BGP Diversion — Geographic + Temporal Map
The map below shows how Russian Internet operators routed European-allocated address space — before the invasion of Ukraine, during it, and now. Drag the timeline to move through time; press Play to watch routes appear and persist. Read the panel below the map for plain-language explanation of what the arcs mean and why each finding matters.
// Read this first — plain-language primer
The Internet is a network of networks. Each independent network — a corporation, an ISP, a country's state telecom — operates an autonomous system (AS) identified by a number like AS12389. To send a packet from Berlin to Moscow, that packet hops through several ASes in sequence. Which sequence it actually traverses is decided by a protocol called BGP (Border Gateway Protocol).
An IP "prefix" is a contiguous block of addresses written like 91.241.80.0/24. The /24 means 256 addresses. An ASN advertises (via BGP) "I own this prefix, route packets to it through me" — that's an origin announcement. Other ASes around the world hear that and use it.
A "BGP hijack" is when an AS announces a prefix it doesn't actually own. The legitimate owner's traffic can then be redirected through the announcer, or made unreachable, depending on intent. RPKI and IRR are two systems where prefix owners can pre-declare "only these specific ASes are allowed to announce my prefix." When a Russian AS announces a Ukrainian or Czech prefix and neither RPKI nor the IRR has authorized it, that's the hijack shape.
"Transit" is different from "origin." A packet's path goes: start → transit AS → transit AS → … → origin AS. If Russian state telecom appears in the transit list — even when the origin is unchanged — that means Russian infrastructure is in the path. Our analysis distinguishes the two: Track A finds unauthorized origins, Track B finds Russian ASes appearing in the transit hops.
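The Track A check the primer describes, as an added example (not the analysis's own code): RFC 6811 route origin validation of one announcement against a set of VRPs, with an IRR `route:` lookup as the fallback authorization when RPKI has no opinion. The VRPs, route objects, prefixes and ASNs below are constructed documentation values, not real registry data.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """One Validated ROA Payload: covered prefix, maxLength, authorised origin ASN."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def rpki_state(route: ipaddress.IPv4Network, origin: int, vrps: list[VRP]) -> str:
    """RFC 6811 route origin validation. A VRP *covers* the route when the route lies
    inside the VRP prefix; it *matches* when it also agrees on ASN and the route is no
    longer than maxLength. No cover -> unknown; any match -> valid; covered but no
    match -> invalid (the strongest hijack signal)."""
    covering = [v for v in vrps if route.subnet_of(v.prefix)]
    if not covering:
        return "unknown"
    if any(v.asn == origin and route.prefixlen <= v.max_length for v in covering):
        return "valid"
    return "invalid"

def irr_authorises(route: ipaddress.IPv4Network, origin: int, route_objects: set[tuple[str, int]]) -> bool:
    """IRR route: objects are exact (prefix, origin) pairs; there is no maxLength notion."""
    return (str(route), origin) in route_objects

def track_a(route_str: str, origin: int, vrps: list[VRP], route_objects: set[tuple[str, int]]):
    """Track A verdict for one origin announcement: authorised when RPKI-valid, or when
    RPKI has no opinion but an IRR route: object names this origin; otherwise the
    'unauthorised origin' shape the red and orange arcs represent."""
    route = ipaddress.ip_network(route_str)
    rpki, irr = rpki_state(route, origin, vrps), irr_authorises(route, origin, route_objects)
    verdict = "authorised" if rpki == "valid" or (rpki == "unknown" and irr) else "unauthorised origin"
    return rpki, irr, verdict

# Constructed sample data: RFC 5737 documentation prefixes and documentation ASNs
# (64496-64511). These are not real ROAs or route objects.
VRPS = [
    VRP(ipaddress.ip_network("192.0.2.0/24"), 24, 64496),       # exact-length ROA
    VRP(ipaddress.ip_network("198.51.100.0/22"), 24, 64497),    # ROA allowing /22../24 only
]
ROUTE_OBJECTS = {("203.0.113.0/24", 64498)}                     # IRR-only authorisation
```

The fourth call below reproduces the shape of the narrow French /24 finding (an explicitly rejecting ROA), the last one the Ukrainian /24 cluster (no ROA, no route object).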
How to read the arcs
Each arc is a relationship between two ASes (network operators) regarding one specific block of IP addresses. The colors mean:
- Red arc — a confirmed unauthorized origin announcement. A Russian AS is claiming ownership of a European-allocated prefix, and neither RPKI nor the IRR has authorized that. Globally visible across 17–18 RouteViews peers — this is the hijack shape.
- Orange dashed arc — a narrow-propagation unauthorized announcement. Same authorization profile as red, but only 2 RouteViews peers observe it. Probably a local injection that's not propagating globally; lower analytical weight.
- Green arc — a post-invasion stable transit insertion. The prefix's origin AS is properly authorized; a Russian AS appears in the BGP path as transit. Both green arcs in this dataset trace to the same Ukrainian-RIPE-allocated /20 that hosts CrimeaStar — i.e., Russia operating occupied-Crimea Internet infrastructure via its state backbone. Not a hijack; overt integration.
- Faint grey arcs (toggle on/off via "Background") — aggregated legacy Russian-transit relationships on European prefixes that already existed pre-invasion. Country-pair flows; line weight = log(pair count). These are 1,760 commercial peering relationships that were not introduced by the war. Showing them puts the headline cohort in context: the substantiated findings are extremely few compared to the pre-existing baseline.
- Purple dashed arc — jurisdiction-laundering structure. Aggregated country-pair flows where the BGP-visible registration country differs from the operator nationality (e.g., RIPE-registered to Latvia, BGP-announced as RETN UK, but maintained by Russian operator Beget). Pre-dates the war; not a war-window finding but a structural one. Click any purple arc for details.
- Golden nimbus — flashes at the endpoints of any arc whose `first_seen` falls inside the time interval you just slid past. The visual cue that "this is the moment that route appeared."
Line thickness for red arcs scales with the number of RouteViews peers observing the announcement (more peers = thicker = more globally visible). Dot size at each endpoint is uniform.
The seven substantiated findings
AS196638 → Ukrainian /24 cluster (×3 prefixes)
A Russian AS (AS196638) began originating three contiguous Ukrainian-allocated /24s in early March 2026 — 91.241.80.0/24, 91.241.81.0/24, 91.241.82.0/24. All three appeared within nine days of each other. Seventeen RouteViews peers around the world observe the announcement, meaning the route is broadly propagated. Neither RPKI ROA nor RIPE IRR route: object authorizes the announcement. The IPs have no reverse DNS — there's no hosted-service fingerprint to attack or intercept — which is consistent with either BGP-level disruption (making the legitimate holder's space harder to reach) or staging for future deployment.
AS64486 → Czech /24 (since December 2022)
The longest-tenured finding. A Russian AS originating 176.96.229.0/24, a RIPE-Czech-allocated /24, continuously since 29 December 2022. Eighteen RouteViews peers observe it. No reverse DNS. Significantly: the IPs in this block geolocate to Ryazan, Russia — the "Czech" allocation appears to actually serve Russian addresses operationally. Thirty-eight months without RPKI/IRR correction by the registered prefix holder is itself noteworthy: either the holder is unaware, has stopped maintaining the block, or has implicitly accepted the announcement.
AS201097 KVANTA-LLC → French /24 (narrow)
A fresh Russian AS (allocated February 2026) originating 209.131.69.0/24, allocated by RIPE to French hosting company Syslevel. RPKI ROA explicitly rejects this origin; no IRR authorization exists. However, only 2 RouteViews peers observe the announcement, which means the route is barely propagating — likely a local injection, not a globally-effective hijack. Worth noting; not worth a designation referral.
Rostelecom transit on Crimean /20 (×2 AS paths)
This is the Track B finding. A Ukrainian-RIPE-allocated /20 — 81.162.64.0/20, registered to AS198293 GIGABYTE-AS pre-annexation — hosts internet.crimeastar.net, an Internet operator physically located in Russian-occupied Crimea (sample IP geolocates to Bakhchisaray). Post-invasion, BGP paths to this /20 traverse both AS12389 Rostelecom (Russian state telecom) and AS201776 (a Rostelecom subsidiary). These transit relationships did not exist in any of our six pre-war snapshots (2021Q1 through April 2022) and are present in 10 of the 13 recent weekly snapshots. The interpretation is straightforward: Russia is operating occupied-Crimea Internet infrastructure via its own state backbone. Overt integration, not covert diversion.
Jurisdiction laundering — the purple flows (1,163 candidates across 11+ ASes)
A separate category our origin-and-transit framework would have missed entirely — and the reason this map has a fourth color. We bulk-scanned all ~4 million RIPE inetnum objects looking for prefixes that are registered to a non-RU country but whose more-specific WHOIS records show Russian-operator signals (BEGET-MNT, AEZA-MNT, TIMEWEB-MNT, RU-* netnames, etc.), joined to the AS currently announcing them.
1,163 candidate prefixes surfaced, concentrated under 11+ ASes:
- AS210976 TWC-EU (Kazakhstan, allocated 2025-04-02): 274 candidates. Operates Timeweb infrastructure (TW-Cloud / TW-VDS netnames, TIMEWEB-MNT maintainer). Russian hosting at scale via a Kazakh-allocated AS created post-invasion — the textbook post-sanctions playbook.
- AS210644 AEZA-AS (Russia): 216 candidates. AEZA was OFAC-sanctioned in 2024 for hosting infostealer/botnet infrastructure; its EU-registered hosting layer (NL, SE, DE, FI) remains on BGP.
- AS208398 TELETECH (Serbia): 91 candidates, distributed across DE/FI/NL/US.
- AS9002 RETN (United Kingdom): 35 candidates, primarily LV-registered Beget infrastructure (earliest BEGET-MNT registrations 2007).
- AS215540 GCS-AS (UK), AS209372 WSTELECOM (US), AS212706 LIVI-HOSTING (UK), AS216139 IRONHOST (UK), AS44407 LINKT (FR), AS43350 NFORCE (NL), AS41745 FORTIS-AS (RU): 14–49 candidates each, accumulating into a long tail.
The dominant flows are KZ → NL (242 prefixes), RU → SE (64), RU → NL (49), GB → NL (43), GB → LV (36), RS → DE (32), KZ → DE (32), RU → FI (33). Click any purple arc on the map for the detail panel listing the named ASes for that jurisdiction.
This pattern predates the war for the Beget/RETN line (2007+), but the Timeweb-via-Kazakhstan structure was registered in April 2025 — a post-invasion, post-sanctions response. AEZA's 2024 OFAC designation didn't dislodge the EU-registered prefix layer either; the maintainer handles persist.
Track A and Track B both miss this class structurally: the BGP-visible country of origin is the operating AS's RIR allocation country (KZ, GB, RS, NL, etc.), not RU. RPKI ROAs issued by those ASes would validate the announcements cleanly. Only WHOIS analysis of the more-specific inetnum reveals the Russian operator. The dedicated RETN-specific audit lives at /intel/retn-as9002-prefix-audit.html; the broader intel page is /intel/bgp-jurisdiction-laundering.html (being prepared).
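The inetnum scan described above, as an added example that is not the project's own code: parse RPSL-style inetnum objects, keep those registered outside RU whose more-specific record carries one of the maintainer or netname signals the page lists, and join each to the most specific announced prefix covering it so the flow can be expressed as (announcing-AS country, inetnum country). The WHOIS excerpt, prefix-to-AS table and AS countries are constructed; only the maintainer handle names come from the page.

```python
import ipaddress
SIGNAL_MNT = {"BEGET-MNT", "AEZA-MNT", "TIMEWEB-MNT"}  # maintainer handles the page names as signals

def parse_rpsl(text):
    """Blank-line separated 'key: value' objects -> list of {key: [values]} dicts."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for key, _, val in (line.partition(":") for line in block.splitlines()):
            obj.setdefault(key.strip(), []).append(val.strip())
        objects.append(obj)
    return objects

def announcing_as(obj, origins):
    """Most specific announced prefix covering the inetnum range; origins = {prefix: (asn, as_country)}."""
    lo, _, hi = obj["inetnum"][0].partition("-")
    nets = list(ipaddress.summarize_address_range(ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    covering = [p for p in origins if all(n.subnet_of(ipaddress.ip_network(p)) for n in nets)]
    return origins[max(covering, key=lambda p: ipaddress.ip_network(p).prefixlen)] if covering else None

def laundering_candidates(dump, origins):
    """inetnum registered outside RU whose record carries a Russian-operator signal (listed maintainer
    or RU-* netname), joined to its announcing AS. Also returns (as_country, inetnum_country) flow counts."""
    hits, flows = [], {}
    for obj in parse_rpsl(dump):
        cc = obj.get("country", ["??"])[0].upper()
        signal = set(obj.get("mnt-by", [])) & SIGNAL_MNT or obj.get("netname", [""])[0].upper().startswith("RU-")
        if "inetnum" not in obj or cc == "RU" or not signal:
            continue
        found = announcing_as(obj, origins)
        if found:                                   # unannounced space has no BGP-visible country
            hits.append((obj["inetnum"][0], cc, found[0], found[1]))
            flows[(found[1], cc)] = flows.get((found[1], cc), 0) + 1
    return hits, flows

# Constructed sample: RFC 5737 ranges, documentation ASNs, made-up names; not a real WHOIS excerpt.
# The NL /24 allocation itself is clean; the signal sits on its more-specific assignment.
DUMP = """inetnum:  192.0.2.0 - 192.0.2.255
country:  NL
mnt-by:   EXAMPLE-LIR-MNT

inetnum:  192.0.2.128 - 192.0.2.191
country:  NL
mnt-by:   TIMEWEB-MNT

inetnum:  198.51.100.0 - 198.51.100.127
netname:  RU-EXAMPLE-HOSTING
country:  DE"""
ORIGINS = {"192.0.2.0/24": (64496, "KZ"), "198.51.100.0/24": (64497, "RS")}
```

On the real ~4 million-object dump the same loop runs unchanged; only the prefix-to-AS table needs to come from a current origin snapshot rather than a hand-written dict.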
Glossary
- AS / ASN (Autonomous System / AS Number) — an independent network operator. Each gets a numeric identifier. AS12389 = Rostelecom; AS196638 = a smaller Russian operator; AS198293 = the Ukrainian operator GIGABYTE-AS.
- BGP (Border Gateway Protocol) — the protocol ASes use to advertise reachability and stitch together the global Internet's routing topology.
- Prefix — a contiguous block of IP addresses written as 1.2.3.0/24. /24 = 256 addresses; /20 = 4,096; smaller numbers are larger blocks.
- Origin AS — the AS at the far end of the BGP path; the one that "owns" the prefix and starts the route.
- Transit AS — any AS that appears between the start of a BGP path and its origin. Packets travel through transit ASes en route to the origin.
- Hijack — when an AS originates a prefix it does not actually own. Can be malicious, accidental, or political (the announcing operator might be following a state directive, for instance).
- RIR (Regional Internet Registry) — the five registries that allocate IP space and ASNs to operators: RIPE (Europe + ME + parts of Asia), ARIN (North America), APNIC (Asia-Pacific), LACNIC (Latin America), AFRINIC (Africa). Each publishes a "delegated-extended" file documenting allocations.
- RPKI (Resource Public Key Infrastructure) — a cryptographic system where prefix owners publish signed Route Origin Authorizations (ROAs) declaring "only these specific ASes may announce my prefix." An announcement with no matching ROA → "RPKI unknown." With a matching ROA → "RPKI valid." With an explicitly-rejecting ROA → "RPKI invalid" (the strongest hijack signal).
- IRR (Internet Routing Registry) — older, non-cryptographic database where operators publish `route:` objects with the same intent as ROAs. Less authoritative than RPKI (anyone with a maintainer account can write objects), but covers more prefix space because it predates RPKI by twenty years.
- RouteViews — University of Oregon project that collects BGP routing data from ~40 cooperating ASes worldwide. Publishes hourly MRT-format files that capture the global routing table from each peer's vantage point. The data backbone for this analysis.
- MRT (Multi-Threaded Routing toolkit) — the binary file format RouteViews uses to publish BGP snapshots. Contains the full AS_PATH for every observed prefix.
- AS_PATH — the ordered list of ASes a route traverses. AS6939 → AS12389 → AS31430 → AS64486 means "to reach AS64486's prefix, packets enter via AS6939, cross to Rostelecom, then to AS31430, terminating at AS64486."
- SORM (Система оперативно-розыскных мероприятий) — Russia's mandatory lawful-intercept system. All Russian licensed telecom operators install FSB-controlled equipment that provides unmediated access to traffic and metadata. The reason transit through Russian state-aligned ASes is operationally significant.
Two detection layers, neither sees the whole picture
The laundering pattern works because two different surveillance layers observe it inconsistently — and the gap between them is the operational window.
The commercial AS-classifier layer (IPQS, IP2Proxy, Spur, MaxMind GeoIP2-Anonymous, etc.) is what Western compliance teams consume. It tells them: "this AS looks anonymous-network / VPN-shape" — small allocation, recent registration, datacenter address space, individual-owned. What it cannot tell them: who actually operates the AS, which Russian tenants are on its prefixes, and that the structure is sanctions-evasion shape rather than a generic privacy VPN. Compliance teams may block the AS; they don't know whose business they're disrupting.
The Russian-platform-side detection layer (mail.ru, Yandex, VK, Sber, госуслуги) appears to draw on flow-correlation data from upstream ISP-level pipelines. Major Russian platforms detect VPN / proxy connections with multi-second latency — too slow for synchronous commercial-classifier API lookups (sub-50ms typical), but consistent with asynchronous flow metadata propagating from upstream subscriber-attribution systems. Under Russia's SORM-2 / SORM-3 regulatory regime, which mandates ISP-level mirroring of metadata to FSB-controlled buffers, flow-correlated detection of this shape is the operationally plausible mechanism. What this layer sees: Russian-mainland users routing through anomalous foreign-AS endpoints. What it doesn't see: sessions that terminate entirely abroad — the laundering layer is invisible to Russian-side surveillance because the user is foreign.
The asymmetry is the design. A Russian operator builds infrastructure on a foreign-jurisdiction AS to serve content to Russian customers. The Russian platform-side observers can't see sessions where both ends are outside Russian ISPs; the Western compliance teams can see the AS but can't attribute its operator. Both layers know something is happening but neither sees the full picture. Operator attribution at the WHOIS inetnum level — the contribution of this analysis — is the missing piece for the Western side.
Full write-up at /intel/bgp-jurisdiction-laundering.html.
Methodology
- 5 years of CAIDA `routeviews-prefix2as` daily snapshots (1,825 days) for origin-AS history. Compressed into a closed-window SQLite of ~1M current + ~2.4M historical (asn, prefix, first_seen, last_seen) tuples.
- 13 weekly RouteViews MRT full-RIB snapshots for transit-path data (Feb 23 – May 18, 2026), plus 6 pre-war snapshots (Feb 2021, May 2021, Aug 2021, Nov 2021, Jan 2022, April 2022) for baseline.
- Cloudflare RPKI VRP feed (~672K v4 VRPs across all five Trust Anchors) refreshed daily. RIPE IRR `route:` database (~456K objects).
- AS-PATH propagation analysis — for each candidate hijack, parse the most recent MRT and count distinct RouteViews peers reporting the announcement. Distinguishes globally-visible hijacks from local injections that don't propagate.
- City-level IP geolocation via MaxMind GeoLite2-City.
- Path stability scoring — for each (prefix, transit_asn) pair in Track B, count how many of the 13 recent weekly snapshots actually observed the pair. Pairs present in ≥10/13 are "stable"; ≤3/13 are "transient."
- Pre-war vs post-war split — for each stable Track B pair, check whether it was present in any of the 6 pre-war snapshots. Present pre-war → legacy commercial peering. Absent pre-war + stable now → war-window operational introduction.
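The propagation count, path-stability scoring and pre-war split from the methodology above, as an added example rather than the analysis's own pipeline. Snapshots are modelled as rows of (collector peer ASN, prefix, AS_PATH) already extracted from MRT; the prefixes, ASNs and thirteen-week series are constructed, and treating the path head as the collector peer rather than a transit hop is this example's choice.

```python
from __future__ import annotations
from collections import Counter

PFX_A = "192.0.2.0/24"     # constructed stand-in for the occupied-territory /20
PFX_B = "198.51.100.0/24"  # constructed stand-in for a prefix with pre-war transit
WATCH = {64500, 64501}     # constructed stand-ins for the state-backbone ASNs of interest

def transit_pairs(snapshot: list[tuple[int, str, list[int]]]) -> set[tuple[str, int]]:
    """(prefix, transit_asn) pairs in one RIB snapshot. A row is (collector_peer_asn, prefix,
    as_path); the head is the collector peer (a vantage point, not a provider on the route) and
    the tail is the origin, so hops strictly between them are transit. The set absorbs prepending."""
    return {(pfx, asn) for _peer, pfx, path in snapshot for asn in path[1:-1]}

def stability(recent: list, watch: set[int], stable_at: int = 10, transient_at: int = 3) -> dict:
    """Count in how many of the recent weekly snapshots each watched (prefix, transit_asn)
    pair appears; >= stable_at of 13 is 'stable', <= transient_at is 'transient'."""
    counts = Counter(p for snap in recent for p in transit_pairs(snap) if p[1] in watch)
    def label(c: int) -> str:
        return "stable" if c >= stable_at else "transient" if c <= transient_at else "indeterminate"
    return {pair: (c, label(c)) for pair, c in counts.items()}

def prewar_split(stable_pairs: list, prewar: list) -> dict:
    """Stable pair seen in any pre-war snapshot -> legacy commercial peering;
    never seen pre-war -> war-window operational introduction."""
    baseline = set().union(*(transit_pairs(s) for s in prewar))
    return {p: ("legacy commercial peering" if p in baseline else "war-window introduction")
            for p in stable_pairs}

def peer_count(snapshot: list, prefix: str, origin: int) -> int:
    """Track A propagation check: distinct collector peers reporting prefix with this origin."""
    return len({peer for peer, pfx, path in snapshot if pfx == prefix and path[-1] == origin})

def _snap(week: int, prewar: bool = False) -> list:
    """Constructed RIB rows for one snapshot. Recent series: 64500 is on PFX_A's path in
    10 of 13 weeks and 64501 in 2; on PFX_B it is present every week, pre-war included."""
    rows = [(64496, PFX_A, [64496, 64502, 64499]),         # unwatched transit only
            (64496, PFX_B, [64496, 64500, 64500, 64503])]  # prepended legacy transit
    if not prewar and week not in (3, 7, 11):
        rows.append((64497, PFX_A, [64497, 64500, 64499]))
    if not prewar and week in (0, 5):
        rows.append((64498, PFX_A, [64498, 64501, 64500, 64499]))
    return rows

RECENT = [_snap(w) for w in range(13)]
PREWAR = [_snap(w, prewar=True) for w in range(6)]
def run_track_b() -> tuple[dict, dict]:
    """Score stability over RECENT, then split the stable pairs against the PREWAR baseline."""
    scores = stability(RECENT, WATCH)
    return scores, prewar_split([p for p, (_, lab) in scores.items() if lab == "stable"], PREWAR)
```

With real data the only change is the source of the rows: each weekly MRT RIB dump yields one `snapshot` list, and the six pre-war dumps feed `prewar`.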
Caveats
- The substantiated cohort is small: four origin-hijack prefixes plus two transit-integration pairs to one Crimean /20. The map's visual prominence is high; the underlying analytical claim is modest. Worth manual investigation, not journalism-worthy by itself.
- City-level geo is approximate. Russian IP space frequently geolocates inconsistently across vendors and across time. The Ryazan attribution for AS64486's /24 is from one provider's dataset; a different provider might say Moscow or Saint Petersburg.
- Background grey flows are aggregated to country-pairs — line weight reflects pair count, not individual prefix evidence. Click is disabled on grey arcs (only the substantiated findings have detail panels).
- The 6 pre-war snapshots are sparse coverage. A pair absent from all six might still be a pre-war legacy relationship that simply wasn't in the path during those particular sampling moments. Tighter monthly pre-war coverage would reduce this uncertainty.
- RPKI ASPA (the upcoming protocol that will validate transit relationships, not just origin) is not yet deployed at scale. When it is, the Track B framework gains the same authoritative validation Track A already has.
Full analytical report: docs/BGP_DIVERSION_INTELLIGENCE.md in the sanctions-intelligence repository. Generated 2026-05-20.