U.S. attorneys have charged a South Carolina man with operating a scheme that fraudulently obtained internet addresses worth roughly $14 million that later were used by spammers.
Amir Golestan was charged this week with 20 counts of wire fraud for his alleged role in a plot to create fictitious companies, then use those firms to obtain more than 750,000 IP addresses. Golestan’s data center company, Micfo LLC, obtained those addresses from the American Registry for Internet Numbers, a nonprofit that oversees the release of IP addresses only to companies that meet ARIN criteria.
By impersonating at least 10 companies, the indictment alleges, Golestan created his own secondary market for the IPv4 addresses, which the government alleges are worth $13 to $19 apiece. Then, he sold many of those IP addresses via a third party, according to the indictment.
Many of those addresses later appeared on a blocklist of known spammers maintained by the Spamhaus nonprofit.
KrebsOnSecurity was the first to tie the Micfo scheme to spam operations.
This prosecution comes after Micfo was ordered in arbitration to pay ARIN $350,000 and return any unused IP addresses. For Stephen Ryan, ARIN’s general counsel, that case and the prosecution going on now represent a realization in the government that IP addresses can be the reward for a crime, rather than only being used to carry out other criminal activities.
“In the past, when IPs were used in a crime they would be forfeited, but this is different,” he said. “Now the numbers are the fruit of the crime. That’s important because it sends a message to people out there who see all the money they can make if they hijack IP numbers.”
IPv4 addresses are so valuable because the more than 400 billion combinations handed out by ARIN and other regional internet registries are gone. The next generation, IPv6, will be implemented soon. In the meantime scammers are seizing that scarcity, hijacking dormant IPv4 addresses or buying them from shell companies — set up by other fraudsters — and buying them in bulk. This was the market shortage from which Golestan and Micfo were trying to profit, Ryan said,
Many of the websites identified in the Golestan indictment were still online at press time, including Contina, Virtuzo, Oppobox and Telentia.
All used similar fonts and advertised managed technology solutions. When CyberScoop dialed the phone numbers on each of the sites, all but one led to a voice mailbox. A representative for Contina who answered the phone told CyberScoop the company “has had issues with the line” for John Lieberman, who prosecutors say is a fabricated individual.
Amir Golestan did not return a voicemail seeking comment.