BGP Origin-AS Diversion Report
Generated: 2026-07-05T02:15:55.088146+00:00
Latest BGP snapshot: 2026-07-03
Scope
- European prefix space: EU-27 + EEA + UK + CH + UA (33 countries)
- Russian ASNs (RIR-allocated): 5,745
- Sanctioned-entity ASNs (network_attribution): 346
- Combined target ASN set: 5,861
Detects origin-AS hijacks only: cases where a Russian/sanctioned ASN announces (as origin) a prefix that RIPE (or another RIR) allocated to a European entity. Does NOT detect transit-path manipulation; that requires full AS_PATH from MRT RIBs.
Known false-positive class
Each finding compares the parent RIR allocation country against the
origin ASN country. RIPE-allocated blocks are routinely sub-assigned
by European LIRs to Russian commercial customers (Virty.io, Selectel, etc.).
Those sub-assignments are perfectly legal and announced by Russian ASNs,
but they show up here as EU prefix → RU ASN. Before treating any
individual finding as a diversion event, verify with RIPE WHOIS on the
specific block (whois <prefix>, then look for the most-specific inetnum
and its country:/org:) and ideally an RPKI ROA check.
Track A v2 TODO: integrate RIPE IRR route: objects and RPKI VRP feed to
automatically downgrade RPKI-valid / IRR-authorized announcements.
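
One way the RPKI check above could feed the downgrade step, as an added example that is not the report's own code: RFC 6811 route origin validation of each finding against a VRP list. The VRPs, prefixes and ASNs are constructed from documentation ranges, and the triage labels are hypothetical.

```python
import ipaddress

# Constructed VRPs as (prefix, maxLength, origin ASN). Documentation prefixes
# and reserved ASNs only; a real run would load a validator's VRP export.
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]

def rov_state(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this route
        if route.prefixlen <= max_len and vrp_asn == origin_asn and vrp_asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def triage(findings, vrps=VRPS):
    """Attach a hypothetical triage label to each (prefix, origin ASN) finding."""
    labels = {
        "valid": "downgrade",         # holder authorised this origin via a ROA
        "invalid": "escalate",        # a ROA exists and this origin contradicts it
        "not-found": "manual-whois",  # no ROA: fall back to the WHOIS check
    }
    out = []
    for prefix, asn in findings:
        state = rov_state(prefix, asn, vrps)
        out.append((prefix, asn, state, labels[state]))
    return out

# Constructed findings in the report's shape: (European-allocated prefix, origin ASN).
FINDINGS = [
    ("192.0.2.0/24", 64500),      # sub-assignment with a matching ROA
    ("203.0.113.128/25", 64501),  # right ASN, but more specific than maxLength
    ("2001:db8:1::/48", 64511),   # covered by a VRP, wrong origin
    ("198.51.100.0/24", 64500),   # no covering VRP
]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(*row)
```

An RPKI-valid result only shows that the prefix holder authorised the origin; findings with no covering VRP still need the WHOIS check described above.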