December 11, 2019

A top executive at the nonprofit entity responsible for doling out chunks of Internet addresses to businesses and other organizations in Africa has resigned his post following accusations that he secretly operated several companies which sold tens of millions of dollars worth of the increasingly scarce resource to online marketers. The allegations stemmed from a three-year investigation by a U.S.-based researcher whose findings shed light on a murky area of Internet governance that is all too often exploited by spammers and scammers alike.

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IP can fetch between $15-$25 on the open market. This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

Perhaps the most dogged chronicler of this trend is California-based freelance researcher Ron Guilmette, who since 2016 has been tracking several large swaths of IP address blocks set aside for use by African entities that somehow found their way into the hands of Internet marketing firms based in other continents.

Over the course of his investigation, Guilmette unearthed records showing many of these IP addresses were quietly commandeered from African businesses that are no longer in existence or that were years ago acquired by other firms. Guilmette estimates the current market value of the purloined IPs he’s documented in this case exceeds USD $50 million.

In collaboration with journalists based in South Africa, Guilmette discovered tens of thousands of these wayward IP addresses that appear to have been sold off by a handful of companies founded by the policy coordinator for The African Network Information Centre (AFRINIC), one of the world’s five regional Internet registries which handles IP address allocations for Africa and the Indian Ocean region.

That individual — Ernest Byaruhanga — was only the second person hired at AFRINIC back in 2004. Byaruhanga did not respond to requests for comment. However, he abruptly resigned from his position in October 2019 shortly after news of the IP address scheme was first detailed by Jan Vermeulen, a reporter for the South African tech news publication Mybroadband.co.za who assisted Guilmette in his research.

KrebsOnSecurity sought comment from AFRINIC’s new CEO Eddy Kayihura, who said the organization was aware of the allegations and is currently conducting an investigation into the matter.

“Since the investigation is ongoing, you will understand that we prefer to complete it before we make a public statement,” Kayihura said. “Mr. Byaruhanga’s resignation letter did not mention specific reasons, though no one would be blamed to think the two events are related.”

Guilmette said the first clue he found suggesting someone at AFRINIC may have been involved came after he located records suggesting that official AFRINIC documents had been altered to change the ownership of IP address blocks once assigned to Infoplan (now Network and Information Technology Ltd), a South African company that was folded into the State IT Agency in 1998.

“This guy was shoveling IP addresses out the backdoor and selling them on the streets,” said Guilmette, who’s been posting evidence of his findings for years to public discussion lists on Internet governance. “To say that he had an evident conflict of interest would be a gross understatement.”

For example, documents obtained from the government of Uganda by Guilmette and others show Byaruhanga registered a private company called ipv4leasing after joining AFRINIC. Historic WHOIS records from domaintools.com [a former advertiser on this site] indicate Byaruhanga was the registrant of two domain names tied to this company — ipv4leasing.org and .net — back in 2013.

Guilmette and his journalist contacts in South Africa uncovered many instances of other companies tied to Byaruhanga and his immediate family members that appear to have been secretly selling AFRINIC IP address blocks to just about anyone willing to pay the asking price. But the activities of ipv4leasing are worth a closer look because they demonstrate how this type of shadowy commerce is critical to operations of spammers and scammers, who are constantly sullying swaths of IP addresses and seeking new ones to keep their operations afloat.

Historic AFRINIC record lookups show ipv4leasing.org tied to at least six sizable blocks of IP addresses that once belonged to a now defunct company from Cameroon called ITC that also did business as “Afriq*Access.”

In 2013, anti-spam group Spamhaus.org began tracking floods of junk email originating from this block of IPs that once belonged to Afriq*Access. Spamhaus says it ultimately traced the domains advertised in those spam emails back to Adconion Direct, a U.S.-based email marketing company that employs several executives who are now facing federal criminal charges for allegedly paying others to hijack large ranges of IP addresses used in wide-ranging spam campaigns.

Anyone interested in a deeper dive on Guilmette’s years-long investigation — including the various IP address blocks in question — should check out MyBroadband’s detailed Dec. 4 story, How Internet Resources Worth R800 Million (USD $54M) Were Stolen and Sold on the Black Market.


30 thoughts on “The Great $50M African IP Address Heist”

  1. The Sunshine State

    I see this type of spam abuse coming out of Kenya at least once a month now

    Just today alone, from this shady company

    Mafraq Enterprises
    Mafraq Enterprises LTD: Ground Floor, Popman House, Off
    Moi Avenue Mafraq Enterprises LTD: Ground Floor, Popman House,
    Off Moi Avenue
    Nairobi Nairobi Area 00100
    Kenya

    1. Bart

      Does “Off Moi Avenue” mean around back opposite the dumpster?

      1. A-Team&T

        Street addresses like that are common in many countries.

  2. Dean

    Speaking on scarce IPv4 IPs, 13 years ago I worked for a School District that owned an entire class B. They fought tooth and nail to keep it too.

    I do not know if they still have it but if they do, they really need to move to the private IPs.

    1. JCitizen

      Maybe they consider it a good investment for the district schools, that they can sell when tax payers aren’t willing to vote for mill levy increases.

  3. RoyceP

    Time to revoke allocations of Larus (aka Cloudinnovation), the largest company who have been abusing AFRINIC IP blocks.

    1. BrianKrebs Post author

      You mean Chad Abizeid. Sub-allocations went to Laksh Cyber Security, which I mentioned in a story this summer about a guy who apparently tricked AT&T into giving up a whole mess of mobile data IPs

      https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/

      196.53.136.0/21
      196.53.148.0/22
      196.55.33.0/24
      196.55.176.0/20

      organisation: ORG-LWI1-AFRINIC
      org-name: LogicWeb Inc
      org-type: EU-PI
      country: ZA
      address: 4509 Steeplechase Dr.
      address: Easton PA, USA 18040
      phone: tel:+1-877-564-4293
      fax-no: tel:+1-718-841-7124
      e-mail: noc@logicweb.com
      e-mail: chad@logicweb.com
      admin-c: CA12-AFRINIC
      tech-c: CA12-AFRINIC
      mnt-ref: AFRINIC-HM-MNT
      mnt-ref: LOGICWEB-MNT
      notify: hostmaster@afrinic.net
      mnt-by: AFRINIC-HM-MNT
      changed: hostmaster@afrinic.net 20121005
      source: AFRINIC

      person: Chad Abizeid
      address: 4509 Steeplechase Dr.
      address: Easton, PA 18040
      phone: tel:+1-866-611-1556
      e-mail: noc@logicweb.com
      nic-hdl: CA19-AFRINIC
      notify: chad@logicweb.com
      mnt-by: GENERATED-V2TU2EAHTH8G0OOAAOXPGH35YRHYYDTO-MNT
      changed: chad@logicweb.com 20131129
      source: AFRINIC

        1. SeymourB

          Not particularly interesting, just another prosperity gospel devotee.

          1. Catwhisperer

            Rather interesting actually. Looks can be deceiving but he has the mien of a member of the French COS, Mossad, or Seals. Sometimes the truth is best hid in plain sight…

  4. johans

    Cases like this show how urgently we need the full adoption of IPv6.

      1. ipchains1

        If there’s a (nearly) unlimited supply, the value of any individual address is (nearly) zero. Hence no bother, it would be like a heist to steal air.

  5. DavidD

    That there are “dormant” IPs in the scarce IPv4 address space is a subject that deserves more discussion.

    1. Readership1

      There is no scarcity. It’s a canard used to inflate costs, like it’s done in the diamond market. Universities and a handful of companies are sitting on millions of IP addresses that they’d never use for their own networks, holding out for a future sale once the prices increase further. All that’s necessary is for it to be taken from them or for them to be forced to sell now, and there will be a glut in the market.

  6. MikeOh Shark

    My ISP doesn’t appear to support ipv6 so I have it disabled on my router and firewalled via ip6tables.

    There doesn’t seem to be many good articles on how to properly firewall ipv6 and prevent data exfiltration. With ipv4, I have rules to block those attempting to connect to more than two ports, country blocks, and blocks for known cryptominers. I’d consider ipv6 but only after getting better information and lots of homework.

    1. ipchains1

      You can think of it exactly the same way you do ipv4 when it comes to sensible firewall rules. Just because it doesn’t have NAT to explicitly limit ingress doesn’t mean you can’t apply a simple stateful rule accomplishing the same. The other rules are no different, blocking common abusers at the source, and common weak spots. It’s just a different set of numbers for the same purpose.

  7. Electron 007

    Stop the politics of obstruction and move on to IPv6 already.

    It has been ready since the 1990s, and the owners, holders and tenants of historic IPv4 addresses have already lost their political investments in the artificial scarcity of a contrived electronic resource.

    1. Catwhisperer

      Artificial scarcity? Are you mathematically challenged? What is 256 to the fourth power? It is a large but finite number. IPv6 is 65536 raised to the eighth power. The address space difference is 64 bits in IPv4 to 128 bits in IPv6… To put that number in perspective, if we have 6 billion humans on the planet, they would have to have approximately 6×10^28 devices before they would run out of addresses. So there is nothing artificial about the IPv4 limitation…

  8. anony mouse

    Do you think Microsoft was duped in the same way when they purchased the block of LACNIC addresses for use in the U.S.?

  9. old journal

    These types of shenanigans were resolved in the 1870s with gunfighters, so I have read.

  10. Marco Belmonte

    When Ron rolls heads roll. (say that three times)

    Thank you Ron and to the other good guys out there spending their own time and resources fighting the good fight.

    For those reading this right now that are involved in the same kind of scheme(s) as this AFRINIC executive the message should be obvious: white hat > black hat.

  11. Nick Morgan

    North Carolina USA crime organization has been involved in a 150 million identity theft embezzlement plot.
    FBI and US Department of Treasury notified of identity theft impersonation of J. B. Hunt transportation heir near Cleveland County NC.

  12. Reward Offer

    Representatives of Towery Maurice Burris are offering the largest reward in North Carolina USA history. The enormous reward is offered for asset recovery. In 2013 and 2014 Towery Burris was recognized for receiving the largest trust and inheritance in modern US history. He was introduced to financial institutions in the US and United Arab Emirates as JmB Hunt jr in recognition of his grandfather Johnny Bryan Hunt. He reportedly acquired interest in Burj Arab and Emirates Airlines.
