More than four million Internet Protocol addresses have been misappropriated in what has been called Africa’s greatest internet heist.
The extent of the theft, which first drew red flags back in 2016, has now been fully uncovered, revealing a trail of corruption, coverups, and a burgeoning black-market trade.
The results of an internal audit undertaken by the African Network Information Centre (AFRINIC) have finally been made public after almost two years of waiting.
AFRINIC, which is responsible for the allocation and management of IP addresses on the continent, began its investigation after being contacted by the United States’ Federal Investigation Bureau (FBI) in 2019.
Four years before the FBI drew attention to the numerous anomalies – and before the Supreme Court of Mauritius, where AFRINIC is headquartered, ordered it to investigate – the information centre was tipped off by internet investigator Ron Guilmette.
Guilmette’s collaboration with local tech publication, MyBroadband, resulted in a report which implicated AFRINIC co-founder and engineer Ernest Byaruhanga as the mastermind behind the heist.
In total, 4.1 million IP addresses were stolen, 2.3 million from AFRINIC’s “free pool” and a further 1.7 million “legacy” IP addresses. They were worth around R1.3 billion, according to MyBroadband.
An IP, or Internet Protocol, address allows devices to communicate with each other, by assigning a unique number to each device.
The current generation of IPv4 addresses is, however, in seriously short supply. This shortage has, in turn, made IP addresses valuable.
AFRINIC tracks and manages IP addresses through the WHOIS system, which, as the name suggests, records who or what is using a specific address. As part of its latest report on the theft, AFRINIC admits that its WHOIS database was severely compromised by internal staff who “acted in collusion with other third parties”.
IPv4 addresses that were already reserved and in use by major organisations were effectively hijacked and sold. The hijacked addresses were then used to send spam, breach data records, and compromise websites.
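Because the registry record is what a hijack changes, an organisation that holds legacy blocks can detect this kind of reassignment by periodically comparing the WHOIS records for its ranges against what it believes it holds. The script below is an added illustration, not code from the article or from AFRINIC: it parses constructed RPSL-style WHOIS output (RFC 5737 documentation ranges; the org handles, names and dates are hypothetical, and real AFRINIC output carries more attributes), flags a block whose holder no longer matches or that was modified after a known-good baseline date, and counts the addresses in a range. Three /16 blocks come to 196,608 addresses, which is the “almost 200,000” figure the article cites for three blocks.

```python
import ipaddress
from datetime import date

# Constructed sample WHOIS output in RPSL "key: value" form. Ranges are
# RFC 5737 documentation prefixes; every netname, org handle and date is
# hypothetical and is not real AFRINIC data.
SAMPLE_WHOIS = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-RETAIL-NET
descr:          Example Retail Ltd
country:        ZA
org:            ORG-ER1-EXAMPLE
status:         ASSIGNED PI
last-modified:  2014-03-01T00:00:00Z
source:         AFRINIC

inetnum:        198.51.100.0 - 198.51.100.255
netname:        OFFSHORE-HOST-1
descr:          Offshore Hosting Co
country:        SC
org:            ORG-OH9-EXAMPLE
status:         ASSIGNED PI
last-modified:  2018-11-20T00:00:00Z
source:         AFRINIC
"""

# What the organisation believes it holds (hypothetical): each range mapped to
# the org handle it was registered under, plus the last date on which it
# knowingly changed any of these records.
EXPECTED_HOLDINGS = {
    "192.0.2.0 - 192.0.2.255": "ORG-ER1-EXAMPLE",
    "198.51.100.0 - 198.51.100.255": "ORG-ER1-EXAMPLE",
    "203.0.113.0 - 203.0.113.255": "ORG-ER1-EXAMPLE",
}
BASELINE_DATE = date(2016, 1, 1)


def parse_whois(text):
    """Split RPSL text into blank-line-separated records of key -> value."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):
            continue  # server comment lines, not attributes
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def range_size(inetnum):
    """Number of IPv4 addresses in an inclusive 'first - last' inetnum string."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in inetnum.split("-"))
    return int(last) - int(first) + 1


def audit(records, expected, baseline):
    """Return (range, finding) pairs where the registry disagrees with our view."""
    by_range = {r["inetnum"]: r for r in records if "inetnum" in r}
    findings = []
    for rng, org in expected.items():
        rec = by_range.get(rng)
        if rec is None:
            findings.append((rng, "no WHOIS record returned"))
            continue
        if rec.get("org") != org:
            findings.append((rng, f"holder changed to {rec.get('org')}"))
        last_modified = rec.get("last-modified")
        if last_modified:
            modified = date.fromisoformat(last_modified[:10])
            if modified > baseline:
                findings.append((rng, f"record modified {modified} after baseline"))
    return findings


if __name__ == "__main__":
    recs = parse_whois(SAMPLE_WHOIS)
    for rng, why in audit(recs, EXPECTED_HOLDINGS, BASELINE_DATE):
        print(f"{rng} ({range_size(rng)} addresses): {why}")
```

Run against the constructed data, the first block is clean, the second is reported twice (its holder changed and it was modified after the baseline), and the third is reported as absent from the registry output. In practice the text fed to `parse_whois` would come from a scheduled query to the registry, and a missing record deserves the same alert as a changed one, since a transferred block may simply no longer appear under the old range.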
Dozens of South African-based companies and organisations were impacted.
The Free State Department of Education and Anglo American both lost IP addresses to the value of almost R20 million, while the now-defunct Infoplan, which previously managed the Department of Defence’s information systems, was the worst hit, losing addresses worth approximately R80 million.
Three whole IP blocks, equating to almost 200,000 individual addresses, belonging to Woolworths were misappropriated. MyBroadband estimates the value of these stolen addresses to exceed R58 million.
Similarly, three IP blocks belonging to Nedbank – historically associated with Cape of Good Hope Bank Limited, Syfrets, and NBS Bank – were also part of the heist.
Other major South African organisations that had their IP addresses misappropriated include Nampak, Sasol, the City of Cape Town’s Directorate of Information Services, Transnet, and Independent Media’s Argus Holdings.
Approximately 1.5 million IP addresses have had their transfers reversed or been reclaimed as part of AFRINIC’s audit. Most of the remaining addresses are still pending the outcome of a review process to determine rightful custodianship.