Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of proxy and anonymity services nested at some of America's largest Internet service providers (ISPs).

Image: Mark Rademaker, via Shutterstock.

Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service providers (ISPs).

The findings come in a report examining how the Russian invasion has affected Ukraine’s domestic supply of **Internet Protocol Version 4** (IPv4) addresses. Researchers at **Kentik**, a company that measures the performance of Internet networks, found that while a majority of ISPs in Ukraine haven’t changed their infrastructure much since the war began in 2022, others have resorted to selling swathes of their valuable IPv4 address space just to keep the lights on.

For example, Ukraine’s incumbent ISP **Ukrtelecom** is now routing just 29 percent of the IPv4 address ranges that the company controlled at the start of the war, Kentik found. Although much of that former IP space remains dormant, Ukrtelecom told Kentik’s **Doug Madory** they were forced to sell many of their address blocks “to secure financial stability and continue delivering essential services.”

“Leasing out a portion of our IPv4 resources allowed us to mitigate some of the extraordinary challenges we have been facing since the full-scale invasion began,” Ukrtelecom told Madory.

Madory found much of the IPv4 space previously allocated to Ukrtelecom is now scattered to more than 100 providers globally, particularly at three large American ISPs — **Amazon** (AS16509), **AT&T** (AS7018), and **Cogent** (AS174).

Another Ukrainian Internet provider — **LVS** (AS43310) — in 2022 was routing approximately 6,000 IPv4 addresses across the nation. Kentik learned that by November 2022, much of that address space had been parceled out to over a dozen different locations, with the bulk of it being announced at AT&T.

IP addresses routed over time by Ukrainian provider LVS (AS43310) shows a large chunk of it being routed by AT&T (AS7018). Image: Kentik.

Ditto for the Ukrainian ISP **TVCOM**, which currently routes nearly 15,000 fewer IPv4 addresses than it did at the start of the war. Madory said most of those addresses have been scattered to 37 other networks outside of Eastern Europe, including Amazon, AT&T, and **Microsoft**.

The Ukrainian ISP **Trinity** (AS43554) went offline in early March 2022 during the bloody siege of Mariupol, but its address space eventually began showing up in more than 50 different networks worldwide. Madory found more than 1,000 of Trinity’s IPv4 addresses suddenly appeared on AT&T’s network.

Why are all these former Ukrainian IP addresses being routed by U.S.-based networks like AT&T? According to **spur.us**, a company that tracks VPN and proxy services, nearly all of the address ranges identified by Kentik now map to commercial proxy services that allow customers to anonymously route their Internet traffic through someone else’s computer.

From a website’s perspective, the traffic from a proxy network user appears to originate from the rented IP address, not from the proxy service customer. These services can be used for several business purposes, such as price comparisons, sales intelligence, web crawlers and content-scraping bots. However, proxy services also are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

IPv4 address ranges are always in high demand, which means they are also quite valuable. There are now multiple companies that will pay ISPs to lease out their unwanted or unused IPv4 address space. Madory said these IPv4 brokers will pay between $100-$500 per month to lease a block of 256 IPv4 addresses, and very often the entities most willing to pay those rental rates are proxy and VPN providers.

A cursory review of all Internet address blocks currently routed through AT&T — as seen in public records maintained by the Internet backbone provider **Hurricane Electric** — shows a preponderance of country flags other than the United States, including networks originating in Hungary, Lithuania, Moldova, Mauritius, Palestine, Seychelles, Slovenia, and Ukraine.

AT&T’s IPv4 address space seems to be routing a great deal of proxy traffic, including a large number of IP address ranges that were until recently routed by ISPs in Ukraine.

Asked about the apparent high incidence of proxy services routing foreign address blocks through AT&T, the telecommunications giant said it recently changed its policy about originating routes for network blocks that are not owned and managed by AT&T. That new policy, spelled out in a February 2025 update to AT&T’s terms of service, gives those customers until Sept. 1, 2025 to originate their own IP space from their own autonomous system number (ASN), a unique number assigned to each ISP (AT&T’s is AS7018).

“To ensure our customers receive the best quality of service, we changed our terms for dedicated internet in February 2025,” an AT&T spokesperson said in an emailed reply. “We no longer permit static routes with IP addresses that we have not provided. We have been in the process of identifying and notifying affected customers that they have 90 days to transition to Border Gateway Protocol routing using their own autonomous system number.”

Ironically, the co-mingling of Ukrainian IP address space with proxy providers has resulted in many of these addresses being used in cyberattacks against Ukraine and other enemies of Russia. Earlier this month, the European Union sanctioned **Stark Industries Solutions Inc.**, an ISP that surfaced two weeks before the Russian invasion and quickly became the source of large-scale DDoS attacks and spear-phishing attempts by Russian state-sponsored hacking groups. A deep dive into Stark’s considerable address space showed some of it was sourced from Ukrainian ISPs, and most of it was connected to Russia-based proxy and anonymity services.

According to Spur, the proxy service IPRoyal is the current beneficiary of IP address blocks from several Ukrainian ISPs profiled in Kentik’s report. Customers can chose proxies by specifying the city and country they would to proxy their traffic through. Image: Trend Micro.

Spur’s Chief Technology Officer **Riley Kilmer** said AT&T’s policy change will likely force many proxy services to migrate to other U.S. providers that have less stringent policies.

“AT&T is the first one of the big ISPs that seems to be actually doing something about this,” Kilmer said. “We track several services that explicitly sell AT&T IP addresses, and it will be very interesting to see what happens to those services come September.”

Still, Kilmer said, there are several other large U.S. ISPs that continue to make it easy for proxy services to bring their own IP addresses and host them in ranges that give the appearance of residential customers. For example, Kentik’s report identified former Ukrainian IP ranges showing up as proxy services routed by **Cogent** **Communications** (AS174), a tier-one Internet backbone provider based in Washington, D.C.

Kilmer said Cogent has become an attractive home base for proxy services because it is relatively easy to get Cogent to route an address block.

“In fairness, they transit a lot of traffic,” Kilmer said of Cogent. “But there’s a reason a lot of this proxy stuff shows up as Cogent: Because it’s super easy to get something routed there.”

Cogent declined a request to comment on Kentik’s findings.

Proxy Services Feast on Ukraine’s IP Address Exodus

AI is increasingly embedded into threat detection and response tools, but hallucinations can lead to false positive and inaccurate guidance. The AI-associated risk can't be completely eradicated, but SecOps teams can take steps to at least limit the effects.

SecOps Need to Tackle AI Hallucinations to Improve Accuracy

Secure enterprise browsers deliver multi-layered security, including web security, protection against malware on the endpoint, and defense against malicious extensions.

Gartner: Secure Enterprise Browser Adoption to Hit 25% by 2028

Cellebrite, a controversial digital forensics firm, is set to acquire virtualization vendor Corellium in a $170 million deal.

Digital Forensics Firm Cellebrite to Acquire Corellium

Cisco Talos researchers observed the new wiper malware in a destructive attack against an unnamed critical infrastructure organization.

'PathWiper' Attack Hits Critical Infrastructure In Ukraine

The vulnerability, with a 9.9 CVSS score on a 10-point scale, results in different Cisco ISE deployments all sharing the same credentials as long as the software release and cloud platform remain the same.

Cisco Warns of Credential Vuln on AWS, Azure, Oracle Cloud

Crypto-tracing firm Chainalysis says the mysterious 300-bitcoin donation to the pardoned Silk Road creator appears to have come from someone associated with a different defunct black market: AlphaBay.

When Ross Ulbricht received a $31 million bitcoin donation last weekend from an unknown source, many observers saw it as more than a very nice welcome-home gift. Rumors swirled that the creator of the Silk Road, less than five months after receiving a pardon from Donald Trump that saved him from a lifetime in prison, was sending himself a trove of his stashed criminal proceeds from his days running the dark web's first black market more than a decade prior.

Now cryptocurrency tracing investigators say they've arrived at a stranger explanation: The money wasn't originally Ulbricht's, and didn't come from the Silk Road. Instead, they suspect it came from a _different_ long-defunct dark-web black market: AlphaBay.

The crypto tracing firm Chainalysis tells WIRED that, based on blockchain analysis, it has tied the origin of the 300 bitcoins sent to Ulbricht on Sunday to someone involved in AlphaBay, a dark web market that sold a wide variety of drugs and cybercriminal contraband from 2014 to 2017 and eventually grew to be 10 times the size of the Silk Road, according to the FBI.

Chainalysis says the funds appear to have emerged from AlphaBay around 2016 and 2017. Given the amount of the donation, Chainalysis suggests it might have come from someone who acted as a large-scale seller on the market. “We have reasonable grounds to suspect that these funds originated in AlphaBay,” says Phil Larratt, Chainalysis's director of investigations and a former official at the UK's National Crime Agency. “Looking at the amount, that would suggest they came from someone who was possibly a vendor on AlphaBay back in the early days.”

WIRED reached out to Ulbricht for comment about the donation's origin via contacts at the Free Ross campaign that lobbied for his pardon, but didn't immediately receive a response.

Prior to Chainalysis’ finding that the $31 million donation appears to have originated at AlphaBay, the independent crypto-tracing investigator known as ZachXBT had already posted to his account on X his own findings that the money didn't appear to have come from the Silk Road. ZachXBT found that, despite the donor's use of multiple Bitcoin “mixers” that take in users' coins and return others to obfuscate their trail on the blockchain, he was able to trace the funds to an address that had been flagged in Chainalysis’ software tool Reactor as tied to illicit activity. That analysis suggested that the money was a “legitimate donation but not legitimate funds,” ZachXBT wrote in a text message to WIRED.

ZachXBT also found that the same individual who controlled the funds had cashed out other cryptocurrency at an exchange in small, distributed quantities rather than in a single sum, suggesting he or she may have been trying to prevent them being seized or flagged—another sign that the money may have come from criminal origins. “Usage of multiple mixers, spreading out CEX deposits, etc,” ZachXBT writes to WIRED, using the term CEX to mean a centralized exchange, “that is done typically if you are trying to avoid getting illicit funds frozen.”

Chainalysis declined to offer more information on how exactly it identified the funds as originating at AlphaBay. But the company has built a business around identifying illicit services like digital black markets out of the morass of billions of cryptocurrency addresses. Chainalysis’ identification of the AlphaBay cluster of bitcoin addresses, in fact, played a key role in the takedown of the market in a law enforcement investigation known as Operation Bayonet that spanned 2016 and 2017.

AlphaBay certainly produced plenty of crypto kingpins who would have the kind of eight-figure sum donated to Ulbricht. Before it was torn offline in an elaborate sting operation in July 2017, the site was facilitating $2 million a day in sales, largely of illegal drugs although it also offered malware, stolen data, and other cybercriminal wares. AlphaBay's creator and administrator, Alexandre Cazes, died in a Bangkok jail cell under mysterious circumstances following his arrest, but the site's second-in-command, who went by the handle Desnake, appears to have remained at large. Any bitcoins an AlphaBay seller or administrator managed to hold onto since the site’s closure would have since appreciated more than 40-fold.

Exactly why one of AlphaBay's crypto moguls would donate $31 million to Ulbricht, however, remains a mystery. Speculation on social media has ranged from a fellow black marketeer repaying a favor to a more principled gift intended to thank Ulbricht for blazing a trail with his invention of the Silk Road's crypto-enabled anonymous transactions.

That gratitude may also take into account that, while many got rich on the dark-web markets that Ulbricht pioneered, he instead spent over a decade in prison, speculates Taylor Monahan, a crypto tracer and security researcher at crypto firm MetaMask. “People donate when they’re deeply inspired by someone and/or grateful and/or have some sort of remorse for the situation,” says Monahan. “Survivor's guilt is wild.”

Ross Ulbricht Got a $31 Million Donation From a Dark Web Dealer, Crypto Tracers Suspect

Sophos researchers found this operation has similarities or connections to many other campaigns targeting GitHub repositories dating back to August 2022.

Backdoored Malware Reels in Newbie Cybercriminals

In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.

Thursday, June 5, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

I’ve discovered that being a rent guarantor for someone is an involved experience. While I’m glad that I can help out a loved one secure a better rental property, the process of verifying my identity and ability to cover any missed payments required handing over far more personal and financial data than I was comfortable with. 

I asked the agent about their information security policies and cybersecurity posture. I was relieved to hear that they delete all the personal data within two weeks of processing, but I was concerned that the person dealing with my dossier didn’t think that they were at risk of a cyber attack. They believed that because they had a low online profile and their organisation was small, they didn’t present as a target. 

Not wanting to jeopardise my position as a guarantor, I didn’t argue further beyond offering a few words of advice. The truth is that everyone is a target. Many criminals do not discriminate; they seek to compromise anyone and see how they can make money from a compromise once access is achieved. Sophisticated criminals research their targets and their wider ecosystem of suppliers and partners in depth to identify potential weak points. It only takes a moment’s inattention for anyone to fall for a phishing or social engineering scam. 

Cybersecurity training needs to reinforce the fact that anyone can be a victim of a cyber attack. No matter how careful you might be, how insignificant you think that you might be, an attack can still catch you off guard. The good news is that by ensuring basic cyber hygiene, we can make a lot of progress towards preventing harm. 

Impressing on users the need to install updates promptly, the importance of having end-point protection and using multi-factor authentication is not a panacea, but it is a basic foundation upon which more advanced protection can be built. 

Good cybersecurity begins with an awareness of the threat, an acknowledgement that we are all at risk, and knowing the potential consequences. Nobody is too insignificant, too small or too well hidden to escape the risk of cyber attack. Suitable protection follows from reflecting on what is at risk and what could possibly go wrong.

**The one big thing **

Talos has uncovered a destructive attack on Ukrainian critical infrastructure involving a new wiper malware, "PathWiper," deployed through a legitimate endpoint administration framework. Talos attributes this attack to a Russia-linked APT actor, underscoring the persistent threat to Ukraine's infrastructure amid the ongoing war. 

**Why do I care? **

This attack highlights the sophisticated tactics of state-sponsored threat actors and the risks critical infrastructure entities face, which could have global implications for cybersecurity and geopolitical stability. 

**So now what? **

Organizations, particularly those managing critical infrastructure, should strengthen their endpoint security, monitor for unusual administrative activity, and stay informed on evolving threats to mitigate potential risks.

**Top security headlines of the week**

**New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch**   
The high-severity flaw is being tracked as CVE-2025-5419 (CVSS score: 8.8), and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. (The Hacker News) 

**Vanta bug exposed customers’ data to other customers**   
Compliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion. (TechCrunch) 

**Data Breach Affects 38K UChicago Medicine Patients**   
UChicago Medicine released a statement that the data of 38K patients may have been exposed by a third-party debt collector's system breach. The exposed data may include SSNs, addresses, dates of birth, medical information, and financial account information. (UPI)

**Can’t get enough Talos? **

**Fake AI installers target businesses.** Catch up on the ransomware and malware threats Talos discovered circulating in the wild and masquerading as legit AI tool installers. Read the blog or listen to our most recent Talos Takes to hear Hazel and Chetan, the author, discuss the blog more in-depth.

**Talos at Cisco Live 2025**. From sessions featuring a live IR tabletop session to learning how to outsmart identity attacks, there’s plenty of Talos to keep you going in San Diego next week. Browse sessions Talos is participating in, and we'll see you there!

**Upcoming events where you can find Talos **

*   Cisco Live U.S. (June 8 – 12) San Diego, CA 
*   REcon (June 27 – 29) Montreal, Canada 
*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2–  7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376     
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details    
Typical Filename: IMG001.exe    
Detection Name: Simple\_Custom\_Detection 

**SHA 256:**   
**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection 

**SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0**   
MD5: 8c69830a50fb85d8a794fa46643493b2    
Typical Filename: AAct.exe    
Claimed Product: N/A    
Detection Name: PUA.Win.Dropper.Generic::1201

Everyone's on the cyber target list

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs…

A massive data leak has put the personal information of over 3.6 million app creators, influencers, and entrepreneurs at risk, reveals a report from vpnMentor. Cybersecurity expert Jeremiah Fowler uncovered an unsecured database containing a whopping 12.2 terabytes of sensitive data, linked to an app-building platform.

The exposed database, which was neither encrypted nor protected by a password, held 3,637,107 records. These records included names, email addresses, physical addresses, and details about payments for what appeared to be both users and app creators.

According to Fowler’s report, internal files and the database’s name suggested the data belonged to Passion.io, a company based in Texas/Delaware. Passion.io provides a no-code platform, allowing individuals like creators, coaches, and celebrities to build their own mobile apps without needing technical skills. These apps enable users to offer interactive courses and earn money through subscriptions or one-time purchases.

The exposed information, including personally identifiable information (PII) like names addresses, and even images, carries significant risks. Fowler warns that such data can be used by criminals for “phishing or social engineering attacks,” which are a common starting point for cybercrimes. Leaked email addresses and purchase histories can be used to trick individuals into revealing more personal or financial details by impersonating a trusted company.

Furthermore, the exposure of user profile images, some of which included children, raises serious privacy concerns. These images could potentially be misused for impersonation, creating fake accounts, or other online scams.

Source: vpnMentor

The researcher noted that even seemingly harmless images could be “potentially weaponized or used for unethical purposes.” Beyond personal data, the database also contained video files and PDF documents that appeared to be premium content sold by app creators, along with internal financial records, which could undermine creators’ revenue and give competitors insight into the company’s operations.

**Kudos to Passion.io’s Transparency**

Upon discovering the leak, Fowler promptly informed Passion.io. The company acted swiftly, restricting public access to the database on the same day. Passion.io acknowledged the finding, stating their “Privacy Officer and technical team are working on fixing the issue, making sure this can’t happen again.”

Nevertheless, if your company processes data, here are 5 key steps to follow to avoid database misconfigurations and prevent data leaks like the one affecting Passion.io. It is worth noting that these following steps won’t guarantee perfection, but they lower the chance of leaving a database exposed and leaking user data:

****1\. Enforce Authentication and Access Controls****

*   Implement multi-factor authentication for administrative access.

*   Use role-based access to limit who can view or modify sensitive data.

*   Never leave a database exposed without a password or access control.

****2\. Encrypt Data at Rest and In Transit****

*   Use strong encryption protocols and manage keys securely.

*   Ensure all sensitive data is encrypted both on disk and during transfer.

****3\. Automate Misconfiguration Detection****

*   Set up alerts for public exposure or unusual access patterns.

*   Use cloud security tools or configuration scanners (e.g., AWS Config, GCP Security Command Center) to detect misconfigurations in real-time.

****4\. Conduct Regular Security Audits and Pen Tests****

*   Test not just your app but also your storage and database layers.

*   Perform routine vulnerability assessments and penetration tests on your infrastructure.

****5\. Train DevOps and Technical Teams on Security Best Practices****

*   Keep documentation updated and enforce policies during development.

*   Make sure all team members handling infrastructure know how to secure cloud databases, manage permissions, and spot risky configurations.

Latest News