Jurisdiction Laundering at the BGP / WHOIS / DNS Layer

Russian-operator infrastructure on European-allocated, European-announced address space — what compliance teams don't see, why, and what the live-traffic layer reveals.

Period covered: 2026-05-19 — 2026-05-20 active scan; uses 5-year BGP history (2021-05 — 2026-05) and current RIPE / DNS / RouteViews / RIR delegation snapshots. Generated: 2026-05-20 Companion to: docs/BGP_DIVERSION_INTELLIGENCE.md (the war-window origin-hijack and transit-MITM brief). This brief documents a structurally older and broader category that the earlier framework missed.

Executive summary

Both Track A (Russian origin AS announcing European prefix) and Track B (Russian transit AS on path to European prefix) filter out a third category that is the dominant sanctions-evasion shape Russian operators actually use:

BGP origin AS is registered to a non-Russian RIR jurisdiction (Kazakhstan, Serbia, United Kingdom, Netherlands, the United States, etc.)
The prefix itself is RIR-allocated to a non-Russian country
RPKI ROAs issued by that AS validate the announcement cleanly
RIPE IRR route: objects from the same AS authorize it
Only the WHOIS more-specific inetnum — netname, mnt-by, descr, org — reveals that the operator is Russian

A bulk scan of ~4.13M RIPE inetnum objects, joined to currently-announced BGP prefixes, surfaced 1,163 candidate /24-class prefixes that match this shape. The candidates concentrate under a handful of named ASes, each with a recognizable operator behind it:

ASN	Name / RIR jurisdiction	Candidates	Operator-attribution
AS210976	TWC-EU (Kazakhstan, allocated 2025-04-02)	274	Timeweb (`TW-Cloud`/`TW-VDS` netnames, `TIMEWEB-MNT` maintainer). Post-invasion KZ-allocated AS.
AS210644	AEZA-AS (Russia, 2021-10)	216	AEZA Group. OFAC-sanctioned July 2024. EU-registered prefix layer survived the designation.
AS208398	TELETECH (Serbia, 2023-01)	91	Russian hosting customers on a Serbian-allocated AS, DE/FI/NL/US prefix mix.
AS9002	RETN-AS (United Kingdom, 2008-03)	35	Primary tenant Beget LLC; `BEGET-MNT` maintainer, `RU-BEGET-` / `LV-BEGET-` netnames.
AS215540	GCS-AS (UK, 2024-02)	49	Diffuse — UK-allocated, mixed FR/US/NL/DE prefix registrations.
AS209372	WSTELECOM Customers (US, 2019-08)	42	US-allocated, mixed.
AS212706	LIVI-HOSTING (UK, 2026-02)	32	UK AS allocated 3 months ago; tenants include `*.ztv.su` (`.su` is the Soviet-era ccTLD).
AS216139	IRONHOST (UK, 2023-10)	22	Tenant `*.mchost.ru` — Russian operator MasterHost on UK AS.
AS44407	LINKT (FR, 2016-11)	22	French-allocated, Russian sub-tenants on FR-registered space.
AS43350	NFORCE (NL, 2007-07)	15	NL-allocated; long-standing Russian-hosting tenants.
AS41745	FORTIS-AS (RU, 2021-02)	14	Russian AS announcing prefixes registered to NL/US/FR/GB.

The dominant operator → prefix-country flow is KZ-AS → NL-registered: 242 prefixes, all under AS210976 / Timeweb. RU → SE (64), RU → NL (49), GB → NL (43), RU → DE (43), GB → LV (36), RS → DE (32), KZ → DE (32) follow. 61 unique operator-jurisdiction × prefix-country pairs total.

The pattern's three signal layers — and why each layer can miss it

Layer	What it sees	What it misses
BGP routing-table	Origin AS country = KZ / GB / RS / NL / US — all non-RU	Operator nationality
RIR-allocated prefix	Country = NL / SE / LV / DE / etc. — all non-RU	Operator nationality
RPKI ROA	Cryptographically signed: the announcing AS is authorized to announce	Operator nationality
IRR `route:` object	Operator publishes "yes, this AS is mine" — also clean	Operator nationality
WHOIS more-specific inetnum	Netname `RU-BEGET-*`, maintainer `BEGET-MNT`, descr "Russian operator", org `Beget LLC RU`	nothing — this is the reveal

A compliance review that asks "is this AS Russian?" returns no at every layer except the last. A reviewer who doesn't do per-prefix RIPE WHOIS lookups at the more-specific inetnum level will conclude the infrastructure is European-operated. That conclusion is wrong.

The post-invasion playbook is visible — Timeweb / TWC-EU as the case study

Timeweb is one of the largest Russian hosting providers. Its domestic AS — AS9123 TIMEWEB-AS, RU, allocated 2008 — hosts 7,207 currently-resolving .su domains (8.3% of all .su hosting). Its EU-presenting AS — AS210976 TWC-EU, RIPE-allocated to Kazakhstan on 2 April 2025 — announces 274 prefixes RIR-registered to NL (242) and DE (32), with TW-Cloud and TW-VDS netnames maintained by Russian Timeweb handles.

The KZ allocation date is the meaningful detail: three years into the post-2022 sanctions regime, Timeweb registered a fresh AS in a non-coalition jurisdiction specifically to carry European-prefix hosting that would have been impossible to do from a Russian origin-AS without triggering coalition-side sanctions screening. This is the textbook playbook of the post-sanctions structuring phase, executed precisely as predicted by sanctions-policy analysts.

AEZA — sanctioned but still operating

AS210644 AEZA-AS (Russia) announces 216 prefixes registered to SE (63), NL (45), DE (42), FI (32). AEZA Group was placed on OFAC's SDN list in July 2024 for hosting infostealer / botnet infrastructure. Eleven months later the EU-registered prefix layer remains announced, the maintainer handles (aeza-mnt, lir-ru-aezagroup-1-MNT) still operative, and the netnames (NL-AEZA-NETWORK, DE-AEZA-NETWORK) unchanged. Reverse DNS samples show generic flower-themed wildcards (verticalsapphir.ptr.network, foolishrose.ptr.network, premieraquamari.ptr.network) consistent with the hosting-of-anonymized-infrastructure rationale OFAC cited in the original designation.

The persistence of AEZA's EU prefix layer after OFAC designation is itself a finding: sanctions designations operate on the entity, not the BGP layer. Removing the EU-presenting prefix layer would have required either RIPE LIR cooperation or a coalition-side BGP intervention, neither of which has occurred. The operator continues to deliver content from the same address space.

Operational classification — live vs parked vs warehoused

The candidate list contains parked, dormant, and live infrastructure in roughly equal measure. To separate signal from noise we sampled 4 domains from each of the top 30 outlier ASes and ran HTTP banner checks from three vantages:

Western European residential FTTH (clean residential probe; reduced scanner blocklist exposure)
Western European datacenter (Contabo FR; comparable but recognised as datacenter)
A Russian-individual-owned AS presenting as Dutch (instance of the pattern we're auditing; included as a Russian-trust-signal vantage)

Results categorise the 30 outliers as follows:

Category	Pattern	Example ASes
🔴 LIVE — live Russian-language operations on non-RU AS	Returns HTTP 200 with Russian-language content from any vantage	AS50245 US (498 live domains), AS198068 EE (225 live), AS54113 US (178), AS216154 AE (111), AS204601 NL (120, live 1xBet/1Win gambling), AS50867 NL (94, Russian IT/news), AS133618 AU (93, live piracy `123moviesfull.su`), AS32338 AI (82, live adult), AS211381 LV (76, live Argo Casino + 1Win), AS214833 RS (70, live Minecraft community)
⚪ PARKING / NON-OPERATIONAL	Returns parking-class 403 or Sedo-marketplace landing	AS47846 SEDO DE (290 domains all parked), AS19574 US (cybersquats redirecting to trademark owners)
🟡 LEGALLY BLOCKED	Returns HTTP 451 — German legal takedown compliance visible	AS206834 DE (343 domains, all HTTP 451 for `movies.su`)
⚫ DEAD / RESTRICTED	All timeouts, all 404, or "domain not configured" responses	AS58182 IL (95 all 404), AS58061 LV (107 all timeout), AS138995 HK (92 all "域名未配置")
🟠 WAREHOUSED REDIRECT CHAIN	Returns 302 to mirror-class `.top` domains that themselves return 403 from any external vantage	AS59692 UAE (the named-brand gambling cluster `1melbet.su` → `3t-melbet.top` etc.)

The most striking reclassification: AS59692 UAE was initially read as the brand-name gambling cluster (Melbet, Pokerdom, 1Win). The HTTP trace shows the redirect chain to .top mirrors exists but the mirrors return 403 from every external vantage we tried — residential NL, datacenter FR, and the Russian-individual VPN AS. That's consistent with the infrastructure being warehoused — provisioned, redirect dance configured, but not actively serving traffic right now. The actually-live gambling-affiliate traffic is on AS204601 NL and AS211381 LV — both serve 1xBet, 1Win, Argo Casino content over HTTP 200 from any vantage we tried.

The Australian piracy AS133618 is the other clean operational finding: identical 123movies-family content that returns HTTP 451 under German jurisdiction (AS206834 DE) returns HTTP 200 under Australian jurisdiction. Jurisdiction shopping is visible at the serving layer, not just the registration layer.

.su TLD as a corroborating dataset

The Soviet-era .su ccTLD remains operated by ROSNIIROS (Russian-state-affiliated registry) and is the dominant TLD of nostalgia / Russian-language commerce / brand-squatting in Cyrillic-speaking markets. As of 20 May 2026, the live .su zone contains 110,996 domains. Of these, 87,723 (78.9%) currently resolve to an IP.

The hosting distribution corroborates the laundering audit:

Bucket	.su domains	Share
Russian / Belarusian RIR-allocated ASes	69,800	79.9%
Otherwise-unknown (non-RU/BY, not in laundering candidate set, not major CDN)	7,777	8.9%
Major CDN (Cloudflare / AWS / Google / Akamai / Hetzner / etc.)	6,465	7.4%
Laundering-candidate AS	3,307	3.8%

The 79.9% Russian-domestic concentration is the expected baseline. The 8.9% on "otherwise-unknown" ASes is the interesting outlier bucket — .su domains hosted outside Russia, outside the laundering-flagged ASes we already documented, outside the major CDN infrastructure. Sectoral breakdown of that 8.9%:

Live Russian-targeted gambling: AS204601 NL, AS211381 LV (1xBet, 1Win, Argo Casino, Melbet variants) — gray-market gambling operating in EU jurisdictions in defiance of AML rules
UAE post-2022 hosting hub: AS59692, AS216071, AS216154, AS205282 — 663 .su domains across four UAE-allocated ASes
1C Russian ERP software ecosystem: parked at AS47846 SEDO DE
Piracy: AS133618 AU (live), AS206834 DE (legally blocked)
Adult content: AS32338 AI (Anguilla — permissive Caribbean registry)
Minecraft / gaming community: AS214833 RS (Russian-language game servers on Serbian AS)
Baltic Russian-language commerce: AS198068 EE (225 live), smaller LT/LV/EE clusters

Proportional concentration (.su domains per /24 of announced space)

Density	AS	CC	Operator inference
227 / 24	AS57724	RU	DDoS-Guard — the Russian benchmark for "site-protection density"
180 / 24	AS60357	RU	Small RU AS — heavily .su-concentrated
72.5 / 24	AS47846	DE	SEDO domain marketplace — Russian sellers using a German marketplace; not operational
68.6 / 24	AS206834	DE	Piracy hosted, legally blocked by HTTP 451
56 / 24	AS205282	AE	UAE micro-AS — half a /24 dedicated to .su
39.7 / 24	AS48287	RU	RU-CENTER (Russian registrar's hosting)
34.2 / 24	AS197695	RU	REG.RU (the dominant .su registrar)
30.3 / 24	AS44112	RU	REG.RU subsidiary
23.3 / 24	AS133618	AU	Live piracy concentration
19.0 / 24	AS58182	IL	Israeli AS, mostly 404 — provisioned but dormant

The Western anomalies — AS47846 SEDO DE, AS206834 DE, AS205282 AE, AS133618 AU — host Russian-targeted content at the same intensity (or higher) than mainstream Russian providers. SEDO turns out to be parking; the other three are operational layers in foreign jurisdictions.

State-themed .su domains

The .su zone contains several explicitly state-themed and occupied-territory-themed registrations:

Domain	Resolves to	Hosting AS	Note
`fsb.su`	5.101.153.10	AS198610 BEGET-AS, RU	Russian Federal Security Service name
`minfinlnr.su`	109.69.18.78	AS198610 BEGET-AS, RU	"Ministry of Finance of the Luhansk People's Republic" — Russia-recognised occupied-territory governance, hosted on Beget
`mvdussr.su`	87.236.16.247	AS198610 BEGET-AS, RU	"USSR MVD" themed, on Beget
`lpr.su`	82.97.243.107	AS9123 TIMEWEB-AS, RU	Luhansk-themed on Timeweb
`crimea.su`	95.163.244.135	AS197695 REG.RU, RU	Generic Crimea-themed, on REG.RU

Several others — mvd.su, rosatom.su, rostelecom.su, duma.su, kremlin.su, gazprom.su, sberbank.su, president.su — exist in the registry but do not currently resolve.

Two detection layers, and the asymmetry between them

Investigating the live-classification results revealed a second-order finding worth recording.

Mainstream Russian platforms (mail.ru being the index case) appear to detect VPN/proxy traffic with characteristic latency — a multi-second delay before flagging — that is not consistent with synchronous commercial-classifier API lookups (sub-50ms typical). The observed lag pattern is more characteristic of asynchronous flow-correlation joining session metadata against subscriber- and AS-profile data arriving from upstream pipelines. Under Russia's SORM-2/-3 regulatory regime — which mandates ISP-level mirroring of metadata to FSB-controlled buffers and confers state-grade access to derived data feeds — flow-correlated detection of this shape is the operationally plausible mechanism. We are not claiming direct observation of this mechanism, only that the latency profile of the observed VPN-detection notices matches passive-flow-correlation characteristics more closely than it matches commercial-classifier API characteristics.

This produces a notable asymmetry between two detection layers:

Layer	What it sees	What it can't see
Commercial AS-classifier (IPQS, IP2Proxy, Spur, MaxMind GeoIP2-Anonymous, etc.)	"This AS is an anonymous-network / VPN-shape allocation" — small, recent, datacenter-shape, individual-owned	The operator identity behind the AS, the specific Russian sub-tenants on its prefixes, the laundering pattern
Russian-platform-side flow-correlated detection (SORM-grade pipelines feeding services like mail.ru / Yandex / VK / Sber / gosuslugi)	Active VPN sessions where the user-side of the connection terminates in Russian-mainland ISP space	Sessions that terminate entirely abroad — the laundering layer is invisible to Russian-side surveillance because the user is foreign

The two layers are not complementary. The classifier layer is what Western compliance teams have access to. The flow-correlation layer is what Russian state surveillance has access to. Neither sees the full picture, and the gap between them is exactly the operational window the laundering pattern exploits:

A Russian operator structures a foreign-jurisdiction AS to host customer content — the customer is Russian but the session terminates abroad
Russian-side flow correlation does not observe the session (it's outside SORM scope when both endpoints are foreign)
Western commercial classifiers see the AS but not the operator — they may flag the AS as "anonymous network" but they don't know the operator's identity or that this is sanctions-evasion infrastructure

The compliance gap is structural: enterprise tools tell you the AS is risky; they don't tell you who runs it. The contribution of this brief — operator-attribution via RIPE WHOIS at the inetnum level — fills that gap.

Methodology

Bulk RIPE inetnum dump (ripe.db.inetnum.gz, 4.13M RPSL objects) parsed. For each inetnum: extract inetnum, netname, country, mnt-by, org, descr. Filter to inetnums where at least one country field is a non-RU European/EU+US country and prefix size is ≤ /16.
Russian-operator signal scoring against four categories: netname pattern (RU-*, BEGET, RUSSIA, etc.), maintainer pattern (BEGET-MNT, YANDEX-MNT, MTS-MNT, ROSTELECOM-MNT, VIMPELCOM-MNT, etc.), descr operator-token match (SELECTEL, AEZA, TIMEWEB, RUVDS, MAJORDOMO, ~30 tokens total), org name. Any inetnum with ≥ 1 signal flagged.
Joined each candidate to bgp_history.db.bgp_pfx_current (1.02M currently-announced v4 prefixes) to attribute the AS that announces the covering prefix.
Aggregated by announcing-AS and operator-country → prefix-country flow.
Curated tail-trimming: dropped Tier-1 transit ASes (SURFNET AS1103, DTAG AS3320, GTT AS3257, TIM AS3269) where signals are incidental noise rather than systematic operator presence.
Full .su TLD inventory pulled from ru-tld.ru/files/SU_Domains_*.gz (110,996 domains). Parallelized DNS A-record resolution (80 worker threads, ~30 minutes wall-clock, 87,723 of 110,996 resolved = 78.9% success rate).
Per-AS density computed as (.su-domains-hosted) / (announced /24-equivalent address space). ASes with < 20 .su domains hosted excluded as noise floor.
HTTP-banner check on 4 sample domains per outlier AS, from three vantages (residential FTTH NL, datacenter FR, Russian-individual VPN AS) — distinguishing parking from live operations and cross-checking gating behaviour.
Reverse-DNS lookups on sample IPs from each candidate cohort surfaced operator-confirmation strings (*.twc1.net for Timeweb, *.beget.ru.*.in-addr.arpa for Beget, *.ztv.su for ZTV, *.mchost.ru for MasterHost, etc.).

Limitations

Signal precision is imperfect: an inetnum with netname starting RU- could be unrelated to Russia (e.g., RU as initial letters); manual spot-check of headline ASes confirmed the major patterns are real, but the tail likely contains false positives. The top-11 named ASes are well-attested; the long tail below 14 candidates per AS is less reliable.
The /16 prefix-size cutoff excludes LIR-level parent allocations. A Russian-operated LIR holding /16+ blocks would be invisible to this audit.
AS-allocation jurisdiction is the country the AS was allocated to by RIPE. It does not necessarily reflect where the AS operates. For the named headline ASes manual verification of netname / maintainer / descr patterns aligns with the Russian-operator interpretation; the long-tail ASes may have other explanations.
HTTP banner checks are point-in-time. A site that returns 403 today may serve tomorrow; a site that returns HTTP 200 may be taken down. The classification is a snapshot.
The SORM-channel detection inference is reasoning from observed latency profiles, not direct observation of upstream data flows. Alternative explanations (asynchronous behavioural fingerprinting, session-history correlation, DNS-pattern detection) could produce similar latency profiles, though SORM is the parsimonious account given Russia's regulatory environment.
Multi-vantage probing is limited to three vantages. A Russian residential or mobile vantage would clarify the AS59692 gambling cluster's actual operational state; we do not have one. AS59692's current dormant-on-external-probes state is consistent with several scenarios (selectively serving Russian residential IPs only, post-block warehousing, paused awaiting redeployment) and the data does not distinguish between them.
IPv6 announcements are not in this scan. The pattern likely extends to v6 space; we have not measured it.
The bulk inetnum dump is point-in-time. Maintainer changes after the dump generation date are not reflected. AEZA's post-OFAC operator changes, if any, would not be captured by this pass.

What this changes for compliance teams

The contribution is operator-attribution at the WHOIS layer for the top jurisdiction-laundering ASes. Specifically:

AS210976 TWC-EU (Kazakhstan) — Timeweb. The KZ-allocated 2025-04 AS announcing NL/DE-registered prefixes is operationally Timeweb. Compliance screening that filters on "AS origin country = KZ" will not flag this. Screening that filters on "operator recognised as Russian hosting" should.
AS210644 AEZA-AS — already OFAC SDN. The EU-registered prefix layer survived the designation; downstream services that consume OFAC's published list won't automatically catch this if their ingestion pipeline only matches at AS-allocation-country.
AS9002 RETN — primary tenant Beget LLC. Beget LLC RU is the operator behind the LV-registered prefixes announced via UK AS9002. RPKI ROAs and IRR route: objects from RETN validate the announcements cleanly; only WHOIS at the more-specific inetnum reveals the tenant.
AS208398 TELETECH (Serbia). RS-allocated AS, Russian customers, DE/FI/NL/US prefix registrations.
The smaller GB / FR / NL / US ASes in the long tail.
The non-laundering-but-still-live cohort surfaced by the .su audit — particularly AS204601 NL gambling, AS211381 LV gambling, AS133618 AU piracy, AS32338 AI adult content, the four UAE-allocated commerce ASes. These are not the same shape as the laundering audit findings (the operators don't hide their nationality in WHOIS) but they are equivalent sanctions-evasion shapes at the hosting-jurisdiction layer.

Recommended follow-ups

Generalize the audit beyond RIPE-allocated address space. The current scope covers RIPE inetnums only. ARIN, APNIC, LACNIC delegations may contain analogous patterns (US-allocated prefixes with Russian-operator signals in WHOIS, etc.). Bulk-dump access exists for ARIN but the data model differs; APNIC and LACNIC expose less granular bulk data.
Cross-reference each candidate against a Russian legal-entity ownership database. EGRUL-style lookups on the named operators (Beget LLC, AEZA Group, Timeweb LLC, etc.) would surface beneficial-ownership chains and any sanctions-list matches at the parent-entity level.
Add the candidate set to a published Linzalytics intel page for compliance-team consumption (some of this work has been published at /intel/bgp-jurisdiction-laundering.html and /intel/retn-as9002-prefix-audit.html; further expansion warranted).
Continuous monitoring. The post-invasion structuring pattern (Timeweb's 2025-04 KZ allocation) suggests new AS allocations in permissive jurisdictions will continue. A periodic re-run of the bulk audit, plus alerting on new RIPE allocations from KZ / RS / AE / etc. with Russian-operator WHOIS signals, would surface future structurings as they happen.
Probe live-operational state from a Russian residential vantage — for the warehoused / gated cohort (AS59692 et al.), the only way to definitively classify is to observe the response served to a Russian residential user.
ASPA monitoring. RPKI's planned Autonomous System Provider Authorization (ASPA) extension, when deployed, would validate transit-layer relationships and constrain the laundering pattern. Adoption is not yet at meaningful scale; track deployment.

Generated from the master branch of the sanctions-intelligence repository, commits through the head at write time. Primary data sources: RIPE inetnum bulk dump (4.13M objects, 2026-05-19), CAIDA RouteViews pfx2as (1.02M v4 prefixes, 2026-05-18), full RouteViews MRT RIB (2026-05-18 0600 UTC), .su TLD zone export (ru-tld.ru, 2026-05-20, 110,996 domains), Cloudflare RPKI VRP feed (~672K v4 VRPs), RIPE IRR route: database (~456K objects), MaxMind GeoLite2-City. All analysis code lives at pipeline/jurisdiction_laundering_audit.py and related modules.