Prosecutors allege Micfo obtained 800k IPv4 addresses illegally (wsj.com)
77 points by ammaristotle 2318 days ago
10 comments

The writing is quite confusing in trying to explain things but the gist of it appears to be that the person in question (1) applied for IP addresses through numerous companies created just for this purpose in order to bypass ARIN's restriction on the number of addresses it was willing to allocate to a single entity, and (2) made the obtained IP address ranges available to serve as VPN endpoints, so that "huge amount of traffic—some of it illicit or criminal—passed through its computer servers but wasn't traceable to the true originators."

He did keep track though of which VPN operator used which range at any given time, so perhaps the "true originators" could be traceable after all, assuming the VPN owners were willing to co-operate. In any case, he is only being prosecuted for (1), and the immediate reason for this is that a couple of US politicians were hacked with attacks originating from these addresses.

A prosecution seems a bit over the top for this... Setting up multiple companies to meet some rule isn't against said rule. And anyway, it's a company policy not the law.
It was done to deceive ARIN which is why it is being considered wire fraud.
So if I sign up for a service with different email addresses to use the 2-week free trial over and over, I will be guilty of wire fraud?
Yes. For example, someone signed up for 58,000 accounts and used them to receive micro deposits (those small sums that are deposited into an account to validate that two accounts are linked correctly). They had their time in court: https://www.wired.com/2008/05/man-allegedly-b/
Intent matters. Scale of abuse matters qualitatively.

The legal system does not operate like a computer program.

Yes, and they'd probably throw a CFAA violation in there too.
Wow! I shouldn't be surprised, yet I am, that three felonies a day was right.
s/will be guilty of/could be charged with/
if shell companies are fraud, much of the economy is in trouble
Shell companies are not normally used for structuring. That's a different matter entirely. A shell company is usually a holding company, not a company created in order to deceive or to bypass a hard cap on some scarce resource.
Well, there are the fake registrars, such as DropCatch 345, DropCatch 346, DropCatch 347, ... DropCatch 1545. Those are all ICANN-accredited registrars.[1] ICANN parcels out dropped domains among all the registrars who want them at random. Having a thousand dummy registrars improves the odds. That's definitely "structuring" to hog Internet assets.

This is possible only because, while ICANN charges each registry when they acquire a domain, ICANN refunds that if they give the domain back within some time period.

[1] https://www.icann.org/registrar-reports/accreditation-qualif...

Just FYI for others: https://en.wikipedia.org/wiki/Structuring

I didn't know there was a formal term for this. Splitting up money transfers to avoid detection of large sums moving around.

This seems like a bit of an overreach, no?

I've looked up wire fraud in the US and it seems to come with some properly serious penalties:

Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.[4]

No? The use of deception to obtain something of value that would not otherwise be given to you is the literal, legal definition of fraud?
So, where does that leave advertising? The entire purpose of advertising is to get somebody to spend money on a product they otherwise wouldn't have.
“Not more than”. For most crimes the sentencing guidelines are broad so the context of the case may be taken into account by the judge and/or jury.
Those are maximums.
I understand insane maximums, offence stacking and plea deals are part of your culture, maybe we should explore that further?
These companies oftentimes were bought shelf companies with history so as to have credibility. The goal was selling up blocks to prohibited locations and enabling spamming. This guy spent a lot of time in Tunisia with spam kings and accepted up-front money to build infrastructure.

The publicly discussed components here are but a small piece of a complex and sloppily run scam organization.

Look up the judgements under these businesses over the years at various web hosts. These companies would enter long contracts and eventually stop paying.

Relevant post by a former Micfo employee: https://news.ycombinator.com/item?id=22360642
I can come up with at least 3 distinct meanings for “amassed VPN clients” and I’m still not 100% sure which is correct in this context. I take it that clients here refers to “paying customers”?
> He said Micfo provides a legitimate service to VPNs, adding that whatever his customers or their users do through Micfo servers is none of his business.

From what I understand he was attributed many IPs by creating shell companies and rented these IPs to VPN providers.

A former employer used to rent IPs, the person renting ranges had different companies own each block to reduce abuse report blast radius. We also owned a ton of IPs and never really had to prove utilization when requesting new blocks from ARIN as of 2011.
Why pursue him? What he's done has been done by many others for years.
I'd guess he pissed off some important people... If this prosecution doesn't succeed, you can bet every tax return of his for the last 20 years will suddenly be randomly checked, and he'll be prosecuted for claiming a Starbucks coffee as an expense during a business meeting when he actually took half the coffee away after the meeting making it not an allowable expense, and therefore technically fraud.
He picked the fight foolishly by being greedy. He lived well beyond his means too and owes a lot of money to people you don’t want to owe.
That's what I've been thinking as well. Creating "shell companies" (aka "Special Purpose Entities/Vehicles") is not illegal per se.

Perhaps he violated the terms and conditions of his contract with ARIN and should have had the assignments cancelled but where does the criminality come in?

If he misrepresented himself in order to gain a financial advantage then that is fraud.

Creating shell companies is not illegal, using a name for yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.

Not just financial advantage, all deceit where you intend to gain from it is fraud. Money just makes it more obvious what the gain was.

Are there grey areas? Sure. In particular there's a passive sort of deceit in which you let people assume things that you know aren't true, to your benefit. Mostly the law holds that it's their mistake for not asking, and anyway they'd usually be far too embarrassed to make a fuss if they realise their error.

I don't see that here, the plan was explicitly to trick the RIR into giving them resources they were otherwise not entitled to. Those resources were for everybody to share, they're stealing from you and it's appropriate to prosecute for fraud.

> Creating shell companies is not illegal, using a name for yourself that isn’t your legal name is not illegal, doing either of those things in order to trick people into giving you money is.

Have you seen a list of all the telco companies that together are AT&T, which exist solely to allow AT&T to limit liability, create a separation of entities to qualify under some rules for some other entities, etc?

When MCI Worldcom filed for bankruptcy the list of the entities that it covered took a couple of pages in major newspapers.

He flat out created new people and signed things via notary with fake names. He then tried to sell blocks to prohibited persons in prohibited regions.

Pull down the whole court doc, it’s pretty clear his intentions.

If anybody is interested I have a database of roughly 4B IPv4 addresses for sale :)
Would you mind sharing your email address?
Could you please remove mine under article 17 of the GDPR? :D
Absence of information is information in itself.
Hmm, GDPR thought experiment: I make a database of public IPv4s by running a couple for-loops and subtracting private spaces. Can an EU guy who owns an IPv4 request to have it removed?
Regarding GDPR, I think IPs are considered “personal data” if you can identify the user from it.

Well, my understanding is any data is ‘personal data’ if you can use it to identify a user, can be combined to identify a user or can be aggregated to an identified user.

That is mostly, but not exactly right.

For example, lists of addresses themselves are not personal data. Everybody has access to addresses, you can get them at the post office for example when you try to look up the code for the address.

But a list of addresses of creditors (ie. address + some non-identifying context information) is personal data.

I do not know GDPR well but given just that example I would say there is some more nuance.

I wish HN had a filter which would block all posts which link to sites which require subscriptions.
If there's a workaround, it's ok. Users usually post workarounds in the thread, and did so in this one.

This is in the FAQ at https://news.ycombinator.com/newsfaq.html and there's more explanation here:

https://news.ycombinator.com/item?id=10178989

https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...

Hmm.

I "obtained" 2^32 IPv4 addresses pretty easily; not sure if it's legitimate or not:

  for addr in range(2**32):
    print('.'.join([str(addr >> (i << 3) & 0xFF) for i in range(4)[::-1]]))
Edit: Well, this was unpopular. In case it's too subtle, my point is that the title is terrible.
Your script doesn't seem to assign any of the printed IPs to ASNs registered to you, so your joke kind of misses the mark a bit.
I added an edit to make it more clear, but I was talking about the title.
There's nothing wrong with the title. Obtained means "To get hold of; to gain possession of, to procure; to acquire, in any way".
Which is quite literally what my script does :)

Think about if the title said "800K email addresses obtained illegitimately", and what you would interpret the meaning of that to be.

I know pedantry is a HN thing, but I suspect the majority of the audience here understood what "obtained" meant in this context.

This seems like a particularly weird hill for you to repeatedly die on.

I would expect a database of valid email addresses had been compromised. Context of what is being “obtained” matters, of course. But the sum total of valid IP addresses is a fixed, finite, and well-known value. Can you write a script to generate all valid email addresses?
A money printing machine

>printf("$100");

For emails, I would think they just got the address.

For IP addresses, I would think they got an assignation as well, because IP numbers without assignations are worthless.

It all depends on the context.

The concept of ownership of an IP address, implied by “obtains”, is pretty clear and well-understood. The story was exactly what I imagined after reading the headline. Rather than making an obtuse joke, how would you suggest it be improved?
"obtains control of" would be much better.

consider the headline "obtained 800k email addresses illegitimately". would you really assume that this meant they were able to receive email at those addresses, or just that they'd obtained the addresses?