Image: Mark Rademaker, via Shutterstock.
A new study found that Ukraine has seen nearly one-fifth of its internet space belong to Russia’s control, or that since February 2022, Ukraine’s internet space has been sold to internet address brokers. Analysis shows that a large portion of Ukraine’s internet address space is now in the hands of shady agents and anonymous services nested on some of the largest Internet service providers (ISPs) in the United States.
The results are in a report examining how Russian invasions affect Ukraine’s domestic supply Internet Protocol Version 4 (IPv4) Address. The researchers are KenticeA company that measures the performance of the Internet network has found that while most ISPs in Ukraine haven’t changed much of its infrastructure since the beginning of the 2022 war, others turned to selling their valuable IPV4 address space to keep the range of lighting.
For example, the current ISP in Ukraine Ukrtelecom Kentik found that only the IPv4 address range of the IPv4 address range is now for your control. Although most of the previous IP space was still dormant, Ukrtelecom told Kentik’s Doug Madory They were forced to sell a number of address barriers “to ensure financial stability and continue to provide essential services.”
“Lease a portion of IPv4 resources allows us to mitigate some of the extraordinary challenges we have faced since the start of the full-scale invasion,” Ukrtelecom told Madory.
Madory found that most of the IPv4 space previously allocated to Ukrtelecom has now been spread across more than 100 providers worldwide, especially among three large U.S. ISPs (three large U.S. ISPs) Amazon (AS16509), AT&T (AS7018) and Convincing (AS174).
Another Ukrainian Internet provider – LVS (AS43310) – In 2022, there will be approximately 6,000 IPv4 addresses nationwide. Kentik learned that by November 2022, most of the address space had been wrapped in more than a dozen different locations, most of which were announced at AT&T.
The IP address of the Ukrainian provider LVS (AS43310) routed over time, and AT&T (AS7018) routed most of it. Image: Kentice.
Ukrainian ISP same as above TVCOMCurrently, when the war begins, IPv4 addresses have nearly 15,000 less routes. Maddy said most of these addresses have been spread over 37 other networks outside Eastern Europe, including Amazon, AT&T and Microsoft.
Ukrainian ISP Trinity (AS43554) was offline during the siege of Mariupol in early March 2022, but its address space eventually began to appear in more than 50 different networks around the world. Madory found that more than 1,000 addresses in Trinity’s IPv4 address suddenly appeared on AT&T’s network.
Why are all these former Ukrainian IP addresses routed by US AT&T and other US networks? according to spur.usa company that tracks VPNs and proxy services, nearly all address ranges determined by Kentik now maps to commercial proxy services that allow customers to route their Internet traffic anonymously through other people’s computers.
From a website perspective, traffic for proxy network users appears to be derived from rented IP addresses, not from proxy service customers. These services can be used for a variety of business purposes such as price comparison, sales intelligence, web crawling and content matching robots. However, proxy services are also greatly abused for hiding cybercrime activity, as they can be difficult to track malicious traffic from their original sources.
IPv4 address ranges are always high, which means they are valuable too. Now, multiple companies will pay for ISPs to rent out their unwanted or unused IPv4 address space. Maddy said these IPv4 brokers will pay between $100 and $500 a month to rent blocks of 256 IPv4 addresses, and the entities that are usually most willing to pay for those rents are agents and VPN providers.
A rough review of all Internet address blocks currently routed through AT&T – as shown by the public records maintained by the Internet Backbone provider Hurricane power – Shows flags of other countries besides the United States, including networks originating from Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia and Ukraine.
AT&T’s IPv4 address space appears to be routing a large amount of proxy traffic, including a large range of IP addresses, until recently routed by ISPs in Ukraine.
Asked about the apparently high incidence of routing foreign address blocks through AT&T’s proxy services, the telecom giant said it recently changed its policy on the launch routes for network blocks not owned and managed by AT&T. The new policy was clarified in the AT&T Terms of Service in February 2025 until September 1, 2025, when these customers launched their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T is AS7018).
“To ensure customers get the best service, we have changed the dedicated Internet terms for February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer allow static routes using unprovided IP addresses. We have been identifying and notifying affected customers who have 90 days to transition to border gateway protocol routing using their own autonomous system numbers.”
Ironically, the shared layout of Ukrainian IP address space with proxy providers has led to many of these addresses being used in cyber attacks against other enemies in Ukraine and Russia. Earlier this month, the EU approved it Stark Industries Solutions Inc.This is the ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDOS attacks and conflicting attempts by the Russian state-sponsored hacker group. A deep dive into Stark’s vast address space, showing that some of them are from Ukrainian ISPs, most of which are related to Russian-based agents and anonymous services.
According to SPUR, Iproyal’s proxy service is the current beneficiary of the IP address blocks of several Ukrainian ISPs described in the Kentik report. Clients can choose an agent by specifying the city and country where they will be transported through. Image: Trend Microscopic.
Chief Technical Officer of Spur Riley Kilmer It says AT&T’s policy changes may force many agent services to move to other U.S. providers with less policies.
“AT&T is the first big ISP that seems to be actually doing something for this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses and see what happens to those services in September, which will be very interesting.”
Still, several other large ISPs continue to make proxy services easy to take their own IP addresses and host them in scope, allowing residential customers to emerge, Kilmer said. For example, Kentik’s report determines that the former Ukrainian IP range is displayed as Convincing communication (AS174), a first-class Internet backbone provider in Washington, DC
Cogent has become an attractive home for proxy services because it is relatively easy to make address block routes, Kilmer said.
“To be fair, they have a lot of traffic,” Kilmer said of Cogent. “However, there are a lot of such agent content that manifests as persuasive reasons: Because getting something there is very easy.”
Cogent rejected a request to comment on Kentik’s discovery.
