Summary
Nearly 20% of Ukraine's IPv4 addresses have been sold or seized since Russia's invasion, with most ending up in global proxy services hosted at U.S. ISPs – fueling both privacy tools and cyberattacks against Ukraine itself.
The Russian invasion of Ukraine has triggered an unexpected digital migration, with nearly 20% of Ukraine's IPv4 address space shifting to Russian control or global brokers since February 2022. A groundbreaking Kentik study reveals this cyber fallout, showing how war-torn Ukrainian ISPs sold critical internet infrastructure to survive – only for these addresses to be weaponized through anonymity services hosted at major U.S. providers. This digital hemorrhage represents more than economic desperation; it's reshaping global cybersecurity threats.
IPv4 addresses remain the internet's scarce real estate despite IPv6 adoption. With only 4.3 billion available globally, brokers lease blocks of 256 addresses for $100-$500 monthly – pricing that made Ukrainian assets irresistible to proxy providers when ISPs faced existential crises. Ukrtelecom, Ukraine's incumbent provider, now routes just 29% of its pre-war IPv4 ranges after selling blocks 'to secure financial stability,' according to Kentik's Doug Madory. Similarly, LVS (AS43310) and TVCOM hemorrhaged thousands of addresses, while Trinity Networks (AS43554) went offline during Mariupol's siege, its IP space scattering globally.
These addresses didn't vanish – they reappeared concentrated at three U.S. giants: Amazon (AS16509), AT&T (AS7018), and Cogent (AS174). Analysis by proxy-tracking firm Spur.us confirms these blocks now power commercial anonymity services like IPRoyal. While legitimate users employ such proxies for price comparisons or web scraping, they've become favorite tools for cybercriminals seeking untraceable infrastructure. Traffic routed through these addresses appears to originate from Ukraine, not the actual user – perfect cover for Russian-state hacking groups. The EU recently sanctioned Stark Industries Solutions, an ISP sourcing Ukrainian IPs for massive DDoS attacks against Ukraine.
AT&T's network became such a hub for foreign proxy traffic that the telecom enacted a landmark policy shift in February 2025. The update bans static routes for non-AT&T-owned IP blocks, requiring customers to originate traffic through their own autonomous system numbers (ASNs) by September 2025. 'AT&T is the first big ISP actually doing something about this,' noted Spur's CTO Riley Kilmer. However, this merely displaces rather than solves the problem. Kilmer predicts migration to lenient providers like Cogent (AS174), where Ukrainian IP ranges already surface. 'It's super easy to get something routed there,' he observed – a statement Cogent declined to address.
The implications cascade through tech communities. For torrent users and privacy advocates, this scramble degrades proxy reliability while increasing exposure to blacklisted IPs. Security teams face harder attribution challenges as traffic from Ukrainian-registered addresses is used in attacks against Ukraine itself. Crucially, the exodus continues: Hurricane Electric's routing tables show AT&T currently announcing non-U.S. blocks from Moldova to Seychelles. As Kilmer notes, until other backbone providers adopt AT&T's stance, the digital black market will simply pivot – turning Ukraine's tragedy into an endless game of whack-a-mole for global cybersecurity.
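One way a security team might account for this when attributing traffic, as an added example that is not from the article or the Kentik study: it joins source IPs to a routing snapshot by longest-prefix match and flags addresses registered to Ukraine but originated by the U.S. ASNs named above. The snapshot, the prefixes (RFC 5737 documentation ranges), the log lines and the function names are all constructed for illustration.

```python
import ipaddress

# U.S. networks the article names as now hosting formerly Ukrainian space.
US_ORIGINS = {16509: "Amazon", 7018: "AT&T", 174: "Cogent"}

# Constructed snapshot: (prefix, registry country, origin ASN seen in BGP).
# Prefixes are RFC 5737 documentation ranges, not real allocations.
SNAPSHOT = [
    ("192.0.2.0/24", "UA", 16509),       # whole block now originated by Amazon
    ("198.51.100.0/24", "UA", 43310),    # still originated by LVS
    ("198.51.100.128/25", "UA", 174),    # more-specific announced via Cogent
    ("203.0.113.0/24", "US", 7018),      # ordinary AT&T space
]

# Constructed log lines: timestamp, source IP, event.
LOG = """\
2025-03-01T10:00:01Z 192.0.2.10 login_failed
2025-03-01T10:00:05Z 198.51.100.20 login_ok
2025-03-01T10:00:09Z 198.51.100.200 login_failed
2025-03-01T10:00:12Z 203.0.113.7 login_ok
2025-03-01T10:00:15Z 10.1.2.3 login_ok
"""

def build_table(snapshot):
    """Parse prefixes and sort most-specific first for longest-prefix match."""
    rows = [(ipaddress.ip_network(p), cc, asn) for p, cc, asn in snapshot]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)

def lookup(table, ip):
    """Return (network, registry_cc, origin_asn) for the most specific match, or None."""
    addr = ipaddress.ip_address(ip)
    return next((row for row in table if addr in row[0]), None)

def flag_relocated(log_text, table, registry_cc="UA"):
    """Return events whose source is registered in registry_cc but originated by a listed U.S. ASN."""
    flagged = []
    for line in log_text.splitlines():
        ts, ip, event = line.split()
        hit = lookup(table, ip)
        if hit and hit[1] == registry_cc and hit[2] in US_ORIGINS:
            flagged.append((ts, ip, event, str(hit[0]), US_ORIGINS[hit[2]]))
    return flagged

if __name__ == "__main__":
    for row in flag_relocated(LOG, build_table(SNAPSHOT)):
        print(*row)
```

The /25 entry shows why the match must be longest-prefix: the covering /24 is still originated by its Ukrainian ISP, while the more-specific half is not.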
This IPv4 redistribution illustrates war's hidden infrastructure battles. Ukrainian ISPs sold digital territory to maintain physical services, inadvertently arming adversaries. While AT&T's policy marks progress, the solution requires coordinated action across Tier-1 providers. Until then, every Ukrainian IP sold represents another bullet in the cyberwar chamber.