How Ukraine’s IP Space Was Sold Off and Turned Against It

How Ukraine’s IP Space Was Sold Off and Turned Against It

Since Russia’s invasion in 2022, nearly 20% of Ukraine’s IP address space has either fallen under Russian control or been sold off to brokers. A new report shows that much of this space is now routed by U.S. infrastructure and tied to proxy and anonymity services.

The report comes from Kentik, a network performance firm. Researchers found that while many Ukrainian ISPs maintained their infrastructure, others resorted to selling off IPv4 addresses to survive. Ukrtelecom, Ukraine’s main telecom provider, is now routing only 29% of the address ranges it held at the start of the war. The company said it sold blocks to maintain operations. According to Kentik’s Doug Madory, much of this space is now dormant or scattered across more than 100 other networks globally, including Amazon, AT&T, and Cogent.

LVS, another Ukrainian ISP, went from routing about 6,000 IPv4 addresses to distributing most of it across over a dozen new routes, with AT&T hosting the majority. TVCOM saw a drop of nearly 15,000 addresses, with those now appearing in 37 networks, mostly outside Eastern Europe. Trinity, which went dark in March 2022 during the Mariupol siege, has over 1,000 of its old IPs now showing up on AT&T’s network.

Why are these U.S. ISPs routing Ukrainian addresses? Spur.us, which tracks proxy services, says nearly all of the rerouted address blocks are now tied to commercial proxy infrastructure. These services allow clients to route traffic anonymously through rented IPs, masking the real source. While some use them for scraping or automation, the majority are used to obscure malicious traffic, making it harder to trace attacks.

IPv4 space is in short supply and high demand. ISPs can lease out blocks—typically in sets of 256 addresses—for $100 to $500 a month. The buyers are usually proxy and VPN operators willing to pay a premium. Kentik’s review of AT&T’s routing tables showed blocks tied to countries like Ukraine, Moldova, Hungary, Seychelles, and Lithuania—far outside AT&T’s own customer base.

AT&T recently updated its policy. As of February 2025, customers routing non-AT&T IPs will have until September 1, 2025 to switch to using their own ASN. An AT&T spokesperson confirmed that static routes involving third-party IPs will be phased out in favor of BGP routing with customer-managed ASN identifiers.

The issue has already led to blowback. Some of these IPs—now being used in proxy infrastructure—have turned up in attacks targeting Ukraine and its allies. The EU recently sanctioned Stark Industries Solutions, a U.S.-based ISP that appeared just before the invasion and quickly became a major source of DDoS and spear-phishing campaigns tied to Russian interests. Stark’s address space includes Ukrainian IPs now tied to Russia-based proxy networks.

Spur says IPRoyal is actively using IP blocks from several of the Ukrainian providers flagged in Kentik’s report. The service allows clients to filter proxies by country and city—making rerouted IPs especially attractive.

Spur’s CTO, Riley Kilmer, said AT&T’s policy change will force proxy services to migrate elsewhere. But that won’t solve the problem. Other ISPs like Cogent make it easy for customers to onboard their own IP ranges. Cogent, a Tier 1 provider in Washington D.C., is now hosting a growing number of proxy services using address blocks once tied to Ukraine.

Cogent declined to comment. Spur says the reason so many proxy operations rely on them is simple: it’s easy. There’s little friction and almost no oversight.

If you need cybersecurity, we offer security for both personal/family computers as well as businesses. You can get started here!