
Jurisdiction Laundering at the BGP / WHOIS / DNS Layer

2026-05-22

A bulk join of roughly 4.13 million RIPE inetnum objects against currently-announced BGP prefixes surfaced 1,163 candidate /24-class prefixes where every routing-layer signal reads as European but the more-specific WHOIS reveals a Russian operator. The origin AS is registered in Kazakhstan, Serbia, the United Kingdom, the Netherlands, or the United States. The prefix is RIR-allocated to a non-Russian country. RPKI ROAs validate. IRR route: objects authorize. Only the netname, maintainer, and org fields on the more-specific inetnum, things like RU-BEGET-*, TIMEWEB-MNT, or aeza-mnt, expose the operator nationality. A compliance review that stops at the AS-country or prefix-country layer returns a clean answer at every check except the one nobody runs.

The candidates concentrate under a small set of named ASes with recognizable operators behind them. AS210976 TWC-EU, allocated to Kazakhstan on 2 April 2025, carries 274 prefixes, 242 of them RIR-registered to the Netherlands and 32 to Germany, all under Timeweb's TW-Cloud and TW-VDS netnames. AS210644 AEZA-AS, OFAC-designated in July 2024, still announces 216 EU-registered prefixes (63 SE, 45 NL, 42 DE, 32 FI) eleven months after the designation, with maintainers and netnames unchanged. AS208398 TELETECH on a Serbian allocation carries 91 prefixes for Russian hosting customers. AS9002 RETN-AS, a UK allocation since 2008, runs Beget LLC as its primary tenant on BEGET-MNT-maintained space. AS212706 LIVI-HOSTING, allocated in the UK three months ago, hosts tenants on the Soviet-era .su ccTLD. The dominant operator-jurisdiction-to-prefix-country flow is Kazakhstan-AS to Netherlands-registered prefix at 242, followed by RU→SE at 64, RU→NL at 49, GB→NL at 43, RU→DE at 43, GB→LV at 36, RS→DE at 32, and KZ→DE at 32. Sixty-one unique operator-by-prefix-country pairs in total.

Live HTTP banner sampling from three vantages (Western European residential FTTH, Western European datacenter, and a Russian-individual-owned AS presenting as Dutch) separated parked from live infrastructure across the top 30 outlier ASes. The reclassifications matter. AS59692 in the UAE, initially read as a live 1Melbet/Pokerdom/1Win gambling cluster, returns 302s into .top mirrors that themselves 403 from every external vantage, consistent with warehoused-but-not-serving. The actually-live gambling-affiliate traffic is on AS204601 NL (120 live domains running 1xBet and 1Win) and AS211381 LV (76 live, Argo Casino and 1Win). AS133618 in Australia serves 123movies-family piracy content over HTTP 200 that the same family returns under HTTP 451 from AS206834 in Germany, showing jurisdiction shopping operating at the serving layer rather than just the registration layer. AS47846 SEDO DE shows up as the largest single .su concentration outside Russia (290 domains) but every banner reads as Sedo marketplace parking, not operational hosting.

The .su zone corroborates the audit. Of 110,996 live .su domains, 87,723 (78.9%) resolve. 79.9% of resolutions land on Russian or Belarusian RIR-allocated ASes (the baseline), 7.4% on major CDNs, 3.8% on the laundering-candidate set already documented, and 8.9% on otherwise-unknown ASes outside all three of those buckets. That 8.9% breaks out cleanly: gray-market gambling on AS204601 NL and AS211381 LV, a UAE post-2022 hosting hub across AS59692/AS216071/AS216154/AS205282 (663 .su domains across four UAE allocations), Anguilla-hosted adult content on AS32338, Serbian-AS-hosted Russian-language gaming communities on AS214833, and Estonian/Latvian/Lithuanian Russian-language commerce clusters led by AS198068 EE at 225 live domains.

For compliance and sanctions analysts, the operational consequence is straightforward: AS-country and prefix-country filters miss this category by construction, and so do RPKI-validity and IRR-cleanliness checks. The pattern is only visible if screening pulls the more-specific inetnum WHOIS for every prefix in scope and parses the netname, maintainer, and org fields for Russian-operator strings. The AEZA case demonstrates that OFAC designation alone does not remove the EU-presenting prefix layer; that requires either RIPE LIR cooperation or coalition-side BGP action, neither of which has happened in the eleven months since the July 2024 designation. The Timeweb TWC-EU case demonstrates that the post-sanctions structuring playbook is being executed in real time: a fresh Kazakhstan-allocated AS registered three years into the sanctions regime specifically to carry European-prefix hosting that a Russian origin-AS could no longer carry without triggering screening. Analysts running coalition-side procurement, payment, or hosting reviews should treat KZ/RS/GB/NL/US origin-AS as a screening trigger for WHOIS deep-dive, not a clearance signal.
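The screening step described above, sketched as an added example (not code from the brief or its methodology): parse RPSL inetnum objects, pick the smallest one covering each announced prefix, and report its country field next to any operator strings found in netname, mnt-by, or org. The function names, the marker list (built from the strings named in this article), and the sample objects on the 198.18.0.0/15 benchmark range are assumptions made for illustration; only IPv4 inetnum objects are handled.

```python
import ipaddress
import re

# Markers are the operator strings named in the article; extend per your own review.
OPERATOR_MARKERS = re.compile(r"^(RU-BEGET-|BEGET-MNT|TIMEWEB-MNT|AEZA-MNT|TW-CLOUD|TW-VDS)", re.I)

# Constructed RPSL sample on the 198.18.0.0/15 benchmark range, not real registry data.
SAMPLE_RPSL = """\
inetnum:        198.18.0.0 - 198.18.255.255
netname:        NL-EXAMPLE-LIR
country:        NL
mnt-by:         EXAMPLE-LIR-MNT

inetnum:        198.18.5.0 - 198.18.5.255
netname:        TW-VDS-EXAMPLE
country:        NL
mnt-by:         TIMEWEB-MNT

inetnum:        198.18.9.0 - 198.18.9.255
netname:        EXAMPLE-CUSTOMER
country:        NL
mnt-by:         EXAMPLE-LIR-MNT
"""

def parse_inetnums(text):
    """Split RPSL text into inetnum objects with range bounds and multi-valued attributes."""
    objs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep and not line.startswith(("%", "#")):
                attrs.setdefault(key.strip().lower(), []).append(val.strip())
        if "inetnum" in attrs:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in attrs["inetnum"][0].split("-"))
            objs.append({"lo": lo, "hi": hi, "attrs": attrs})
    return objs

def screen_prefix(prefix, objs):
    """Return (country, matched operator strings) from the smallest inetnum covering prefix."""
    net = ipaddress.ip_network(prefix)
    covering = [o for o in objs if o["lo"] <= net.network_address and net.broadcast_address <= o["hi"]]
    if not covering:
        return None
    best = min(covering, key=lambda o: int(o["hi"]) - int(o["lo"]))
    a = best["attrs"]
    hits = [v for k in ("netname", "mnt-by", "org") for v in a.get(k, []) if OPERATOR_MARKERS.search(v)]
    return a.get("country", ["?"])[0], hits
```

A result with a non-RU country and a non-empty match list is the mismatch this article describes; a `None` result means no inetnum in the loaded set covers the prefix and the lookup needs a fuller WHOIS source.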

Full tables, the complete operator-by-prefix-country matrix, the 30-AS live-traffic classification, methodology for the WHOIS join and the three-vantage banner sampling, and the raw candidate prefix list are in the brief at /intel/bgp-jurisdiction-laundering.html.
