AFRINIC: The Saga Continues

My apologies to all. Certain of the blocks mentioned in my prior
posting here have already been reclaimed, and are currently being
routed by appropriate parties. In particular, these ones:

Also, I somehow managed to miss mentioning a few blocks that were also
quite clearly stolen as part of this extensive and elaborate scheme,
specifically these ones:

A full list of all of the stolen AFRINIC blocks that are still of
ongoing concern at the present moment, taking into account the above
adjustments, is available here:

Note that many of the blocks listed at the link above have already
been "reclaimed" as far as the AFRINIC WHOIS records are concerned.
But because routing remains almost entirely decoupled from RIR WHOIS
data bases, much of this "reclaimed" space is still being routed as
I write this. The only difference is that now the space is being
routed as bogons, rather than as "legitimately" allocated space.

A summary of all of the current routing for all of the stolen AFRINIC
IPv4 address space that is still of concern, including routing for
recently reclaimed address space that AFRINIC will eventually be
returning to its free pool is provided below. This list is sorted
by the number of constituent stolen /24 blocks being routed by each
listed network, thus showing the most major offenders at the top.
A few footnotes concerning specific ASNs in this list follow below
the listing.

I urge everyone on this mailing list to share this data as widely as
possible in and among the global networking connunity. In all cases
noted below, the networks in question are unambiguously routing IP
blocks that were obtained, in the first instance, via thefts perpetrated
by one or more AFRINIC insiders and then resold on the black market
in secretive deals. In many and perhaps most cases listed below, the
relevant networks appear to have been more than happy to accept some
cash in exchange for their services, while not looking all that
carefully at the purported (but fradulent) "LOA" documents they were
handed. (Repeated use of blatantly fradulent documents has been one
of the consistant features of this entire ongoing criminal enterprise.)

All routing data is derived from current data published by RIPEstat.

Rightful owners should create RPKI ROAs, what can help, since some
large networks have deployed origin validation and drop RPKI invalids.

What can or should be done when a registry goes rogue?


In message <>,

What can or should be done when a registry goes rogue?

Answering that question is a task which is above my pay grade. I would
be remiss however if I did not take this opportunity to make a few brief
and relevant points.

*) There are other and additional shoes yet to drop with respect to
AFRINIC. I am not free to go into more details regarding that assertion
at this time.

*) It is implausible on the face of it that only one AFRINIC insider was
stealing all of this stuff and spiriting it all out the backdoor at midnight
while all other AFRINIC employees, management, and board were entirely
clueless and totally in the dark about the fact that any of this was going
on, right under their own roof and right under their noses. And I have
some not-entirely-speculative reasons to believe that others were involved.

*) Throughout my investigation, AFRINIC officials and board members have,
almost without exception, avoided answering many simple and relevant
questions regarding this and other matters, even when the questions quite
obviously do not have any relevance whatsoever to AFRINIC's contractual
confidentiality commitments to its member organizations. If you ask
AFRINIC what time of day it is, they will tell you that that is covered
under an NDA, and that thus, they can't tell you.

It really is almost that bad, and there appears to me to be a pervasive
culture of secrecy within the organization which effectively thwarts
reasonable inquiry and any and all outside accountability. This appeared
to me to be the case even well before AFRINIC became fully aware of
the activities of their rogue employee, and now, the existance of what
is supposedly a serious police inquiry by the crack Mauritian police
investigators is being used as a basis for AFRINIC to answer even fewer
questions than before, since the whole matter is now said to be "under
police investigation".

(It is left as an exercise for the reader to deduce whether or not the
high-tech crimes investigative unit of the Mauritian national police is
at all likely to obtain or expose more answers in this case than I and
journalist Jan Vermeulen already have done. In estimating the odds of
that, it may be of value to keep in mind that the entire nation of
Mauritius, known primarily for sunny beaches and tax avoidance schemes,
has a total population of slighty less than the city of Dallas, Texas.)

*) Ever since the publication of Jan Vermeulen's first article on this
matter on September 1, 2019, it has been alleged that AFRINIC has been
conducting its own internal investigation. More recently Jan has learned
that AFRINIC's internal investigation may have actually started much
earlier, in April of 2019. In all this time, neither anyone from AFRINIC
nor anyone from the Mauritian national police have made any effort to ask
either Jan or myself what, if anything, we know about these matters that
has not yet appeared in print. If they had asked, as part of their
"internal investigation", we could have told them some things. They never

*) Entirely separate from the matter of the looting of IPv4 resources
from AFRINIC, it was announced some time ago the AFRINIC's auditor of
many years, PriceWaterhouseCoopers (PwC), has effectively fired its client,
AFRINIC, for reasons that have yet to be revealed, either to the AFRINIC
membership or to the public at large. This is the same accounting firm
that has been named in numerous recent press reports as having possibly
played some role in the large scale looting of the state coffers of the
southern African country of Angola:

This raises the almost unavoidable question: How bad must AFRINIC's books
be in order to cause even the likes of PriceWaterhouseCoopers to walk away
from their client, AFRINIC, after so many years? And what is it in those
books that AFRINIC and its board would prefer everyone not know about?

*) At the present time, and reportedly even well before Jan Vermeulen's
September 1st article which suggested, unambiguously, that there was
something rotten going on within AFRINIC, AFRINIC has been allegedly
endeavoring to investigate itself. I problems with that are, I believe,
self-evident to any unbiased observer.

I personally have no faith that the full truth or the full facts relating
either to the IPv4 pilfering or to the other and unrelated accounting
issues, whatever they may be, are at all likely to emerge from AFRINIC's
investigation of itself. Furthermore, I believe that this is itself
considered by the AFRINIC board to be a feature rather than a bug.

If anyone were seriously motivated to get to the full truth of these matters
then the solution is quite obvious. There should be an independent outside
investigation. And to be clear, I am most definitely *not* talking about
an investigation performed by what is effectively AFRINIC's parent company,
ICANN. That organization also has more than a little vested interest in
seeing to it that both of these matters, the IP thefts and the accounting
irregularities, are all swept under the rug as quickly and as quietly as

For this reason, I have no doubt whatsoever that both AFRINIC and ICANN
would vigorously oppose the notion of an independent outside investigation.
And since ICANN calls the tune with respect to all Internet governance
matters I also have no doubt at all that there will be no indepndent
inquiry into any of this abundant funny business, and that the full facts
will never be known to the public, and most likely not even to the few
AFRINIC staff members who are, at present, and reportedly since last April,



Speaking only for myself…

As I’ve recently seen complaints about RIRs directed to ICANN (in a different context than the issues at AfriNIC), a bit of clarification may be in order:

In my view, it is primarily the responsibility of the community served the the RIR to reign it in if it goes rogue.

And to be clear, I am most definitely not talking about

ICANN is not the parent company of AfriNIC (or any other RIR, some of which existed prior to ICANN being created). While ICANN recognizes new RIRs (according to and recognizes “global policies” that reach consensus across all RIRs, there are no policies, processes, or mechanisms by which ICANN can exert any form of control over the RIRs. ICANN performs a set of functions for the RIRs at their request via the IANA functions and can be seen in that light as a service provider to the RIRs.

It is probably most accurate to view ICANN and the RIRs as peer organizations, connected operationally via the IANA functions, which primarily focus on different universes (domain names in ICANN’s case, IP addresses in the RIRs’ case).

I’ll admit some curiosity as to what this “more than a little vested interest” might be, however this is simply wrong. Like pretty much everybody else, we have an interest in an accurate and trustable registration database.

As RIR operational matters are outside ICANN’s remit as defined by our Bylaws, at least by my reading, I am skeptical ICANN would even have an opinion.

I suspect the folks at the RIRs, Internet Society, IGF, ITU, W3C, ETSI, IETF, IAB, etc. may not agree with this assertion.

ICANN CTO, but speaking only for myself.

It is sad to see this statement coming from someone so high up in ICANN…

So often ICANN has focused strictly on that first N.

I would say it is more accurate to refer to ICANN in the context of the RIRs as a vendor and little more. ICANN performs services (maintenance of the central registry and coordination of large blocks of number resources being delegated to the individual RIRs from that central registry). Technically, I believe this is done through PTI, though I admit that I still haven’t managed to gain 100% clarity on how the PTI<->ICANN relationship functions or whether the RIRs are contracted to ICANN or to PTI or to both.

Speaking only for myself, I certainly don’t agree with this assertion.