November 17, 2021

The CEO of a South Carolina technology firm has pleaded guilty to 20 counts of wire fraud in connection with an elaborate network of phony companies set up to obtain more than 735,000 Internet Protocol (IP) addresses from the nonprofit organization that leases the digital real estate to entities in North America.

In 2018, the American Registry for Internet Numbers (ARIN), which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean, notified Charleston, S.C.-based Micfo LLC that it intended to revoke 735,000 addresses.

ARIN said they wanted the addresses back because the company and its owner — 38-year-old Amir Golestan — had obtained them under false pretenses. A global shortage of IPv4 addresses has massively driven up the price of these resources over the years: At the time of this dispute, a single IP address could fetch between $15 and $25 on the open market.

Micfo responded by suing ARIN to try to stop the IP address seizure. Ultimately, ARIN and Micfo settled the dispute in arbitration, with Micfo returning most of the addresses that it hadn’t already sold.

But the legal tussle caught the attention of South Carolina U.S. Attorney Sherri Lydon, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he’d orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.

Each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist. As a result, Lydon was able to charge Golestan with 20 counts of wire fraud — one for each payment made by the phony companies that bought the IP addresses from ARIN.

Amir Golestan, CEO of Micfo.

On Nov. 16, just two days into his trial, Golestan changed his “not guilty” plea, agreeing to plead guilty to all 20 wire fraud charges. KrebsOnSecurity interviewed Golestan about his case at length last year, but he has not responded to requests for comment on his plea change.

By 2013, a number of Micfo’s customers had landed on the radar of Spamhaus, a group that many network operators rely upon to help block junk email. But shortly after Spamhaus began blocking Micfo’s IP address ranges, Micfo shifted gears and began reselling IP addresses mainly to companies marketing “virtual private networking” or VPN services that help customers hide their real IP addresses online.

In a 2020 interview, Golestan told KrebsOnSecurity that Micfo was at one point responsible for brokering roughly 40 percent of the IP addresses used by the world’s largest VPN providers. Throughout that conversation, Golestan maintained his innocence, even as he explained that the creation of the phony companies was necessary to prevent entities like Spamhaus from interfering with his business going forward.

Stephen Ryan, an attorney representing ARIN, said Golestan changed his plea after the court heard from a former Micfo employee and public notary who described being instructed by Golestan to knowingly certify false documents.

“Her testimony made him appear bullying and unsavory,” Ryan said. “Because it turned out he had also sued her to try to prevent her from disclosing the actions he’d directed.”

Golestan’s rather sparse plea agreement (first reported by The Wall Street Journal) does not specify any sort of leniency he might gain from prosecutors for agreeing to end the trial prematurely. But it’s worth noting that a conviction on a single act of wire fraud can result in fines and up to 20 years in prison.

The courtroom drama comes as ARIN’s counterpart in Africa is embroiled in a similar, albeit much larger dispute over millions of African IP addresses. In July 2021, the African Network Information Centre (AFRINIC) took back more than six million IP addresses from Cloud Innovation, a company incorporated in the African offshore entity haven of Seychelles (pronounced, quite aptly — “say shells”).

AFRINIC revoked the addresses — valued at around USD $120 million — after an internal review found that most of them were being used outside of Africa by various entities in China and Hong Kong. Like ARIN, AFRINIC’s policies require those who are leasing IP addresses to demonstrate that the addresses are being used by entities within their geographic region.

But just weeks later, Cloud Innovation convinced a judge in AFRINIC’s home country of Mauritius to freeze $50 million in AFRINIC bank accounts, arguing that AFRINIC had “acted in bad faith and upon frivolous grounds to tarnish the reputation of Cloud Innovation,” and that it was obligated to protect its customers from disruption of service.

That financial freeze has since been partially lifted, but the legal wrangling between AFRINIC and Cloud Innovation continues. The company’s CEO is also suing the CEO and board chair of AFRINIC in an $80 million defamation case.

Ron Guilmette is a security researcher who spent several years tracing how tens of millions of dollars worth of AFRINIC IP addresses were privately sold to address brokers by a former AFRINIC executive. Guilmette said Golestan’s guilty plea is a positive sign for AFRINIC, ARIN and the three other Regional Internet Registries (RIRs).

“It’s good news for the rule of law,” Guilmette said. “It has implications for the AFRINIC case because it reaffirms the authority of all RIRs, including AFRINIC and ARIN.”


23 thoughts on “Tech CEO Pleads to Wire Fraud in IP Address Scheme”

  1. Mike Jackson

    Iranian?….hmmmmm….no foolin’……to paraphrase Frank Zappa from “Camarillo Brillo”…..

  2. an_n

    If he had figured out a way to do this without deliberately lying in the notary process, somehow…
    no wire fraud charges?

    1. Bill

      The Notary process in the US is a joke. In many states you pay the fee and get someone to say you’re a good person in front of a magistrate and *POOF*, you’re a notary.

  3. Rod Fuller

    It’s kind of sad that these obviously bright people think that the only way they can make money is to be unscrupulous. OK, maybe not the only way, but the only way to make ‘huge’ amounts of money. If they put as much effort into legitimate efforts, they probably wouldn’t make quite as much, but they would sure as hell get to keep it longer! And, seriously, when is enough enough $1MM/yr, $200MM/yr???? The average person can live on $50K/yr. I’d think they are bright enough to figure out how to live on $500K/yr. If they can’t then they aren’t as bright as they think they are.

  4. The Sunshine State

    Most hosting companies are now charging about $20 a month for a dedicated IP number nowadays, because of the IP4 shortage

  5. Amino Mann

    If he’s a green card holder, then he can be deported if convicted. He’d probably be a hero back in Iran and treated well if he can continue scamming from there.

    If he’s a US citizen, then he should become a televangelist, after studying the techniques of the masters of con, e.g. Ernest Angley, Peter Popoff, Reverend Ike, Robert Tilton, Jim Bakker and their like. He already has the hair and the wardrobe. He could end up making more than he was making, tax free.

  6. Bryan Curbs

    Why are all these retarded political comments being accepted? Is moderation broke? Half of the comments here are reddit-tier ‘troll’ posts.

  7. Pilgrim

    Thanks to Krebs for the great work. Please keep exposing things like this.

  8. Brian Fiori (AKA The Dean)

    Brian, did you publish the 2020 interview of Golestan? It would be interesting to read. I can’t seem to locate it.

    Thanks

    1. BrianKrebs Post author

      No I did not. Most of the several hours we spoke he spent talking about why it was unfair he was being criminally prosecuted for a matter that was civil and was settled with ARIN. His contention was that ARIN was the only victim here, and that since ARIN settled the matter out of court that should be the end of it.

  9. White Hat Team

    arin et afrinic we see that they have no qualms about helping crooks we must not forget all the others like apnic, lacnic , Ripe ncc , rirns.arin.net , ca -servers.ca , nic.expert , nic.art , dnsowl , ultradns , registrar -servers , cloudflare and etc … And above all we must not forget the hosts selling armored vps like frantech.ca buyvm.net which are used a lot by pedophile forums, zoophiles, phishing sites, botnets and etc … are they all accomplices or not? me on what I could see on their servers I said to myself that it might be time to step up and investigate them!

