Corporate identity theft is a simple ploy which may be used to illicitly
obtain valuable IPv4 address space. Actual use of this fradulent ploy
was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).
Quite simply, a party bent on undertaking this ploy may just search
the publicly available IP block WHOIS records, looking for abandoned and
unrouted IPv4 address blocks belonging to companies or organizations
which no longer exist. Upon finding any such, the thief may simply
undertake to formally register, with relevant government authorities,
a new corporate entity with the same or a very similar name as the now
defunct entity that is still listed in the WHOIS records as the registrant
of the coveted IPv4 address block(s).
Note that so-called "legacy" address blocks, i.e. those which were
assigned prior to the formation of ARIN in early 1997, are especially
prized by IPv4 address thieves because such blocks may be less subject
to effective control or regulation by Regional Internet Registries.
Publicly available evidence strongly suggests that a corporate identity
theft has occurred with respect to a former Delaware corporate entity
known as Azuki, LLC and also with respect to its valuable legacy IPv4
address block, 22.214.171.124/17.
The corporate search function of the Delaware Secretary of State's web
site may be used to obtain records relevant to corporate entities
registered in Delaware:
At present, the Delaware SoS's web site indicates that there are or have
been two different corporate entities, both named Azuki, LLC, that have
been registered in the State of Delaware. The file numbers for these
entities are 2810116 and 4751384.
The former entity was first registered in Delaware on or about 10/20/1997.
It's current operating status cannot be known without paying a fee. My
own personal speculation is that it most likely ceased operation well
more than a decade ago.
The latter entity was registered in Delaware on or about 11/9/2009.
According to the current live ARIN WHOIS record for the 126.96.36.199/17
address block (NET-216-179-128-0-1), this block was first allocated by ARIN
to Azuki, LLC on or about 1999-01-07. Quite obviously, this assignment
must have been made by ARIN to the original 1997 Azuki, LLC because the
one that was registered in Delaware in 2009 did not yet exist at that time.
Nontheless the mailing address currently present in the ARIN WHOIS
record for the 188.8.131.52/17 IPv4 address block, and the one which
is also present in the ARIN WHOIS record for the 2009 vintage ASN,
AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901,
matches exactly with the address given in Delaware corporate records
for the particular Azuki, LLC that was registered in Delaware in 2009.
(The corporate address that is still on file in Delaware for the original
1997 Azuki, LLC is located in a different Delaware city altogether.)
These evident inconsistancies, by themselves, are strongly indicative
of a probable case of corporate identity theft. Additional indicators
are however also present in this case.
In particular, the contact email address for both the Azuki, LLC ASN
(AS13389) and the Azuki, LLC IPv4 address block (184.108.40.206/17), i.e.
tech_dep (at) azukinet.com, make reference to the azukinet.com domain
which was, according to the relevant GoDaddy WHOIS record, registered
anew on or about 2011-05-12, some twelve years -after- the original
assignment, by ARIN, of the 220.127.116.11/17 block to Azuki, LLC.
The absence of evidence of the contnuous registration of this one and
only contact domain name since the original 1999 assignment, by ARIN,
of the 18.104.22.168/17 address block also tends to support the theory
that this valuable address block has been illicitly and perhaps illegally
appropriated by some party or parties unknown, and specifically via the
fradulent ruse of a corporate identity theft. Quite simply, my theory
is that following the demise of the original Azuki, LLC, sometime in
the 2000s, some enterprising crook registered the domain name azukinet.com
in order to successfully impersonate the actual and original Azuki, LLC,
specifically when interacting with ARIN staff members. This simple ruse
appears to have worked successfully for its intended purpose.
Additionally, attempts to call the contact phone number for Azuki, LLC,
(+1-213-304-6809) as currently listed in both the relevant ASN and the
relevant IP block WHOIS records, during normal business hours, Eastern
Daylight Time, yield only an anonymous answering machine recording.
(The recorded message does not even state the company name.) This is
yet another indicator of possible deliberate deception.
Last but not least, the widely-respected Spamhaus anti-spam organization
has had the entirety of the 22.214.171.124/17 block listed on its anti-spam
SBL list since 2019-06-08, i.e. two full months, dating backwards from today:
This listing, together with additional data from passive DNS and reverse
DNS scans suggest that the 126.96.36.199/17 block has been and is being
used for less than entirely admirable purposes. This is yet another
persuasive indicator of the possible/probable theft of the block.
I will shortly be informing both hostmaster (at) arin.net and also the folks
at Spamhaus of all of the above factual findings. I did however want to
share this information also with the NANOG community. Some or all of
you may wish to drop all packets from addresses currently announced by
AS13389, and/or may wish to encourage the direct peers of AS13389 to
review those peering arrangements. Of course, my exposition of all of
the above facts and indicators may perhaps also serve to further educate
members of the community regarding what to look for when and if suspicions
are cast upon a particular IP block or ASN.
In the 2008 case referenced above, which involved self-evident corporate
identity theft as a ruse to steal IPv4 address assets, ARIN apparently
elected not to actively seek the involvement of law enforcement, even
though the multiple clearly fraudulent actions undertaken in that case
were altogether apparent and were clearly perpetrated quite deliberately
and directly against ARIN.
In multiple more recent instances in which ARIN has, allegedly, been
targeted and defrauded, ARIN appears to have become more proactive in
seeking the involvement of criminal law enforcement. Specifically,
in addition to the well-publicized, notorious, and ongoing "Micfo"
case, a less well reported federal criminal case (3:18-cr-04683-GPC),
filed the Southern District of California last year, is currently
ongoing. This case also and likewise attempts to hold to account,
criminally, a different set of actors who also are alleged to have
perpetrated a rather elaborate fraud against ARIN for the purpose of
illicitly obtaining control over a number of IPv4 address blocks.
Personally, I am gratified that ARIN is nowadays taking this more forward
leaning posture towards those criminal actors who would attempt to use
fraud and deception to surreptitiously obtain IPv4 address blocks.
I do also hope that if the tenative conclusions of this public report
are borne out by subsequent investigation, that ARIN will again and
likewise seek an appropriate response from elements of the criminal
law enforcement community. We cannot have and should not have these
kinds of events happening again and again. Some appropriate deterrence
against ALL of these kinds of crooks is therefore no longer optional.