CEO told to hand back 757,000 fraudulently obtained IP addresses

A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back after the American Registry for Internet Numbers (ARIN) won a landmark judgment against it.

The dispute began in late 2018 when ARIN, which allocates IPv4 addresses in the US, Canada and parts of the Caribbean on a non-profit basis, discovered that a company called Micfo and its owner Amir Golestan had fraudulently tricked it into handing over the IP blocks.

IPv4 addresses are in incredibly short supply (see below), which means that getting hold of them involves waiting lists. Scarcity also makes them valuable on resale – between $13 and $19 each. That would make the IP addresses Micfo obtained worth between $9.8 million and $14.3 million.

Not surprisingly, cases of pocket-lining IP address fraud have risen, as ARIN’s senior director of global registry knowledge warned in a conference presentation in 2016.

Second-hand addresses

How do the fraudsters get hold of the addresses? By using the simple technique ARIN accused Micfo of deploying.

The key is that a lot of IPv4 addresses were handed out in the past when nobody worried about shortages, and a surprising proportion of those addresses fell into disuse.

Criminals attempt to detect these dormant ranges using public data from ARIN and Whois, checking which ones are still being used (i.e. routed).

If they’re not, and no longer have an active admin, they attempt to take them over using re-registration, claiming rights to them from ARIN.
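For a legitimate holder of legacy space, the same routed-or-not check works as an early warning: a block you consider dormant should not appear in the routing table, and an active block should only be announced by your own network. The sketch below is an added example, not taken from ARIN or the article. The inventory, the routing snapshot format and the function name `audit_holdings` are assumptions, and all prefixes and AS numbers are documentation values.

```python
import ipaddress

# Constructed inventory: prefixes we hold -> origin AS we expect to announce them.
# None means the block is dormant and should not appear in routing at all.
HOLDINGS = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": None,
    "192.0.2.0/24": None,
}

# Constructed routing snapshot: (announced prefix, origin AS) pairs, in the
# shape one might export from a route collector or looking glass.
SNAPSHOT = [
    ("198.51.100.0/24", 64500),
    ("203.0.113.128/25", 64511),
    ("198.51.100.0/25", 64510),
    ("192.0.0.0/24", 64499),
]


def audit_holdings(holdings, snapshot):
    """Return (held, announced, origin, reason) for every suspicious route."""
    findings = []
    for held_text, expected_origin in holdings.items():
        held = ipaddress.ip_network(held_text)
        for ann_text, origin in snapshot:
            ann = ipaddress.ip_network(ann_text)
            # Exact matches, more-specifics and covering routes all overlap.
            if ann.version != held.version or not ann.overlaps(held):
                continue
            if expected_origin is None:
                findings.append((held_text, ann_text, origin, "dormant block is routed"))
            elif origin != expected_origin:
                findings.append((held_text, ann_text, origin, "unexpected origin AS"))
    return findings


if __name__ == "__main__":
    for held, announced, origin, reason in audit_holdings(HOLDINGS, SNAPSHOT):
        print(f"{held}: {announced} from AS{origin} -> {reason}")
```

A finding here is a prompt to check the registry record for the block as well, since the takeover described above happens through re-registration rather than in routing.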

According to ARIN, from 2014 onwards Golestan and Micfo used 11 ‘shelf’ companies across the US as fronts to obtain the 757,760 IP addresses, backing this up with faked notarised affidavits from staff who turned out not to exist.

Even when ARIN detected the fraud, Micfo continued to resist, seeking a restraining court order against the organisation. It also filed for arbitration, the first time this has happened in such a case.

On 1 May 2019, Micfo lost this arbitration and was ordered to hand back the addresses and pay ARIN $350,000 to cover legal fees. Golestan now faces charges of wire fraud carrying a possible 20-year sentence.

Some of the addresses are being used by bona fide buyers and probably won’t be returned. Nevertheless, the case has highlighted the growing problem of IP address fraud. Said ARIN president and CEO, John Curran:

We are stepping up our efforts to actively investigate suspected cases of fraud against ARIN and will revoke resources and report unlawful activity to law enforcement whenever appropriate.

Why the shortage?

As a 32-bit addressing scheme, IPv4 is limited to a maximum of 2^32, or 4,294,967,296, possibilities. (Several hundred million of those are reserved, so the true number available is actually somewhat lower.)

When IPv4 was defined decades ago, billions of routable addresses seemed plenty.

Not every device needs a public-facing, routable IP number – computers on a LAN can freely use one of several million different private numbers reserved for local networks.

But every network, even if it’s just one laptop at home, needs at least one public IP if it’s to make it onto the internet.

Warnings about the imminent exhaustion of these IPv4 addresses go back years, with IANA announcing that it was running out in 2011, followed by Europe’s RIPE in 2012, and North America’s ARIN in 2015.

What they meant by ‘running out’ is that as time passes they are managing scarcity by handing out smaller and smaller blocks of addresses to organisations requesting them.

As mentioned above, a lot of already allocated IPv4 addresses are still out there and have merely fallen into disuse, which is where address recycling comes in.

The long-term solution is supposed to be IPv6, finalised in 1998, which increases the address space to 128 bits.

That bumps the theoretical number of possible IP addresses to the enormous number 2^128 – a stash that’s trillions of trillions times bigger than the number of grains of sand on earth and should therefore never run out.

But if you already have a website registered at an IPv4 address, why bother firing up an IPv6 equivalent? Many networks just haven’t bothered, so even those who have adopted IPv6 generally need to do IPv4 networking as well for backward compatibility.

What might eventually drive people to IPv6 is economics. As soon as the cost of IPv4 addresses crosses a threshold, IPv6 will suddenly look more attractive.

Unfortunately, exactly the same thing will draw criminals to second-hand IPv4 addresses. ARIN’s latest case is unlikely to be its last.

5 Comments

Seems to me that this is an issue that ARIN/ICANN should have addressed a long time ago. We’ve known we were running out of IPv4 for quite a while now. Why have they not bothered to investigate any of this fraud that whole time? It’s pretty sad.

This has been going on for a long _long_ time.

I first detected spam from a stolen /16 in 2001 (It was returned to the rightful owners within days) and was about the time that procedures started tightening up regarding claims over blocks – the company in question was very much active, but not using the block and the thief merely told his provider he had rights to the block.

At least one /8 (10 million addresses) is in the hands of someone who was merely an employee (some say only a consultant) of a software company which failed back in the late 1980s – supposedly he simply helped himself to the address space as he walked out the door. Compared to that, 757k addresses is inconsequential – but the lengths that scammers are prepared to go to for such small amounts of address space shows how overdue moving to IPv6 really is.
(Disclosure: I’m sitting on 2 dormant /21s allocated in the early 1990s and keep an eye out in case they ever go Zombie. They are unlikely to ever be active again and shouldn’t be. IPv4 is done. Stick a fork in it)

Stoat, you are sitting on 2 /21 blocks? This is what makes me sick. I’m trying to grow an ISP but can’t get even the addresses I need but yet you have unused addresses. Even running dual stack IPv6 I still need some IPv4 until things have transitioned. I think everyone that owns addresses either has to use them within a certain time or give them back for us that still need them as we grow our businesses. ARIN/ICANN needs to reclaim unused addresses. Are you willing to sell the blocks?

Much as I dislike Google throwing its weight around, might be time for them to start downranking sites that don’t support IPv6 into oblivion.

With a nice long warning period, the damage will be limited to those who are not willing to play as part of a team, and those don’t matter.

What about breaking up unused parts of class B ranges? The state government of South Australia still seems to own 143.216.0.0. It was assigned in the early nineties, before the government and academic internet became public. They eventually had a single gateway and used NAT 10.x.x.x there for almost everything inside, with just a few 143.216.x.x hosts poking through the firewall.
