Bloke accused of conning ARIN out of 750,000 IPv4 addresses worth $9m+ to peddle on black market

A fella who allegedly conned his way into pocketing 750,000 IPv4 addresses has not only lost them, but now faces a lengthy stretch behind bars in America, if convicted.

Amir Golestan, 36, of Charleston, South Carolina, was charged [PDF] on Wednesday with 20 counts of wire fraud, each punishable by up to 20 years in jail: he is accused of grabbing the internet addresses worth between $9.8m and $14.4m through an elaborate series of shell companies.

The criminal indictments come after the organization that provided Golestan with the addresses – American Registry for Internet Numbers (ARIN) – ran checks on a transfer of network addresses he had already acquired after he made a paperwork error. Staff at ARIN suspected something was up, and starting digging into the transfer, eventually finding what was claimed to be a network of shell companies with fake directors that had been used to acquire small blocks of IPv4 addresses before repackaging them and selling them to third parties.

The scheme started in 2014 and over the next four years Golestan used 11 companies – with names varying from Cloudiac to Univera Network – to acquire a total of 757,760 IPv4 addresses, it is claimed.

Despite their current market value of between $13 and $19 per IP addresses, ARIN continues to provide IP addresses to its "members" for no direct cost, a holdover from the early days of the internet when IP allocation was literally a free-for-all. Depending on the size of a company, you pay ARIN an annual membership fee that starts at just $250. Members then pay between $100 and $500 for an address block with an annual maintenance fee of $150 per block.

Companies can request address IPv4 block allocations from ARIN, which quickly assesses whether the request is legitimate and then hands them over. As IPv4 addresses have grown more scarce, the process has been tightened up, though Golestan allegedly figured out how to game the system by setting up small companies with different directors and putting in repeat requests for as little as 8,000 addresses at a time.

The directors – who varied from Yong Wook-Kwan to Ahmad Al Bandi to Brian Sherman – were, it is claimed, entirely fictitious. And the various fees were negligible compared to the market value when Golestan apparently started selling the IPv4 addresses through a third party broker in 2017 and 2018.

Money in them there addresses

He sold 65,536 addresses for $851,896 (at $13 an address) and then another block the same size for $1m, it is claimed. As time went on, the addresses grew in value, and in 2018 he sold a big chunk of his remaining addresses – 327,680 – for $19 an address, netting $6.2m, it is alleged.

Officially, companies are not allowed to sell their IP addresses but in practice that rule is widely flouted by peddling them through brokers and then putting a transfer through ARIN's systems. ARIN is, of course, aware of the black market in addresses, but decided, after long debate, not to change the fundamental way it distributes and shifts them. It does, however, scrutinize transfers, and in this case an error in one of Golestan's transfer requests caused ARIN to take a closer look.

It grew increasingly suspicious, and when its lawyers started pressing the issue, it received an angry response. "The entities that defrauded ARIN adopted an aggressive posture after ARIN requested that it produce certain documents and explain its conduct," the organization reported in a blog post this week.

Golestan's corporate entity filed for a restraining order and injunction against ARIN, presumably in an effort to scare the company off. And at the same time, it filed an arbitration claim against the organization – the first time that has happened in ARIN's existence. But that process ultimately opened Golestan up to criminal charges, since he seemingly provided affidavits under the names of the different company directors.

False notarizations violate both state civil and criminal laws, and using the internet to send them breaks federal law.

"The individual who controlled the entities obtained and utilized previously created shelf companies spread out across the nation and used aliases to conceal his identity, including providing ARIN with falsely notarized affidavits of officers who did not exist to induce ARIN to issue approximately 735,000 IPv4 addresses to 11 companies and approve transfers and reassignments of these addresses," ARIN alleged.

Taking the Fifth

The issue came to a head when Golestan was due to be deposed under oath but rather than talk about what had happened, invoked the Fifth. That led to ARIN winning its arbitration [PDF] at the start of this month and led to the criminal prosecution announced this week. Golestan and his corporate entity, Micfo LLC, was ordered to foot ARIN's $350,000 legal fees, and all remaining IP addresses under his control were revoked.

As for the IP addresses that were already transferred? They stay with the organizations that bought them because they are now outside ARIN's jurisdiction. "Some of the resources sought and fraudulently obtained had been transferred to bona-fide purchasers out of the ARIN region," the organization noted. "ARIN has not interfered with the recipients of those completed transactions."

ARIN is at pains to note that this wasn't a simple smash-and-grab. "As a former federal prosecutor, I was impressed with the skillful design and tradecraft used in the fraud," its general counsel said.

As for the millions Golestan allegedly made selling the addresses, US prosecutors are trying recover them through its indictment, presumably holding the threat of decades in jail over him in an effort to extract the cash.

But at the moment, nothing is certain. As the US attorney for South Carolina noted: "All charges in the indictment are merely accusations and the defendants are presumed innocent until and unless proven guilty."

Now if everyone would just move to IPv6... ®