0.0/16 | Safmarine / Maersk | Safren Computer Services | Safren Computer Services | eziervogel@safrencomputerservices.za.com |
164.155.0.0/16 | Sentrachem Limited | Sentrachem Limited | Sentrachem Limited | [email protected] |
163.197.0.0/16 | Anglo American | Anglo American | Anglo American | [email protected], [email protected] |
196.15.64.0/18 | AT&T | Trafex | Trafex | [email protected], [email protected] |
163.198.0.0/16 | Dow Agrosciences | Agrihold | Agrihold | [email protected] |
164.88.0.0/16 | Independent Media / Sekunjalo | Argus Holdings | Argus Holdings | [email protected] |
PAIA requests
WHOIS queries of the registration information for the domain names listed above showed that they had all been registered through Register Domain (registerdomain.co.za).
A handful of domains listed Domains.co.za and DNS.net.za as the registrar, but MyBroadband was able to establish that those had also been registered through Register Domain, which is a reseller for Domains.co.za and DNS.net.za.
During the course of our investigation, several of these domains were transferred to GoDaddy.
MyBroadband filed Promotion of Access to Information Act (PAIA) requests with Register Domain, Domains.co.za, and GoDaddy.
GoDaddy declined to provide any information on the individuals who were paying for these domain registrations.
“We take our customer privacy very seriously and have a strict privacy policy against releasing their information. If you believe one of our customers is abusing our system, we encourage you to file a report. We will make sure it gets investigated,” stated Selina Bieber, the Senior Regional Director for Turkey, MENA and South Africa at GoDaddy.
“If you would like more information on who registered domain names and what payment was used, we will need a subpoena from a court in order to provide that information,” Bieber said.
The two men behind the bogus domains and emails
MyBroadband received information from an industry source that all of the domains listed above were registered with the same account, using the name of Louise Mony from Affiliated Computing Services and the e-mail address [email protected].
Following an investigation into these aliases, two names once again popped up: Maikel Uerlings and Elad Cohen.
A quick search on Google revealed that a user calling himself “shark95763” once asked for help on a public forum in 2007 to troubleshoot a problem with a Microsoft Exchange 2003 email server. The post repeatedly refers to [email protected] and [email protected].
MyBroadband learned from the industry source that a man named Maikel Uerlings, a Dutch national, made payments for the above domain registration and hosting services using a PayPal account linked to an @inspiringnetworks.com email address.
Inspiring Networks is Uerlings’ network services company. The company website lists Uerlings as its sole director.
Several Gmail addresses were also linked to Uerlings via the Louise Mony account that registered all these domains:
In addition, the following email addresses used elsewhere in the AFRINIC WHOIS database were also sub-contacts of the Louise Mony account:
Also of interest is that Louise Mony’s record in the AFRINIC WHOIS database (LM34-AFRINIC) contains the name “Elad Cohen”.
While the networkandinformationtechnology.com domain was listed under a profile linked to Maikel Uerlings, the source informed MyBroadband that a man named Elad Cohen submitted a ticket to transfer the domain from Register Domain to GoDaddy.
Cohen operates a network services company called Netstyle A. Ltd, with a physical address listed in Israel.
According to the source, several of the domains listed above also appeared in a profile bearing Elad Cohen’s name and email address, [email protected]. The domains were as follows:
- dois.capetown
- linkdatagroup.co.za
- agrihold.co.za
- trafex.co.za
- noc-is.co.za
- megaplastics.joburg
- safrencomputerservices.za.com
- noc-nampak.co.za
- aecibbs.co.za
- atomicenergyboard.co.za
- affiliatedcomputingservices.co.za
MyBroadband was also able to establish that one of Maikel Uerlings’ email addresses is the backup email address for [email protected]. This is shown in the screenshot below.
The backup email address in question is [email protected], the same address Uerlings has been using to communicate with MyBroadband.
Right of reply: Elad Cohen
MyBroadband asked Maikel Uerlings, Elad Cohen, and AFRINIC for comment regarding the registration and use of these domains in the WHOIS records of allegedly misappropriated legacy IP address blocks.
Cohen previously told MyBroadband that he legitimately purchased blocks of legacy IP addresses from within the AFRINIC region at great cost.
We asked Cohen why he did not use his real name for the contact information of these IP address blocks in the AFRINIC WHOIS database. We also asked him what his business relationship is with Maikel Uerlings.
He denied that he is in business with Maikel Uerlings and said that our questions were based on false assumptions.
He also continued to decline to provide documents to prove that he bought the legacy IP address blocks in question from the previous owners.
Cohen previously said that he would show the legal documents in any court and that they “are with the USA lawyer involved”.
Right of reply: Maikel Uerlings
When MyBroadband previously asked Uerlings specifically about the Trafex (196.15.64.0/18) and Columbus Stainless (160.115.0.0/16) blocks he said that he never bought them. He said he leased the 160.115.0.0/16 block from a company called Connectivity Internet.
However, the information provided to MyBroadband suggests that Uerlings himself registered the connectivityinternet.co.za domain.
It should also be noted that the Columbus Stainless block (160.115.0.0/16) had its name changed in the AFRINIC WHOIS database to “Infinite-Telecom LTD” on 28 November 2016, with the administrative and technical contact set to [email protected].
The information provided to MyBroadband suggests that Uerlings also registered the domain infinite-telecom.co.za.
The name and contact information on the Columbus Stainless block was changed to Connectivity Internet on 4 January 2017.
Columbus Stainless reclaimed ownership of the block on 3 March 2020.
Uerlings did not respond by the time of publication.
Right of reply: AFRINIC
MyBroadband asked AFRINIC for comment and the organisation thanked us for providing it with the information contained in this article.
AFRINIC CEO Eddy Kayihura explained that, when it comes to legacy resources, changes in the WHOIS database can either be done by anyone with the maintainer password of a block or by a staff member upon the user’s request and after due diligence is conducted on the documentation the user must provide to execute such a request.
“At this point however we are not yet in a position to comment further to avoid causing prejudice to an ongoing investigation,” Kayihura said.
“Besides, where the custodianship of these resources appears to be in dispute, AFRINIC encourages both parties to resolve the issue of custodianship between themselves or through competent authorities before any changes are made on its WHOIS database.”
AFRINIC is currently embroiled in a legal battle with Elad Cohen in Mauritius, where the Internet registry is headquartered.
The details of the case have thus far been kept secret from the general public, which MyBroadband has been told is standard practice in Mauritius.
AFRINIC and Cohen have declined to provide the details of the case, and the Judicial Library in Mauritius has not responded to our requests for the court documents.
AFRINIC has stated that it has undertaken a comprehensive and stringent audit of its WHOIS database.
“The detailed results from this audit will be available at the end of the year. The audit covers all existing allocations in the AFRINIC WHOIS database. We are investigating all the IPv4 space that has ever been allocated to or by AFRINIC right back to the beginning of AFRINIC’s operations in 2005,” the organisation said.
In the meantime, AFRINIC said that it has reclaimed around a million of the IP addresses that were stolen from its free pool.
It has also placed several legacy IP address blocks in quarantine. These are noted in the table below.
“These resources will remain locked until the original holder contacts AFRINIC to claim them,” the organisation stated.
South Africa’s compromised legacy IP addresses — Internet resources worth over R540 million
The following table summarises the legacy IPv4 address blocks that Guilmette identified as likely being stolen due to their WHOIS records being tampered with.
It also shows the estimated value and current status of the legacy blocks in question.
The column labelled “WHOIS status” indicates whether a block has been quarantined by AFRINIC, reclaimed by the entity which AFRINIC believes is its rightful owner, or has remained unchanged since our investigation began.
The column labelled “Routing status” shows, broadly speaking, whether an IP address block is being used, and by whom.
For a detailed break-down of how Guilmette and MyBroadband established who the owners of a block might be, see the first article we published in this ongoing investigation: The big South African IP address heist – How millions are made on the “grey” market.
IP address block(s) | Likely / confirmed owner | Previous registration | Estimated value | WHOIS status | Routing status |
---|---|---|---|---|---|
192.96.146.0/24 | Nedbank | CGHB | R80,128 | Reclaimed – Nedbank | No BGP routes |
198.54.232.0/24 | * Link Data Solutions | Link Data Group | R80,128 | AFRINIC quarantined | No BGP routes |
196.16.0.0/14 | SITA | Infoplan / NAIT | R82,852,352 (group total) | Unchanged | Active route squatters: IP Volume, others (RADb: Netstyle) |
196.4.36.0/22 | SITA | Infoplan / NAIT | (in group total above) | Unchanged | No BGP routes |
196.4.40.0/22 | SITA | Infoplan / NAIT | (in group total above) | Unchanged | No BGP routes |
196.4.44.0/23 | SITA | Infoplan / NAIT | (in group total above) | Unchanged | No BGP routes |
196.9.0.0/16 | T-Systems | Arivia | R20,512,768 | Reclaimed – T-Systems | Routed by T-Systems |
196.10.64.0/19 | Nampak | Nampak | R23,317,248 (group total) | AFRINIC quarantined | Active route squatter: QT Inc. (196.10.64.0/24) |
196.10.61.0/24 | Nampak | Nampak | (in group total above) | AFRINIC quarantined | No BGP routes |
196.10.62.0/23 | Nampak | Nampak | (in group total above) | AFRINIC quarantined | No BGP routes |
160.121.0.0/16 | Mega Plastics | | | Unchanged | Active route squatter: Clayer/ASLine |
155.235.0.0/16 | Afrox / Linde Group | Afrox MIS | R20,512,768 | Reclaimed – Afrox/Linde | Active route squatters |
152.108.0.0/16 | Liquid Telecom | Transtel | R20,512,768 | Reclaimed – Liquid Telecom | Routed by Liquid and MTN |
155.237.0.0/16 | Sasol | Sasol | R41,025,536 (group total) | Reclaimed – Sasol | Routed by Internet Solutions |
169.129.0.0/16 | Sasol | Sasol | (in group total above) | Reclaimed – Sasol | No BGP routes |
165.25.0.0/16 | City of Cape Town | Directorate of Information Services | R20,512,768 | Reclaimed – CoCT | No BGP routes |
160.122.0.0/16 | Trentyre / Goodyear | Tredcor | R20,512,768 | Reclaimed – Trentyre and Goodyear | Routed by Clayer Limited |
168.80.0.0/15 | DXC Technology | AECI Information Services | R41,025,536 | Unchanged – DXC claims ownership | Active route squatters |
165.3.0.0/16 | Woolworths | Wooltru | R61,538,304 (group total) | Reclaimed – Woolworths | Active route squatters |
165.4.0.0/16 | Woolworths | Wooltru | (in group total above) | Reclaimed – Woolworths | Routed by Internet Solutions |
165.5.0.0/16 | Woolworths | Wooltru | (in group total above) | Reclaimed – Woolworths | Routed by Telkom and Woolworths |
160.115.0.0/16 | Columbus Stainless | Infinite Telecoms / Connectivity Internet | R20,512,768 | Reclaimed – Columbus Stainless | No BGP routes |
168.76.0.0/16 | Free State Education Department | Free State Education Department | R20,512,768 | Unchanged | Active route squatter: Clayer Limited |
160.116.0.0/16 | Affiliated Computing Services | Affiliated Computing Services | R20,512,768 | Unchanged | Active route squatters, incl. Netstyle (RADb: [email protected]) |
168.206.0.0/16 | NECSA | The Atomic Energy Board | R20,512,768 | Unchanged | Active route squatters: Clayer/ASLine |
155.159.0.0/16 | Safmarine / Maersk | Safren Computer Services | R20,512,768 | Unchanged | Active route squatter: Clayer/ASLine (IRR: [email protected]) |
164.155.0.0/16 | Sentrachem Limited | Sentrachem Limited | R20,512,768 | Unchanged | Active route squatters, incl. Internet Keeper |
163.197.0.0/16 | Anglo American | Anglo American | R20,512,768 | Unchanged | Active route squatters, incl. Citis Cloud |
196.15.64.0/18 | AT&T | Trafex | R5,128,192 | Unchanged | Active route squatters, incl. Network Dedicated SAS (IRR: inspiringnetworks.com) |
163.198.0.0/16 | Dow Agrosciences | Agrihold | R20,512,768 | Unchanged | Active route squatters, incl. Network Dedicated SAS (IRR: [email protected]) |
164.88.0.0/16 | Independent Media / Sekunjalo | Argus Holdings | R20,512,768 | AFRINIC quarantined | Active route squatters, incl. Clayer/ASLine |
* Linkdata Solutions appears to have been shut down in 2007.
The price of an IPv4 address
IP addresses are numbers assigned to devices on the Internet that allow them to communicate with each other. The older, but still dominant, IP version 4 (IPv4) addresses take the form of four numbers between 0 and 255 separated by full stops.
For example, one of the IPv4 addresses that google.com points to in South Africa is 172.217.170.14.
The reason IPv4 addresses have grown so expensive on the open market is that they are in short supply.
When you take into account special “reserved” addresses, there are only around 3.7 billion public IPs, and there is effectively no way to get your hands on one without buying or leasing it from someone else nowadays.
A new standard called IPv6 stands ready to make this reseller market obsolete, as it has room for 340 undecillion addresses. That’s 340 with 36 zeroes behind it.
However, IPv6 has not yet been adopted widely enough, which means the reseller market for IPv4 addresses will be going strong for a few years yet.
Based on feedback from people in the industry, the price of a single IP address is over $20 (US).
In May 2019, Krebs on Security reported that criminal charges were brought against one alleged fraudster who had scammed his way into controlling 735,000 IP addresses that are administered by the American Registry for Internet Numbers.
His last sale, which was blocked in 2018, would have been for 327,680 IP addresses at $19 per address, for a total of $6.23 million. The price of an IP address has only increased in the years since then.
The estimates in this article are based on a price of $20 per IP address at an exchange rate of R15.65 per US dollar, which is R313 per address; a single /16 block of 65,536 addresses therefore comes to R20,512,768.
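As an added example, and not MyBroadband’s own calculation, the following Python reproduces the rand valuations in the tables above from the CIDR prefixes on the stated basis, so the per-block and grouped figures can be checked rather than taken on trust. The prefix groups are copied from the tables; in the tables the value shown against the first block of a group covers the whole group.

```python
"""Reproduce the article's rand valuations from CIDR prefixes.

Added example, not MyBroadband's code. It applies the article's stated basis
($20 per address at R15.65 per US dollar) using the standard library's
ipaddress module; the prefix groups below are taken from the tables.
"""
import ipaddress
from decimal import Decimal

USD_PER_ADDRESS = Decimal("20")
ZAR_PER_USD = Decimal("15.65")
ZAR_PER_ADDRESS = USD_PER_ADDRESS * ZAR_PER_USD   # R313.00 per address


def address_count(prefixes):
    """Number of IPv4 addresses covered by a list of CIDR prefixes.

    strict=True makes ipaddress reject a prefix with host bits set (for example
    196.10.61.5/24), which in a block list usually means a typo rather than a
    real allocation, so it is better to fail than to value the wrong block."""
    return sum(ipaddress.ip_network(p, strict=True).num_addresses for p in prefixes)


def estimated_zar(prefixes):
    """Estimated market value in rand on the article's $20 / R15.65 basis."""
    return address_count(prefixes) * ZAR_PER_ADDRESS


# Block groups as they appear in the tables above.
GROUPS = {
    "Nedbank": ["192.96.146.0/24"],
    "SITA": ["196.16.0.0/14", "196.4.36.0/22", "196.4.40.0/22", "196.4.44.0/23"],
    "Sasol": ["155.237.0.0/16", "169.129.0.0/16"],
    "Woolworths": ["165.3.0.0/16", "165.4.0.0/16", "165.5.0.0/16"],
    "Trafex / AT&T": ["196.15.64.0/18"],
}

if __name__ == "__main__":
    for owner, prefixes in GROUPS.items():
        print(f"{owner:14} {address_count(prefixes):>9,} addresses  "
              f"R{estimated_zar(prefixes):,.0f}")
```

The SITA line shows how the grouped figure arises: a /14 (262,144 addresses) plus two /22s and a /23 (2,560 addresses) gives 264,704 addresses, and 264,704 × R313 is the R82,852,352 in the table.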