Tech CEO pleads for wire fraud in IP address scheme – Krebs on Security
The CEO of a South Carolina tech company has pleaded guilty to 20 counts of wire fraud in connection with an elaborate network of bogus companies set up to obtain more than 735,000 Internet Protocol (IP) addresses from the non-profit organization that leases digital real estate to entities in North America.
In 2018, the U.S. Internet Number Registry (ARIN), which oversees IP addresses assigned to entities in the United States, Canada and parts of the Caribbean, notified Charleston, SC based Micfo LLC that he intended to revoke 735,000 addresses.
ARIN said they wanted the addresses back because the company and its owner – 38 years old Amir Golestan – had obtained them under false pretenses. A global shortage of IPv4 addresses has driven the price of these resources up massively over the years: at the time of this dispute, a single IP address could sell for between $ 15 and $ 25 on the open market.
Micfo responded by suing ARIN in an attempt to stop the entry of the IP address. In the end, ARIN and Micfo settled the dispute through arbitration, with Micfo returning most of the addresses it had not yet sold.
But the legal standoff caught the attention of South Carolina U.S. Attorney Sherri Lydon, who in May 2019 filed wire fraud charges against Golestan, alleging he had orchestrated a network of shell companies and fake identities to prevent ARIN from knowing that the addresses all went to the same buyer.
Each of these shell companies involved producing notarized affidavits on behalf of people who did not exist. As a result, Lydon was able to charge Golestan with 20 counts of wire fraud, one for each payment made by the bogus companies that bought the IP addresses from ARIN.
On November 16, just two days after the start of his trial, Golestan changed his plea to “not guilty”, agreeing to plead guilty to 20 counts of wire fraud. KrebsOnSecurity asked Golestan at length about his case last year, but he did not respond to requests for comment on his change in plea.
In 2013, a number of Micfo customers had fallen on the radar of Spam house, a group that many network operators rely on to block spam. But soon after Spamhaus started blocking Micfo’s IP address ranges, Micfo changed course and began reselling IP addresses primarily to companies marketing “virtual private networks” or VPN services that help. customers to hide their real IP addresses online.
But in a 2020 interview, Golestan told KrebsOnSecurity that Micfo was at one point responsible for brokering around 40% of the IP addresses used by the world’s largest VPN providers. Throughout this conversation, Golestan maintained his innocence, although he explained that the creation of bogus companies was necessary to prevent entities like Spamhaus from interfering with his business in the future.
Stephen ryan, a lawyer representing ARIN, said Golestan changed its plea after the court heard from a former Micfo employee and notary public who described being instructed by Golestan to knowingly certify false documents.
“His testimony made him seem intimidating and unsavory,” Ryan said. “Because it turned out that he also sued her to try to prevent her from disclosing the actions he ordered. “
Golestan’s rather sparse plea deal (first reported by The Wall Street Journal) does not specify any kind of leniency he could earn from prosecutors for agreeing to end the trial prematurely. But it should be noted that a conviction for a single act of wire fraud can result in fines and up to 20 years in prison.
The courtroom drama comes as ARIN’s counterpart in Africa is embroiled in a similar, albeit much larger, dispute over millions of temperamental African IP addresses. In July 2021, the African Network Information Center (AFRINIC) confiscated more than six million IP addresses from Innovation in the cloud, a company incorporated in the paradise of the African offshore entities of the Seychelles (pronounced, rightly – “say shells”).
AFRINIC revoked the addresses – valued at around US $ 120 million – after an internal review found most of them were in use outside Africa by various entities in China and Hong Kong. Like ARIN, AFRINIC policies require that those who lease IP addresses demonstrate that the addresses are used by entities in their geographic region.
But a few weeks later, Cloud Innovation convinced a judge in Mauritius, AFRINIC’s country of origin, to freeze $ 50 million in AFRINIC’s bank accounts, arguing that AFRINIC had “acted in bad faith and for futile reasons to tarnish the reputation of Cloud Innovation ”, and that it had an obligation to protect its customers against service interruptions.
This financial freeze has since been partially lifted, but legal disputes between AFRINIC and Cloud Innovation continue. The CEO of the company is also suing the CEO and chairman of AFRINIC in an $ 80 million libel case.
Ron Guilmette is a security researcher who has spent several years tracking how tens of millions of dollars of AFRINIC IP addresses were privately sold to address brokers by a former AFRINIC executive. Guilmette said Golestan’s guilty plea is a positive sign for AFRINIC, ARIN and the other three regional Internet registries (RIRs).
“This is good news for the rule of law,” said Guilmette. “This has implications for the AFRINIC case as it reaffirms the authority of all RIRs, including AFRINIC and ARIN.”