Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17
Ronald F. Guilmette
rfg at tristatelogic.com
Fri Aug 9 20:09:39 UTC 2019
Further investigation of this case obliges me to post the following
correction and retraction.
Additional evidence now strongly suggests that the 216.179.128.0/17
IP address block has NOT been "stolen" as I had suggested yesterday.
I simply mis-read the ARIN historical registration ("WhoWas") data
with repect to this block.
In fact, the ARIN historical "WhoWas" registration data for this
block indicates that when the block was first assigned, by ARIN...
which the historical WhoWas records show as occuring on 06-24-2002...
the block was assigned to a Southern California company named HHSI, Inc.
Records available on the California Secretary of State's web site
indicate that this company was first registered with the State of
California 02/11/2002. Oddly, some seven years would pass after the
registration of this California corporation before any documents
were filed with California which would designate any officers of
the company. On 03/02/2009 however a filing was made indicating
the President of the company was a gentleman named Koji Ban.
Additional corporate filings in subsequent years indicate that
both Mr. Ban and the company, HHSI, Inc. were located at 20 Arches,
Irvine, CA 92603.
On or about 02-17-2010 the public WHOIS record for the 216.179.128.0/17
block was changed so that instead of designating HHSI, Inc. (California)
as the block's registrant, the WHOIS record for the block would henceforth
say instead that the registrant of the block was the 2009 vintage
Delaware LLC called Azuki, LLC.
Unfortunately, we cannot read too much into this change that was made
to the block's public-facing WHOIS record. Neither the new WHOIS info
nor even the old WHOIS info can be used to reliably infer who or what
is the legitimate registrant of the block at any point in time. This
is because ARIN, like all of the other Regional Internet Registries,
allows registrants to put essentially any bovine excrement they desire
into their public-facing WHOIS records. (And, it should be noted, the
man behind the recent large scale "Micfo" fraud apparently availed
himself of this exact opportunity far subterfuge, in spades.)
Regardless, the available records suggest that there are only two likely
possibilities in this case:
1) On or about 02-17-2010 HHSI, Inc. (California) transfered the
registration of the 216.179.128.0/17 block from itself to the
2009 vintage Delaware entity Azuki, LLC. If this is what happened,
then it is likely that the transfer was performed in violation
of the applicable ARIN trasfer policy that was in force at the time.
(Azuki, LLC did not simply buy-out HHSI, Inc., lock, stock, and
barrel in 2010. California records show that HHSI, Inc. continued
to be an active California corporation until at least 02/12/2014,
and probably well beyond that date.)
2) Alternatively, on or about 02-17-2010 HHSI, Inc. (California) simply
altered what would henceforth appear in the public-facing WHOIS
record for the the 216.179.128.0/17 block to make it appear... to
everyone except ARIN staff, who knew better... that the block was
now registered to Azuki, LLC in Delaware.
Only ARIN staff can tell us which of these possibilities actually applies.
But due to ARIN's strict adherence to contractual confidentiality with
respect to all of their resource holders, I do not anticipate that ARIN
will actually provide any clarity on this case anytime soon.
To summarize, either the block was transferred in 2010 in violation of
ARIN's own transfer policy or else the information that we have all been
looking at in this block's WHOIS record since 02-17-2010 is and has been
nothing other than a very deliberate and bald-faced lie. There is no
third option.
Regardless of which of the two possible scenarios applies, it is a dead
certainty that the registration of the 216.179.128.0/17 block was indeed
transferred away from HHSI, Inc. at some point in time, and in a manner that
most probably did not comport with applicable ARIN transfer restrictions
in place at the time. I say this without fear of contradiction because
the State of California currently lists HHSI, Inc. as "suspended". Legally
speaking, it no longer exists. It cannot therefore still be a valid
contractual counterparty, with ARIN, or with respect to the registration
of *any* ARIN-administered resources.
All of this ambiguity, and all of these crooked deception games are enabled
and materially aided and abetted by the disastrous interplay of two
longstanding policies that are and have been in force, for many many years,
both at ARIN an also at all of the other RIRs, namely:
*) Excessive anal retentiveness with respect to corporate confidentiality
which deprives the public at large from even knowing even so much as
the accurate and correct legal names of resource holders.
*) Policies which permit resource holders to place any arbitrary garbage
they desire into their associated public-facing WHOIS records, without
there being any vetting at all of that information by the RIRs.
I am not now and never have been a big fan of ICANN, but to ICANN"s credit,
it at least had the good sense to recognize, years ago, that crooks are in
fact present on the Internet, and that many of them have no qualms at all
about putting deliberately misleading garbage into the WHOIS records
for their registered domain names. As a result, ICANN developed both
policies and procedures, feeble though they may be, to try to respond to
this perennial and ongoing problem.
I do wonder what sort of catastrophy it is going to take before the Regional
Internet Registries likewise take at least some affirmative steps to address
the fact that -their- WHOIS records are now also (and provably) contaminated
with unreliable garbage, put there deliberately by various flavors of
Internet miscreants intent on harming the rest of us honest netizens.
Regards,
rfg
More information about the NANOG
mailing list