nanog mailing list archives

RE: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17


From: Kevin McCormick <kmccormick () mdtc net>
Date: Fri, 9 Aug 2019 13:59:18 +0000

Thought you may find these connections with the 3500 South DuPont Hwy, Dover, DE, 19901 address interesting.

https://offshoreleaks.icij.org/nodes/14014038

Thank you,

Kevin McCormick

-----Original Message-----
From: NANOG <nanog-bounces () nanog org> On Behalf Of Ronald F. Guilmette
Sent: Thursday, August 8, 2019 2:54 PM
To: nanog () nanog org
Subject: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Corporate identity theft is a simple ploy which may be used to illicitly obtain valuable IPv4 address space.  Actual 
use of this fraudulent ploy was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

Quite simply, a party bent on undertaking this ploy may just search the publicly available IP block WHOIS records, 
looking for abandoned and unrouted IPv4 address blocks belonging to companies or organizations which no longer exist.  
Upon finding any such, the thief may simply undertake to formally register, with relevant government authorities, a new 
corporate entity with the same or a very similar name as the now defunct entity that is still listed in the WHOIS 
records as the registrant of the coveted IPv4 address block(s).

Note that so-called "legacy" address blocks, i.e. those which were assigned prior to the formation of ARIN in early 
1997, are especially prized by IPv4 address thieves because such blocks may be less subject to effective control or 
regulation by Regional Internet Registries.

Publicly available evidence strongly suggests that a corporate identity theft has occurred with respect to a former 
Delaware corporate entity known as Azuki, LLC and also with respect to its valuable legacy IPv4 address block, 
216.179.128.0/17.

The corporate search function of the Delaware Secretary of State's web site may be used to obtain records relevant to 
corporate entities registered in Delaware:

    https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

At present, the Delaware SoS's web site indicates that there are or have been two different corporate entities, both 
named Azuki, LLC, that have been registered in the State of Delaware.  The file numbers for these entities are 2810116 
and 4751384.

The former entity was first registered in Delaware on or about 10/20/1997.  Its current operating status cannot be 
known without paying a fee.  My own personal speculation is that it most likely ceased operation well more than a 
decade ago.

The latter entity was registered in Delaware on or about 11/9/2009.

According to the current live ARIN WHOIS record for the 216.179.128.0/17 address block (NET-216-179-128-0-1), this 
block was first allocated by ARIN to Azuki, LLC on or about 1999-01-07.  Quite obviously, this assignment must have 
been made by ARIN to the original 1997 Azuki, LLC because the one that was registered in Delaware in 2009 did not yet 
exist at that time.

Nonetheless, the mailing address currently present in the ARIN WHOIS record for the 216.179.128.0/17 IPv4 address block, 
and the one which is also present in the ARIN WHOIS record for the 2009 vintage ASN,
AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901, matches exactly with the address given in Delaware 
corporate records for the particular Azuki, LLC that was registered in Delaware in 2009.
(The corporate address that is still on file in Delaware for the original
1997 Azuki, LLC is located in a different Delaware city altogether.)

These evident inconsistencies, by themselves, are strongly indicative of a probable case of corporate identity theft.  
Additional indicators are however also present in this case.

In particular, the contact email address for both the Azuki, LLC ASN
(AS13389) and the Azuki, LLC IPv4 address block (216.179.128.0/17), i.e.
tech_dep (at) azukinet.com, make reference to the azukinet.com domain which was, according to the relevant GoDaddy 
WHOIS record, registered anew on or about 2011-05-12, some twelve years -after- the original assignment, by ARIN, of 
the 216.179.128.0/17 block to Azuki, LLC.

The absence of evidence of the continuous registration of this one and only contact domain name since the original 1999 
assignment, by ARIN, of the 216.179.128.0/17 address block also tends to support the theory that this valuable address 
block has been illicitly and perhaps illegally appropriated by some party or parties unknown, and specifically via the 
fraudulent ruse of a corporate identity theft.  Quite simply, my theory is that following the demise of the original 
Azuki, LLC, sometime in the 2000s, some enterprising crook registered the domain name azukinet.com in order to 
successfully impersonate the actual and original Azuki, LLC, specifically when interacting with ARIN staff members.  
This simple ruse appears to have worked successfully for its intended purpose.

Additionally, attempts to call the contact phone number for Azuki, LLC,
(+1-213-304-6809) as currently listed in both the relevant ASN and the relevant IP block WHOIS records, during normal 
business hours, Eastern Daylight Time, yield only an anonymous answering machine recording.
(The recorded message does not even state the company name.)  This is yet another indicator of possible deliberate 
deception.

Last but not least, the widely-respected Spamhaus anti-spam organization has had the entirety of the 216.179.128.0/17 
block listed on its anti-spam SBL list since 2019-06-08, i.e. two full months, dating backwards from today:

    https://www.spamhaus.org/sbl/query/SBL103083

This listing, together with additional data from passive DNS and reverse DNS scans, suggests that the 216.179.128.0/17 
block has been and is being used for less than entirely admirable purposes.  This is yet another persuasive indicator 
of the possible/probable theft of the block.

I will shortly be informing both hostmaster (at) arin.net and also the folks at Spamhaus of all of the above factual 
findings.  I did however want to share this information also with the NANOG community.  Some or all of you may wish to 
drop all packets from addresses currently announced by AS13389, and/or may wish to encourage the direct peers of 
AS13389 to review those peering arrangements.  Of course, my exposition of all of the above facts and indicators may 
perhaps also serve to further educate members of the community regarding what to look for when and if suspicions are 
cast upon a particular IP block or ASN.

In the 2008 case referenced above, which involved self-evident corporate identity theft as a ruse to steal IPv4 address 
assets, ARIN apparently elected not to actively seek the involvement of law enforcement, even though the multiple 
clearly fraudulent actions undertaken in that case were altogether apparent and were clearly perpetrated quite 
deliberately and directly against ARIN.

In multiple more recent instances in which ARIN has, allegedly, been targeted and defrauded, ARIN appears to have 
become more proactive in seeking the involvement of criminal law enforcement.  Specifically, in addition to the 
well-publicized, notorious, and ongoing "Micfo"
case, a less well reported federal criminal case (3:18-cr-04683-GPC), filed in the Southern District of California last 
year, is currently ongoing.  This case also and likewise attempts to hold to account, criminally, a different set of 
actors who also are alleged to have perpetrated a rather elaborate fraud against ARIN for the purpose of illicitly 
obtaining control over a number of IPv4 address blocks.

Personally, I am gratified that ARIN is nowadays taking this more forward leaning posture towards those criminal actors 
who would attempt to use fraud and deception to surreptitiously obtain IPv4 address blocks.
I do also hope that if the tentative conclusions of this public report are borne out by subsequent investigation, that 
ARIN will again and likewise seek an appropriate response from elements of the criminal law enforcement community.  We 
cannot have and should not have these kinds of events happening again and again.  Some appropriate deterrence against 
ALL of these kinds of crooks is therefore no longer optional.


Regards,
rfg
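The cross-checks the post above walks through (a namesake entity registered after the block was allocated, a WHOIS mailing address that matches only the later entity, and a contact domain registered long after the allocation) as an added Python example; this is not code from the post or from NANOG. The records are constructed from the dates and addresses cited in the post, and the original 1997 entity's address is a placeholder, since the post only says it is in a different Delaware city.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class CorpEntity:
    file_number: str
    name: str
    registered: date
    address: str


@dataclass
class NetBlock:
    prefix: str
    org_name: str
    allocated: date
    mailing_address: str
    contact_domain: str


def identity_theft_indicators(block: NetBlock, entities: List[CorpEntity],
                              domain_registered: Optional[date]) -> List[str]:
    """Return the names of the post's indicators that fire for this block."""
    same_name = [e for e in entities if e.name.casefold() == block.org_name.casefold()]
    originals = [e for e in same_name if e.registered <= block.allocated]
    successors = [e for e in same_name if e.registered > block.allocated]
    found = []
    # 1. A namesake entity was registered after the block was allocated.
    if successors:
        found.append("namesake_registered_after_allocation")
    # 2. The WHOIS mailing address matches a later namesake but not the original registrant.
    addr = block.mailing_address.casefold()
    if (any(e.address.casefold() == addr for e in successors)
            and not any(e.address.casefold() == addr for e in originals)):
        found.append("whois_address_matches_later_entity")
    # 3. The only contact domain was (re)registered more than a year after allocation, or has no known date.
    if domain_registered is None or (domain_registered - block.allocated).days > 365:
        found.append("contact_domain_postdates_allocation")
    return found


# Constructed records mirroring the dates and addresses cited in the post.
AZUKI_BLOCK = NetBlock("216.179.128.0/17", "Azuki, LLC", date(1999, 1, 7),
                       "3500 South DuPont Hwy, Dover, DE, 19901", "azukinet.com")
AZUKI_ENTITIES = [
    CorpEntity("2810116", "Azuki, LLC", date(1997, 10, 20), "OTHER-DELAWARE-CITY (placeholder)"),
    CorpEntity("4751384", "Azuki, LLC", date(2009, 11, 9), "3500 South DuPont Hwy, Dover, DE, 19901"),
]
AZUKINET_REGISTERED = date(2011, 5, 12)  # GoDaddy WHOIS date cited in the post

if __name__ == "__main__":
    for name in identity_theft_indicators(AZUKI_BLOCK, AZUKI_ENTITIES, AZUKINET_REGISTERED):
        print(name)
```

All three indicators fire on the constructed Azuki records; a block whose only namesake predates the allocation and whose contact domain predates it too returns no indicators.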

