[anti-abuse-wg] The Great AFRINIC Heist -- The Enablers

As the primary investigator pursuing this case, I have invested more
than a little effort into continuing to track what has been going
on as AFRINIC attempts to remediate the effects of these thefts.
I would like now to provide you all with some insight into the current
situation and status relating to the affected stolen AFRINIC blocks
and the multiple parties in your own region who are continuing, at
present, to provide routing to the various bits and pieces of the
stolen AFRINIC IPv4 space.

My hope, of course, is that you will all join with me in trying to
persuade these networks to cease all routing to all of the stolen
AFRINIC address space.

A full list of all of the stolen AFRINIC blocks that are still of
ongoing concern at the present moment is available here:

    https://pastebin.com/raw/71zNNriB

Note that many of the blocks listed at the link above have already
been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
But because routing remains almost entirely decoupled from RIR WHOIS
data bases, much of this "reclaimed" space is still being routed as
I write this.  The only difference is that now the space is being
routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC
IPv4 address space that is still of concern (including routing for
recently reclaimed address space that AFRINIC will eventually be
returning to its free pool) is provided below.  This list is sorted
by the number of constituent stolen /24 blocks being routed by each
listed network, thus showing the most major offenders at the top.
A few footnotes concerning specific ASNs in this list follow below
the listing.

I urge everyone on this mailing list to share this data as widely as
possible in and among the global networking community.  In all cases
noted below, the networks in question are unambiguously routing IP
blocks that were obtained, in the first instance, via thefts perpetrated
by one or more AFRINIC insiders and then resold on the black market
in secretive deals.  In many and perhaps most cases listed below, the
relevant networks appear to have been more than happy to accept some
cash in exchange for their services, while not looking all that
carefully at the purported (but fradulent) "LOA" documents that they
were given in order to persuade them to announce routes to stolen IP
space.  (Repeated use of blatantly fradulent documents has been one
of the consistant features of this entire ongoing criminal enterprise.)

I would also like to request the assistance of every person on this
mailing list in the task of informing all of the networks that are
mentioned in the list below, and that are within your own geographic
region, that they are each currently announcing routes to stolen IP
space.  Of course, it is my hope that you will also encourage them,
in no uncertain terms, to stop doing this immediately, if not sooner.

As you can see below, this Internet crime spree is a globe-spanning
and ongoing disaster.  There is no way that I can get all of this
mess cleaned up on my own.  I am therefore relying on all people of
honesty and good will, in all regions, to assist me in getting the
word to the networks mentioned below, and telling them, very directly,
that they are each facilitating a colossal fraud that affects the
whole of the global Internet community.  (I know for a fact that
there is ongoing criminal activity which is being perpetrated from
at least some of this provably stolen IP address space, so it is in
the self interest of every honest netizen to get this all turned
off and shut down.)

All routing data is derived from current data published by RIPEstat.

======================================================================
  3719  0       ??  UNROUTED IP SPACE
   629  132165  PK  Connect Communication
   512  18013   HK  Asline Limited
   504  19969   US  Joe's Datacenter, LLC
   500  62355   CO  Network Dedicated SAS
   423  202425  SC  IP Volume inc
   286  58895   PK  Ebone Network (PVT.) Limited
   250  136525  PK  Wancom (Pvt) Ltd.
   192  18530   US  Isomedia, Inc.
   186  9009    GB  M247 Ltd
   134  262287  BR  Maxihost LTDA
   132  204655  NL  Novogara LTD
    79  132116  IN  Ani Network Pvt Ltd
    75  136384  PK  Optix Pakistan (Pvt.) Limited
    68  132422  HK  Hong Kong Business Telecom Limited
    60  137443  HK  Anchnet Asia Limited
    48  63956   AU  Colocation Australia Pty Ltd
    26  132335  IN  LeapSwitch Networks Pvt Ltd
    21  131284  AF  Etisalat Afghan
    20  139043  PK  WellNetworks (Private) Limited
    19  43092   JP  OSOA Corporation., LTD
    17  36351   US  SoftLayer Technologies Inc.
    16  56611   NL  REBA Communications BV
    16  199267  IL  Netstyle A. Ltd
    16  23679   ID  Media Antar Nusa PT.
    14  137085  IN  Nixi
    10  63018   US  Dedicated.com
     9  136782  JP  Pingtan Hotline Co., Limited
     8  45671   AU  Servers Australia Pty. Ltd
     8  57717   NL  FiberXpress BV
     7  49335   RU  LLC "Server v arendy"
     7  134451  SG  NewMedia Express Pte Ltd
     6  49367   IT  Seflow S.N.C. Di Marco Brame' & C.
     6  26754   ??  {{unknown organization}}
     5  198504  AE  Star Satellite Communications Company - PJSC
     5  198381  AE  Star Satellite Communications Company - PJSC
     4  38001   SG  NewMedia Express Pte Ltd
     4  263812  AR  TL Group SRL ( IPXON Networks )
     4  30827   GB  Extraordinary Managed Services Ltd
     4  42831   GB  UK Dedicated Servers Limited
     4  37200   NG  SimbaNET Nigeria Limited
     4  133495  PK  Vision telecom Private limited
     4  198394  AE  Star Satellite Communications Company - PJSC
     2  44066   DE  First Colo GmbH
     2  198247  AE  Star Satellite Communications Company - PJSC
     2  133933  PK  NetSat Private Limited
     2  328096  UG  truIT Uganda Limited
     2  38713   PK  Satcomm (Pvt.) Ltd.
     2  31122   IE  Digiweb ltd
     2  46562   US  Total Server Solutions L.L.C.
     2  13737   US  Riverfront Internet Systems LLC
     2  11990   US  Unlimited Net, LLC
     2  20860   GB  Iomart Cloud Services Limited
     2  45382   KR  Ehostict
     2  17216   US  Dc74 Llc
     2  16637   ZA  Mtn Sa
     2  53999   CA  Priority Colo Inc
     1  23470   US  ReliableSite.Net LLC
     1  35074   NG  Cobranet Limited
     1  19832   ZA  Link Data Group
     1  43945   IL  Netstyle A. Ltd
     1  134917  IN  Ragsaa Communication pvt. ltd.
     1  203833  DE  First Colo GmbH
======================================================================

The actual current route announcements corresponding to all of the above
are listed in the table given here, which is sorted by ASN:

   https://pastebin.com/raw/XQyJ8EK2

Footnotes:

[1]  AS62355 gives all indications of being a false front fradulent
network, possibly one that was set up by one or more of the black
market dealers involved in this case.  There is no actual web site
associated with its contact domain (networkdedicated.com) at present,
the alleged contact phone number in the associated AS WHOIS record
was non-working when I tried it, and the street address given for
this entity in Bogotá, Columbia, is one that Google maps cannot
locate.  Traceroutes to the one and only IPv4 block that is being
routed by this AS and that is actually registed to the company itself
(185.39.8.0/22 -- issued by RIPE NCC) do not terminate in Columbia,
South America, as one would expect based on the WHOIS, but rather
such traceroutes dead-end somwhere on the network of core-backbone.com
(Core-Backbone GmbH, Germany) in the general vicinity of Amsterdam,
Netherlands.

Please note also that AS62355 appears to be a "leaf" ASN which is
connected to the Internet only via AS202425, IP Volume, Ltd. --
Seyhelles.  (See below.)

    https://bgp.he.net/AS62355


[2] The networks of AS202425 (IP volume, Inc. - Seychelles), AS204655
(Novogara, Ltd. - Netherlands), AS56611 (REBA Communications BV -
Netherlands), and AS57717 (FiberXpress BV - Netherlands), are all
believed by me to be onwed and controled by a certain pair of Dutch
gentlemen named Mr. Ferdinand Reinier Van Eeden and Mr. Bartholomeus
Johannes ("Bap") Karreman, both of whom I have previously posted about
to the NANOG mailing list.  For more information on these characters,
please google for "Ecatel" and/or "Quasi Networks".  Both of those are,
I believe, demonstratably the predecessors of what is nowadays being
called "IP volume, Inc."

[3] AS199267 (Netstyle A. Ltd. - Israel) and AS43945 (Netstyle A. Ltd. -
Israel) belongs to the Israeli gentleman featured in Jan Vermeulen's
detailed December 4th report on this whole AFRINIC caper. This is the
specific fellow who has been going around passing out fradulent LOAs
of such shockingly low quality that one wonders why he even bothers.
(But I guess they work well enough in the case of many cash-starved
networks hungry fo new customers.)

[4] AS26754 was formerly an AFRINIC-assigned ASN which was assigned
to the entirely fictitious business entity called "ITC'.  That entity
appears to have just been an imaginary concoction of Mr. Ernest
Byaruhanga, formerly a senior employee of AFRINIC (and now the target
of an ongoing crimininal investigation) and/or other AFRINIC insiders
who worked with or along side Mr. Byaruhanga to criminally strip
assets from AFRINIC and its legacy block holders.  The registration
for this AS number has now been withdrawn by AFRINIC, thus rendering
the ASN itself a bogon.

[5] AS19832 ("Link Data Group") is yet another fiction that was
manufactured out of (nearly) whole cloth, either by Mr. Byaruhanga
and/or by other AFRINIC insiders who were working with him.  It is
not immediately clear why this ASN is still registered, let alone why
its route announcements are still being accepted or propagated
anywhere.