LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

The Curious Case of 4.1 Million Misappropriated AFRINIC IPv4 Addresses

AFRINIC is the regional internet registry (RIR) for Africa, responsible for managing and allocating Internet number resources such as IPv4 addresses.

APNIC and ARIN (both much larger than AFRINIC) parted with some of their IPv4 space so that AFRINIC could get its start.

Since then, it’s been a bit of a troubling start.

Why do I say that?

Good question, well… the second employee ever hired at AFRINIC, way back in 2004, was directly responsible for the biggest IPv4 heist in history: to the tune of around 4.1 million IPv4 addresses, to be specific.

But, let’s not get ahead of ourselves here, we need to start from the beginning:

Meet MyBroadband and Ron Guilmette

The story was broken by the news site MyBroadband and security researcher Ron Guilmette.

Ron first noticed it in 2019 while tracking a spamming ring.

Specifically, a set of IPv4 blocks came onto his radar. Take note of two of the registrants, Infoplan and Cape of Good Hope Bank; both come up again below.

Most of those are legacy IP blocks, meaning they were handed out before the RIR system existed.

(Figure: timeline of the RIR system. Source: IPXO)

If you hold a legacy block, you are generally not required to pay an RIR like AFRINIC annual fees.

With legacy blocks it is also often particularly hard to identify who the owner actually is. Why?

They were often forgotten about, and the information in the AFRINIC WHOIS database for them is frequently inaccurate or outdated.

It is still entirely possible for someone to control a legacy block unnoticed behind invalid WHOIS information, and such blocks are often used for spamming or attacks at scale.

Following the Trail

Infoplan, the registrant of the 196.16.0.0/14 block mentioned above, was a company that was merged into the State Information Technology Agency (SITA) back in 1998.

SITA is an official South African state agency; however, it denied ever acquiring any IP space in the Infoplan merger.

According to the research by Ron and MyBroadband, the AFRINIC WHOIS record was altered in 2015 to point to a company in the Seychelles, and later to a company named “Network and Information Technology Limited”.

That company in turn led to another company in Dubai.

Cape of Good Hope Bank’s block, 165.52.0.0/14, also mentioned above, is another curious case…

A company named Nedbank acquired Cape of Good Hope Bank in 2003.

When MyBroadband questioned Nedbank about it, here’s what they said:

Nedbank took control of Cape of Good Hope Bank and its business (including all assets) a few years ago. If this IP address block belonged to Cape of Good Hope Bank, Nedbank will be the rightful owner of the IP address block.

We are in the process of determining if the IP block indeed belonged to Cape of Good Hope Bank. Nedbank as a matter of course does everything within its control to protect its assets, including IP addresses. We are engaging with AFRINIC to establish ownership.

MyBroadband pointed out to Nedbank that the AFRINIC WHOIS database shows the block as belonging to Cape of Good Hope Bank, but Nedbank could not confirm whether it ever had control of the block after the acquisition.

After following the trail, it was clear that nearly all of the blocks they were discovering had gone unaccounted for at some point, usually after a merger or acquisition.

The Smoking Gun

MyBroadband and Ron discovered that back in 2012, an AFRINIC employee had been assigned as the administrative contact for the Cape of Good Hope Bank WHOIS entity. Who?

Ernest M. Byaruhanga.

Cape of Good Hope Bank had been sold in 2003, nine years earlier.

The team already had suspicions but couldn’t act on them, until their articles on the subject gained traction and a series of tips started coming in.

All of these tips were leading back to a Ugandan company that goes by the name of Amiek Holdings.

Specifically, an e-mail marketing company by the name of TotalSend had tried and failed to get IPv4 space from AFRINIC.

It was then approached by an “Inno Byaruhanga”, who sold it IPv4 space on behalf of Amiek Holdings.

The block in question was 196.45.112.0/22, 1,024 IPv4 addresses.

Ron Guilmette followed this trail and discovered the only shareholders of Amiek Holdings were Ernest Byaruhanga and members of his family.

He also owned another company, ITC, which operated through the “ipv4leasing.net” domain.

The following blocks contained IPv4leasing.net in the WHOIS information:

  • 196.195.112.0/24 – Dishnet Africa Ltd (South Sudan)
  • 196.195.113.0/24 – Dishnet Africa Ltd (South Sudan)
  • 196.195.114.0/23 – AFRIKANET ONLINE SARL
  • 196.195.232.0/23 – truIT Internet Services (Kampala, Uganda)
  • 196.195.236.0/22 – truIT Internet Services (Kampala, Uganda)

AFRINIC ended up deleting the history of the first three allocations on that list.

MyBroadband and Ron continued:

Our technical investigation of AFRINIC’s public WHOIS records showed that there are several apparent connections between the CGHB, ITC, and Link Data entities in the AFRINIC WHOIS database.

One of the things that link them is an e-mail address with the domain “ipv4leasing.net”.

The ipv4leasing.net website was still online at the time of publication. A snapshot of the site is also available.

Byaruhanga’s name appears on the historical WHOIS lookup for “ipv4leasing.org”, which was registered seconds before “ipv4leasing.net”.

A company called IPv4 Leasing in Uganda has Byaruhanga listed as the sole partner.

Byaruhanga’s name also appears as the administrative contact in the historical data for the CGHB entity in the AFRINIC WHOIS database between 2012 and 2013.

Finally, as noted above, Byaruhanga’s name appears as a major shareholder of Amiek Holdings, which is connected to ITC through the sale of an IP address block to TotalSend.

Scans of documents obtained from the URSB and copies of the relevant WHOIS data are included at the end of the article.

Guilmette said the evidence suggests that in at least some cases, freshly allocated IP address blocks were assigned, apparently by AFRINIC, to long-dormant entities in the AFRINIC WHOIS database like ITC, Link Data, and CGHB.

AFRINIC CEO Eddy Kayihura declined to answer a question about the origins of the IP addresses assigned to ITC, Link Data, and CGHB.

Kayihura said that AFRINIC could only answer questions that do not fall within the scope of its ongoing investigation into this matter.
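The pivot the investigators describe above, tying otherwise unrelated WHOIS entities together through a shared contact handle and a shared e-mail domain, is easy to automate once you have the raw WHOIS objects. The script below is an added example, not code from this article, MyBroadband or Ron Guilmette: it parses RPSL-style WHOIS text in the layout AFRINIC’s WHOIS returns, indexes every inetnum by its admin-c, tech-c, mnt-by and notify values (and by the e-mail domain of any address), and reports the values that appear on objects belonging to two or more distinct organisations, together with how much address space sits under each. The sample records are constructed: RFC 5737 documentation prefixes, made-up handles and organisations, and the made-up domain leasing-broker.example.

```python
"""Pivot across WHOIS inetnum objects on shared contact data.

Added example, not code from the article, MyBroadband or Ron Guilmette.
All records below are constructed: RFC 5737 prefixes, made-up handles.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Attributes worth pivoting on: contact handles, maintainer, notify address.
PIVOT_ATTRS = ("admin-c", "tech-c", "mnt-by", "notify")

# Values that legitimately sit on thousands of objects and would drown the
# signal; the registry's own hostmaster maintainer is the obvious case.
DEFAULT_IGNORE = frozenset({"AFRINIC-HM-MNT"})

# Constructed sample: two unrelated-looking orgs share one admin-c handle and
# one contact e-mail domain; the third record is a control with nothing shared.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        DORMANT-BANK-NET
descr:          Bank that was acquired years ago and
+               never updated its registration
org:            ORG-DB1-AFRINIC
admin-c:        EB1-AFRINIC
tech-c:         EB1-AFRINIC
status:         ASSIGNED PI
notify:         hostmaster@leasing-broker.example
mnt-by:         AFRINIC-HM-MNT

inetnum:        198.51.100.0 - 198.51.100.127
netname:        OLD-TELCO-NET
org:            ORG-OT1-AFRINIC
admin-c:        EB1-AFRINIC
tech-c:         JT2-AFRINIC
status:         ASSIGNED PA
notify:         noc@leasing-broker.example
mnt-by:         AFRINIC-HM-MNT

inetnum:        203.0.113.0 - 203.0.113.255
netname:        CONTROL-ISP-NET
org:            ORG-CI1-AFRINIC
admin-c:        CI1-AFRINIC
tech-c:         CI1-AFRINIC
status:         ASSIGNED PA
notify:         noc@control-isp.example
mnt-by:         CONTROL-ISP-MNT
"""


def parse_rpsl(text):
    """Split RPSL text into objects: one dict of attribute -> [values] each.

    Objects are separated by blank lines; a line starting with '+' or
    whitespace continues the previous attribute's value.
    """
    objects, current, last_attr = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                objects.append(current)
            current, last_attr = None, None
            continue
        if line[0] in " \t+" and last_attr is not None:
            current[last_attr][-1] += " " + line.lstrip(" \t+")
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        attr = attr.strip().lower()
        current[attr].append(value.strip())
        last_attr = attr
    if current:
        objects.append(current)
    return objects


def address_count(inetnum):
    """'a.b.c.d - e.f.g.h' -> number of addresses in the inclusive range."""
    start, end = (ip_address(p.strip()) for p in inetnum.split("-"))
    return int(end) - int(start) + 1


def email_domain(value):
    """Domain part of an e-mail address, or None if the value has none."""
    m = re.search(r"@([\w.-]+)", value)
    return m.group(1).lower() if m else None


def find_shared_contacts(objects, ignore=DEFAULT_IGNORE):
    """(attr, value) pivots seen on inetnums of >= 2 distinct orgs, with totals."""
    index = defaultdict(lambda: {"orgs": set(), "netnames": set(), "addresses": 0})
    for obj in objects:
        if "inetnum" not in obj:
            continue
        org = obj.get("org", ["?"])[0]
        netname = obj.get("netname", ["?"])[0]
        size = address_count(obj["inetnum"][0])
        keys = set()
        for attr in PIVOT_ATTRS:
            for value in obj.get(attr, []):
                if value in ignore:
                    continue
                keys.add((attr, value))
                dom = email_domain(value)
                if dom:  # handles differ per object, but the domain repeats
                    keys.add(("email-domain", dom))
        for key in keys:  # a set, so one object counts once per pivot value
            entry = index[key]
            entry["orgs"].add(org)
            entry["netnames"].add(netname)
            entry["addresses"] += size
    return {k: v for k, v in index.items() if len(v["orgs"]) >= 2}


if __name__ == "__main__":
    for (attr, value), hit in sorted(find_shared_contacts(parse_rpsl(SAMPLE_WHOIS)).items()):
        print(f"{attr}={value}: {hit['addresses']} addresses across {sorted(hit['orgs'])}")
```

On the sample, the only hits are the shared admin-c handle and the shared leasing-broker.example domain, each covering 384 addresses across the two dormant-looking organisations; the control record and the registry’s own maintainer produce nothing. Against a real bulk WHOIS dump the ignore list needs to grow to cover every maintainer and role object the registry itself places on large numbers of records, otherwise those dominate the output.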

The Aftermath

After the connection was clearly made and attention on the situation grew, Ernest Byaruhanga resigned from AFRINIC.

Adiel Akplogan, former CEO of AFRINIC and a close associate of Ernest, stated that he had not been aware of IP addresses being stolen and sold on the black market.

The current CEO stated that AFRINIC employees are not allowed to operate IP brokerages.

However, a large share of the blocks used in the 4.1 million IPv4 heist is legacy address space: Infoplan, Cape of Good Hope Bank, and so on, none of which carried any annual AFRINIC fees. The rest appear to have come directly from AFRINIC’s inventory of available IPv4 space, assigned to long-dormant entities such as ITC.

Looking at the main blocks used in the heist, Ron Guilmette concluded that someone with a high level of access to the AFRINIC WHOIS database had systematically edited those records, and by doing so that AFRINIC insider was able to take full control over these ghost blocks.

Who would know the difference? You’re the only point of contact, and the actual owner forgot about the block years ago.

In total, ~4.1 million IP addresses were stolen: ~2.3 million of them from AFRINIC’s free pool, and ~1.7 million of them legacy IPv4 addresses.

That’s nearly a hundred million dollars’ worth of IPv4 addresses stolen, at today’s rates.

Anyways, how does this story end, you ask?

Well, Ernest Byaruhanga made a great deal of money, then disappeared behind a couple of PR statements.

All after pulling off the biggest IPv4 heist, ever.

Did you expect anything different?

Sir Foxy
