[arin-ppml] Reclamation of Number Resources

Ronald F. Guilmette rfg at tristatelogic.com
Tue Jul 12 09:39:02 EDT 2022


In message <53BFBAC8-2F58-497D-B9DB-AAFF3EC2FBCE at arin.net>, 
John Curran <jcurran at arin.net> wrote:

>ARIN does not issue resources to organizations absent a real and substantial
>connection to the ARIN region.

I would certainly hope that this would be so, since that *is* ARIN's written
policy, however the set of facts I'm looking at suggest that this is not
always true.

I call your attention to the case of the ARIN member organization denoted
as "SL-206" aka "1337 Services LLC" which is the current registrant of
AS54990, assigned by ARIN, and also the registrant of the 198.167.192.0/19
IPv4 block, also assigned by ARIN to this member.

-------------------------------------------------------------------------
OrgName:        1337 Services LLC
OrgId:          SL-206
Address:        P.O. Box 590, Springates East, Government Road
City:           Charlestown
StateProv:      Nevis
PostalCode:     
Country:        KN
RegDate:        2012-12-11
Updated:        2012-12-11
Ref:            https://rdap.arin.net/registry/entity/SL-206
-------------------------------------------------------------------------

Although the Caribbean nation of Nevis & St. Kitts (KN) is most assuredly
within the ARIN gergraphic service region, I confess that I am not entirely
persuaded that this particular member organization actually has the requsite
"substantial connection" to the ARIN region which would permit it to obtain
or to retain either ARIN membership or ARIN resources.

NRPM Section 9 lists eight different indicators of a "substantial connection"
to the region.  The seventh of these is explicit in noting that mere
incorporation in the region is insufficent to establish the required
"substantial connection" to the ARIN region:

     *  Demonstrating that the entity has a registered corporation in the
        ARIN region, although this factor on its own shall not be sufficient.

On that basis I am obliged to inquire as to what other indicator(s) of a
"substantial connection" to the ARIN region is/are possessed by this member
organization.  A diligent search for any such on my part has turned up
none at all, other than the high probability that this entity was
incorporated via an "offshore" incorporation firm in Nevis & St. Kitts...
a firm which has apparently also lent its P.O. box mailing address to numerous
other shell companies which are using the exact same mailing address.
(Thank you Google!)

In addition to the highly dubious nature of its alleged domicile, it is, I
think, worth of nota also that routing to the entirety of this organization's
ARIN-assigned IPv4 address block (198.167.192.0/19) appears to currently be
provided by a Finnish company named "abstract" via AS39287.  Also, traceroutes
to random IP addresses within this block appear to dead end somewhere in the
nordic region of Europe, most likely Sweden:

...
13  linx-10ge.lon1.uk.portlane.net (195.66.225.159)  152.769 ms  155.131 ms  154.441 ms
14  be-5.cr3.ams1.nl.portlane.net (80.67.4.225)  159.697 ms  159.874 ms  164.165 ms
15  be-4.cr1.mal4.se.portlane.net (80.67.4.239)  169.469 ms  169.371 ms  170.246 ms
16  80.67.1.121 (80.67.1.121)  169.788 ms  170.777 ms  171.708 ms
17  r.vpn.njalla.net (198.167.192.13)  171.209 ms  169.793 ms  169.998 ms
18  * * *
19  * * *
20  * * *
...

Conversely, this organization's ARIN-assigned ASN (AS54990) appears at present
to be providing routing only to the following two RIPE-assigned IP blocks:

185.193.124.0/24
2001:67c:235c::/48

and these blocks are themselves registered to (a) a Swedish entity going by
the name "Njalla" (for the IPv4 block) and (b) in the case of the IPv6 block,
the aforementioned "abstract" company, allegedly located in Finland.

I should perhaps mention also that traceroutes to random IP addreses in the
2001:67c:235c::/48 block are also highly suggestive that the physical
infrastructure supporting this address block is likely located somewhere
in Europe, with the traceroutes passing at least through the Netherlands,
and that various web-accessible geolocation services place the address
185.193.124.1 either in the vicinity of Oslo, Norway, or, in the case of
Neustar's geolocator service, Malmo, Sweden.

These facts, I'm sorry to say, leave me altogether unpersuaded that the
corporate entity designated in ARIN records via handle SL-206 has the kind
of "substantial connection" to the ARIN region that is allegedly necessary
for its ongoing membership, let alone the lear regional connection needed to
justify this corporation's currently assigned ARIN number resources.

Current reverse DNS for the entire 185.193.124.0/24 block also does not appear
to be indicative of any real or material connection to the ARIN region:

185.193.124.1 1-you.njalla.no
185.193.124.2 1-you.njalla.no
185.193.124.33 2-can.njalla.in
185.193.124.34 2-can.njalla.in
185.193.124.230 ns2.sarek.fi

In point of fact, this corporate entity, although incorporated in the rather
notoriously opaque Caribbean nation of Nevis & St. Kitts, known as much for
shell companies as for its sunny beaches, does appear to have rather more of
a connection to Europe that it does to North America.  In addition to all of
the foregoing facts there is also the identity and location of the contact
person for the RIPE-assigned 185.193.124.0/24 block which is currently routed
by AS54990.  That IPv4 block is itself allegedly located somewhere on the
remote, isolated, glacier-covered, and uninhabited Bouvet Island (BV) in the
far Southern Atlantic:

-----------------------------------------------------------------------------
netnum:        185.193.124.0 - 185.193.124.255
netname:        NJALLA-NET
remarks:        ______                       ___  ___
remarks:        _____________  ___  ______  /  / /  / _____
remarks:        _____\       \ \__\_\___  \/  / /  /_\___  \
remarks:        _____/   \   / /  /   _   /  /_/  //   _   /
remarks:        ____/   //  /\/  /    /  /    /   /    /  /
remarks:        ___/ __//__/    /\_______\____\___\_______\
remarks:        ___\/     \____/
remarks:
remarks:        A hut, on a pole, in a Sapmi forest, made of wood, to protect.
remarks:
remarks:        https://njal.la
remarks:
remarks:        (Please provide us with better art at ascii at njal.la)
remarks:
abuse-c:        NJ1301-RIPE
descr:          Njalla
country:        BV
admin-c:        BKP-RIPE
tech-c:         BKP-RIPE
status:         ASSIGNED PA
mnt-by:         BKP-MNT
created:        2017-11-30T21:48:29Z
last-modified:  2017-11-30T21:56:53Z
source:         RIPE

person:         Peter Kolmisoppi
address:        Box 4111, 203 12 Malmo
address:        Sweden
mnt-by:         BKP-MNT
e-mail:         noc at brokep.com
phone:          +46 40 62 13 000
nic-hdl:        BKP-RIPE
created:        2008-08-12T01:54:31Z
last-modified:  2017-03-03T18:05:55Z
source:         RIPE
-----------------------------------------------------------------------------

The Mr. Peter Sunde Kolmisoppi mentioned in the records above has somewhat of
a colorful personal history, it seems, and not in any particularly savory way...

https://en.wikipedia.org/wiki/Peter_Sunde

If I am reading the information at the above link correctly, I do believe
that it is a fair inference that Mr. Kolmisoppi was tried, convicted, and
sentenced to prison in Sweden, some years ago now, for having been just a
bit too liberal with other people's private property.  (Although some may
admire him for this, I am not among them.)

All that having been said, it would appear that Mr. Kolmisoppi has paid his
debt to society for his past criminal missteps, and thus I personally have no
reason or basis for any concern about his past.  I am however somewhat alarmed
at what would appear to be his current connections to what may perhaps be
some so-called "carding forums", i.e. web sites where cybercriminals buy,
sell, and trade in stolen credit card numbers and associated data (e.g. CVV).

Specifically, the domain name briansclub.shop is currently receiving DNS
services from the following name servers which would apper to be owned by,
or at the very least associated with the company named "Njalla" (see above)
which itself would appear to be strongly connected to Mr. Kolmisoppi:

	1-you.njalla.no
	2-can.njalla.in
	3-get.njalla.fo

Seprately and additionally, the domain names jokerstash.ms and jokerstash.tk
currently receive DNS services from the following set of name servers which
also appear to be connected to both Mr. Kolmisoppi and to the 185.193.124.0/24
RIPE-assigned address block previously mentioned above:

	1-ceci.njalla.do
	2-nest.njalla.ma
	3-pas.njalla.in

For the record, "Joker's Stash" is the nom de guerre of a collection of well-
known carding sites that has been written about extensively by my friend,
journalist Brian Krebs:

https://krebsonsecurity.com/2016/03/carders-park-piles-of-cash-at-jokers-stash/

Similarly, "Brian's Club" is yet another nom de guerre used by yet another
motley and criminal collection of so-called "carding" sites:

https://krebsonsecurity.com/2020/04/how-cybercriminals-are-weathering-covid-19/

It is my sincere hope and belief that all of the foregoing information
should be more than adequate to demonstrate that the Nevis & St. Kitts
corporate entity known as 1337 Services LLC lacks the requsite "substantial
connection" to the ARIN region necessary for it to have ever become an ARIN
member in the first place, let alone to remain one now.  If however the case
is still in the least bit unclear I would like to draw attention also to the
person who is the designated Tech, Admin, and Abuse contact for SL-206 and
thus also for the ARIN-assigned ASN AS37560 and also the ARIN-assigned
198.167.192.0/19 IPv4 address block:

---------------------------------------------------------------------------
Note:           ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2022-02-28
Name:           Watson, Nyahn 
Handle:         WATSO41-ARIN
Company:        
Address:        P.O. Box 590, Springates East, Government Road
City:           Charlestown
StateProv:      NEVIS
PostalCode:     
Country:        KN
RegDate:        2012-12-10
Updated:        2021-02-28
Phone:          +1-869-414-4111 (Office)
Email:          noc at cyberdyne.is
Ref:            https://rdap.arin.net/registry/entity/WATSO41-ARIN

---------------------------------------------------------------------------

(Note that the contact phone number listed above is currently disconnected.)

It is perhaps not entirely coincidental that a simple google search for
the name "Nyahn Watson" turns up the fact that a gentleman having that exact
name is also the Admin and Tech contact for the AFRINIC-assigned organization
identifier ORG-CS10-AFRINIC (Cyberdyne S.A.) which would appear to be located
Monrovia, Liberia, on the continent of Africa:

----------------------------------------------------------------------------
organisation:   ORG-CS10-AFRINIC
org-name:       Cyberdyne S.A.
org-type:       LIR
country:        LR
address:        Broad Street 80
address:        Monrovia
e-mail:         nyahn at cyberdyne.is
phone:          tel:+231-4-713-432
phone:          tel:+1-425-906-4769
admin-c:        AP39-AFRINIC
admin-c:        NW2-AFRINIC
tech-c:         NW2-AFRINIC
mnt-ref:        AFRINIC-HM-MNT
mnt-ref:        CyberdyneSA-MNT
mnt-by:         AFRINIC-HM-MNT
notify:         hostmaster at afrinic.net
changed:        hostmaster at afrinic.net 20130218
changed:        hostmaster at afrinic.net 20171006
changed:        hostmaster at afrinic.net 20171113
changed:        abuse at shelter.st 20180202
changed:        hostmaster at afrinic.net 20210708
source:         AFRINIC

person:         Nyahn Watson
address:        Broad Street 80
address:        Monrovia
address:        Liberia
phone:          tel:+231-4-713-432
e-mail:         abuse at cyberdyne.is
e-mail:         nyahn at cyberdyne.is
e-mail:         billing at cyberdyne.is
nic-hdl:        NW2-AFRINIC
mnt-by:         GENERATED-WVURFBJ8EPYM0NQF6GHLKDUQS7QK9DL3-MNT
changed:        nyahn at cyberdyne.net.lr 20121122
changed:        nyahn at cyberdyne.net.lr 20170524
changed:        abuse at shelter.st 20180202
changed:        nyahn at cyberdyne.net.lr 20180202
changed:        abuse at shelter.st 20191219
source:         AFRINIC
----------------------------------------------------------------------------

Needless to say, having one's Tech, Admin, and Abuse contacts physically in
Africa also would not seem to provide the required "substantial connection"
to the ARIN region needed for 1337 Services LLC to either become or to remain
an ARIN member.

On the basis of all of the foregoing, and for the sake of the law abiding
Internet user community which prefers not to see ARIN bending rules in order
to support online criminal enterprises, even if only indirectly, I respectfully
request that you, John, and other ARIN staff, as ncessary, review this case
with an eye towards terminating this membership, if warranted, and with an
eye towards reclamation of the associated number resources at the earliest
possible date, in accordance with existing ARIN policy.

Separately and additionally, I would like to understand how such a blatant
case as this managed to slip through the cracks with regards to policy
enforcement.  How many other corporate entities have been accepted for
membership by ARIN staff on the basis of mere shell company incorporations
within the region where the deception could have been seen (or could now be
seen) as readily apparent, simply by googling the asserted corporate mailing
address and seeing if dozens or hundreds of other companies are also asserting
their residence at that same address?


Regards,
rfg



More information about the ARIN-PPML mailing list