Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Kevin McCormick kmccormick at mdtc.net
Fri Aug 9 13:59:18 UTC 2019


Thought you may find these connections with the 3500 South DuPont Hwy, Dover, DE, 19901 address interesting.

https://offshoreleaks.icij.org/nodes/14014038

Thank you,

Kevin McCormick

-----Original Message-----
From: NANOG <nanog-bounces at nanog.org> On Behalf Of Ronald F. Guilmette
Sent: Thursday, August 8, 2019 2:54 PM
To: nanog at nanog.org
Subject: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

Corporate identity theft is a simple ploy which may be used to illicitly obtain valuable IPv4 address space.  Actual use of this fraudulent ploy was first described publicly in April, 2008 (https://wapo.st/2YLEhlZ).

Quite simply, a party bent on undertaking this ploy may just search the publicly available IP block WHOIS records, looking for abandoned and unrouted IPv4 address blocks belonging to companies or organizations which no longer exist.  Upon finding any such, the thief may simply undertake to formally register, with relevant government authorities, a new corporate entity with the same or a very similar name as the now defunct entity that is still listed in the WHOIS records as the registrant of the coveted IPv4 address block(s).

Note that so-called "legacy" address blocks, i.e. those which were assigned prior to the formation of ARIN in early 1997, are especially prized by IPv4 address thieves because such blocks may be less subject to effective control or regulation by Regional Internet Registries.

Publicly available evidence strongly suggests that a corporate identity theft has occurred with respect to a former Delaware corporate entity known as Azuki, LLC and also with respect to its valuable legacy IPv4 address block, 216.179.128.0/17.

The corporate search function of the Delaware Secretary of State's web site may be used to obtain records relevant to corporate entities registered in Delaware:

    https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch.aspx

At present, the Delaware SoS's web site indicates that there are or have been two different corporate entities, both named Azuki, LLC, that have been registered in the State of Delaware.  The file numbers for these entities are 2810116 and 4751384.

The former entity was first registered in Delaware on or about 10/20/1997.  Its current operating status cannot be known without paying a fee.  My own personal speculation is that it most likely ceased operation well more than a decade ago.

The latter entity was registered in Delaware on or about 11/9/2009.

According to the current live ARIN WHOIS record for the 216.179.128.0/17 address block (NET-216-179-128-0-1), this block was first allocated by ARIN to Azuki, LLC on or about 1999-01-07.  Quite obviously, this assignment must have been made by ARIN to the original 1997 Azuki, LLC because the one that was registered in Delaware in 2009 did not yet exist at that time.

Nonetheless the mailing address currently present in the ARIN WHOIS record for the 216.179.128.0/17 IPv4 address block, and the one which is also present in the ARIN WHOIS record for the 2009 vintage ASN, AS13389 (Azuki, LLC), i.e. 3500 South DuPont Hwy, Dover, DE, 19901, matches exactly with the address given in Delaware corporate records for the particular Azuki, LLC that was registered in Delaware in 2009.  (The corporate address that is still on file in Delaware for the original 1997 Azuki, LLC is located in a different Delaware city altogether.)

These evident inconsistencies, by themselves, are strongly indicative of a probable case of corporate identity theft.  Additional indicators are however also present in this case.

In particular, the contact email address for both the Azuki, LLC ASN (AS13389) and the Azuki, LLC IPv4 address block (216.179.128.0/17), i.e. tech_dep (at) azukinet.com, makes reference to the azukinet.com domain which was, according to the relevant GoDaddy WHOIS record, registered anew on or about 2011-05-12, some twelve years -after- the original assignment, by ARIN, of the 216.179.128.0/17 block to Azuki, LLC.

The absence of evidence of the continuous registration of this one and only contact domain name since the original 1999 assignment, by ARIN, of the 216.179.128.0/17 address block also tends to support the theory that this valuable address block has been illicitly and perhaps illegally appropriated by some party or parties unknown, and specifically via the fraudulent ruse of a corporate identity theft.  Quite simply, my theory is that following the demise of the original Azuki, LLC, sometime in the 2000s, some enterprising crook registered the domain name azukinet.com in order to successfully impersonate the actual and original Azuki, LLC, specifically when interacting with ARIN staff members.  This simple ruse appears to have worked successfully for its intended purpose.

Additionally, attempts to call the contact phone number for Azuki, LLC, (+1-213-304-6809) as currently listed in both the relevant ASN and the relevant IP block WHOIS records, during normal business hours, Eastern Daylight Time, yield only an anonymous answering machine recording.  (The recorded message does not even state the company name.)  This is yet another indicator of possible deliberate deception.

Last but not least, the widely-respected Spamhaus anti-spam organization has had the entirety of the 216.179.128.0/17 block listed on its anti-spam SBL list since 2019-06-08, i.e. two full months, dating backwards from today:

    https://www.spamhaus.org/sbl/query/SBL103083

This listing, together with additional data from passive DNS and reverse DNS scans, suggests that the 216.179.128.0/17 block has been and is being used for less than entirely admirable purposes.  This is yet another persuasive indicator of the possible/probable theft of the block.

I will shortly be informing both hostmaster (at) arin.net and also the folks at Spamhaus of all of the above factual findings.  I did however want to share this information also with the NANOG community.  Some or all of you may wish to drop all packets from addresses currently announced by AS13389, and/or may wish to encourage the direct peers of AS13389 to review those peering arrangements.  Of course, my exposition of all of the above facts and indicators may perhaps also serve to further educate members of the community regarding what to look for when and if suspicions are cast upon a particular IP block or ASN.

In the 2008 case referenced above, which involved self-evident corporate identity theft as a ruse to steal IPv4 address assets, ARIN apparently elected not to actively seek the involvement of law enforcement, even though the multiple clearly fraudulent actions undertaken in that case were altogether apparent and were clearly perpetrated quite deliberately and directly against ARIN.

In multiple more recent instances in which ARIN has, allegedly, been targeted and defrauded, ARIN appears to have become more proactive in seeking the involvement of criminal law enforcement.  Specifically, in addition to the well-publicized, notorious, and ongoing "Micfo" case, a less well reported federal criminal case (3:18-cr-04683-GPC), filed in the Southern District of California last year, is currently ongoing.  This case also and likewise attempts to hold to account, criminally, a different set of actors who also are alleged to have perpetrated a rather elaborate fraud against ARIN for the purpose of illicitly obtaining control over a number of IPv4 address blocks.

Personally, I am gratified that ARIN is nowadays taking this more forward leaning posture towards those criminal actors who would attempt to use fraud and deception to surreptitiously obtain IPv4 address blocks.  I do also hope that if the tentative conclusions of this public report are borne out by subsequent investigation, that ARIN will again and likewise seek an appropriate response from elements of the criminal law enforcement community.  We cannot have and should not have these kinds of events happening again and again.  Some appropriate deterrence against ALL of these kinds of crooks is therefore no longer optional.


Regards,
rfg
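
The record cross-checks walked through in the message above (a same-named entity formed after the allocation, a WHOIS mailing address that matches that later entity, and a contact domain registered after the allocation) can be run as a small Python routine. This is an added example, not part of either post; the Entity record, the review_block function and the indicator names are hypothetical, and the 1997 entity's address is a placeholder because the post does not give it.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass
class Entity:
    """One corporate-registry entry for a company name."""
    file_no: str
    name: str
    formed: date
    address: str

def norm(text):
    """Case- and punctuation-insensitive form for comparing names and addresses."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def review_block(org, allocated, whois_addr, contact_domain_created, entities):
    """Return (indicator, detail) findings for one address block's WHOIS record."""
    findings = []
    same_name = [e for e in entities if norm(e.name) == norm(org)]
    original = [e for e in same_name if e.formed <= allocated]
    later = [e for e in same_name if e.formed > allocated]
    # A same-named entity formed after the allocation cannot be the original registrant.
    if original and later:
        findings.append(("NAME_REUSED", ",".join(e.file_no for e in later)))
    # The WHOIS mailing address belongs to one of those later entities.
    for e in later:
        if norm(e.address) == norm(whois_addr):
            findings.append(("ADDRESS_OF_LATER_ENTITY", e.file_no))
    # The only contact domain was registered after the block was allocated.
    if contact_domain_created > allocated:
        years = (contact_domain_created - allocated).days // 365
        findings.append(("CONTACT_DOMAIN_POSTDATES_ALLOCATION", f"{years} years"))
    return findings

# Constructed records using the dates, file numbers and address quoted in the post.
ENTITIES = [
    Entity("2810116", "Azuki, LLC", date(1997, 10, 20),
           "PLACEHOLDER: address not given in the post"),
    Entity("4751384", "Azuki, LLC", date(2009, 11, 9),
           "3500 South DuPont Hwy, Dover, DE, 19901"),
]

def demo():
    return review_block("Azuki, LLC", date(1999, 1, 7),
                        "3500 South DuPont Hwy, Dover, DE 19901",
                        date(2011, 5, 12), ENTITIES)

if __name__ == "__main__":
    for indicator, detail in demo():
        print(indicator, detail)
```

Findings from a routine like this are prompts for manual review of registry filings, not proof on their own.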


