735,000 IPv4 addresses were taken from the scammer and returned to the registry




Regional Internet registries and their service areas. The described fraud occurred in the ARIN zone

In the early days of the Internet, IPv4 addresses were handed out to anyone in large subnets. Today, companies queue up at a regional registry to get even a small address space. On the black market, one IP address costs from $13 to $25, so the registries have to fight numerous shadow brokers whose business is simple: obtain new blocks of IP addresses under a false pretext, then resell them to spammers. In May 2019, the regional registry ARIN succeeded in taking IP addresses away from a shadow broker who is facing criminal charges.

About 735,000 IP addresses were returned to the registry. This is the first time that IP addresses have been taken from scammers after a trial.

On May 14, the prosecutor's office of South Carolina charged Amir Golestan with fraud using electronic means of communication (wire fraud), which he carried out through his firm Micfo LLC and a network of dummy companies. These were used to obtain IPv4 subnets, which were then resold to spammers.

The criminal complaint lists 20 cases of fraud. In some cases, the price at which Golestan sold the addresses is indicated. For example, he sold one subnet of 65,536 addresses at $13 per address, receiving $851,896. He had another sale contract for 327,680 addresses at $19 per address, for a total of $6.22 million, but that transaction was blocked.

Interestingly, Micfo itself initiated a lawsuit at the end of last year, suing ARIN (the American Registry for Internet Numbers). Before that, the registry had informed Golestan that it had discovered the dummy companies and threatened to withdraw about 735,000 IP addresses if Micfo did not agree to provide more information about its operations and customers.

Since by that time Micfo had already sold some of the addresses to spammers, it refused to provide this information. As a result, the court rejected the company's request.

But under the agreement Micfo had signed with ARIN, any further dispute had to be resolved through arbitration. On May 13, the arbitration committee ordered Micfo to pay $350,000 for ARIN's legal services and to return the 735,000 IP addresses that the company had not yet sold.

Here is a list of some of the dummy companies and fictitious persons that Golestan fabricated in order to obtain IPv4 subnets (from court documents):


For the companies and fictitious persons, websites were created, email addresses were registered, and so on. Requests for IPv4 subnets were submitted to ARIN on their behalf. In such an application, a company must describe its line of business, list the names of its employees and provide other information about itself. Golestan fabricated all of the documents.

Using this scheme, he acquired approximately 757,760 addresses from ARIN; the prosecutor's office put their market value at between $9,850,880 and $14,397,440. The scheme had been in operation since 2014. The table below lists the successful requests to ARIN for the allocation of IP ranges; Golestan started selling addresses in 2017.


According to the ARIN press release, Micfo registered 11 dummy companies throughout the US and deliberately created false identities for the fictitious heads of these companies in order to fraudulently obtain IPv4 resources from ARIN.

“It was a difficult operation,” said Stephen Ryan, a former federal prosecutor who represented ARIN in this lawsuit. “All eleven front companies for Micfo are still on the Internet, where you see all these wonderful people who supposedly work there. And we received notarized affidavits for these fictitious names.”

Independent experts say that Micfo is not the only shadow broker to have tricked ARIN out of subnets. For many years, the American Internet number registry was not very active in fighting fraud.

It is possible that schemes with fake companies are also operating in Russia, although such massive withdrawals of subnets from shadow brokers have not yet occurred. To qualify for a /22 block of IPv4 addresses from the European registry RIPE NCC, you need to register as a local Internet registry (LIR) and pay a membership fee. LIR status is usually obtained by Internet providers, telecommunications companies, large enterprises and academic institutions. LIRs receive address blocks from the RIPE NCC and assign IP addresses to their customers.

There are consulting companies in Russia that help clients register an LIR for a small fee of around 36,000 rubles (plus 15,000 rubles for annual support). Obviously, a /22 block of IPv4 addresses is worth much more than that, even at the minimum estimate of $12 per address. /22 blocks are being sold and rented.

It is possible that someone is engaged in such a business. According to statistics for 2012–2018, the rate at which IPv4 addresses were issued in Europe grew as a quadratic function. The RIPE NCC explains this by the fact that more and more local registries have been registered. A record number of new LIRs are registered in the UK, Germany and Russia.



In November 2015, RIPE prohibited members of the RIPE NCC from registering additional local registries, but this did not help, so in May 2016 the restriction was lifted. At this point, organizations started registering new legal entities in order to receive /22 blocks. Reportedly, one member of the RIPE NCC managed to get 66 /22 blocks, although only one was issued per local registry.

A year ago, RIPE announced the distribution of the last /22 block of the last /8 block, but the RIPE NCC pool holds 9 million “recovered” addresses (that is, addresses seized from former owners). According to the calculations of the Coordination Center, this is enough for about two more years if local registries are issued a /22 each.

A great many organizations hold registered IPv4 ranges that are huge by today's standards, are practically unused, and are not going to be given up (for example, 16.8 million addresses in block 44.0.0.0/8, registered allegedly for amateur radio, or 218 million IP addresses of the United States Department of Defense: 11.0.0.0/8, 22.0.0.0/8, 26.0.0.0/8, 28.0.0.0/8, 29.0.0.0/8, 30.0.0.0/8 and 33.0.0.0/8).

Other blocks are used very intensively. For example, a Hilbert curve visualization clearly shows how the address space of approximately 4.2 billion (2³²) addresses is allocated.


IPv4 address space allocation, April 2018

For comparison, here’s what the IPv6 address space allocation looks like.


IPv6 Address Space Distribution, April 2018


