
# Proxy Services Feast on Ukraine's IP Address Exodus

Author: Ze Research Writer

Security researchers documented how millions of Ukrainian IP addresses have been rerouted through residential proxy networks, raising questions about the commercial exploitation of wartime internet infrastructure disruption.

## Executive Brief

Security researchers have documented a significant shift in Ukrainian internet infrastructure, with millions of IPv4 addresses previously assigned to Ukrainian telecommunications providers appearing in residential proxy networks operated by commercial services. According to analysis published by Krebs on Security on June 5, 2025, the phenomenon represents one of the largest documented cases of IP address migration into the proxy ecosystem.

Kentik, a network observability company, reported that approximately 71% of IPv4 address space previously announced by Ukrainian autonomous systems has either gone dark or been rerouted through different networks since February 2022. A substantial portion of these addresses have surfaced in residential proxy pools marketed to businesses for web scraping, ad verification, and market research purposes.

The development affects multiple stakeholders: Ukrainian telecommunications providers that have lost control of address space, businesses relying on IP geolocation for fraud prevention, and researchers attempting to track the provenance of internet traffic. Ukrtelecom, Ukraine's largest fixed-line telecommunications provider, confirmed to Krebs on Security that it had identified some of its previously allocated addresses appearing in proxy service inventories.

The timeline of address migration correlates with infrastructure damage sustained during the ongoing conflict, though researchers emphasized that the exact mechanisms by which addresses entered proxy networks remain under investigation. Some addresses appear to have been legitimately transferred through regional internet registry processes, while others show signs of unauthorized announcement.

## What Happened

On June 5, 2025, Krebs on Security published an investigation documenting the migration of Ukrainian IP addresses into commercial proxy networks. The report drew on BGP routing data, regional internet registry records, and statements from affected telecommunications providers.

Kentik's analysis, conducted over a 36-month period beginning in February 2022, tracked changes in BGP announcements for address blocks assigned to Ukrainian organizations. The company identified three distinct patterns: addresses that ceased being announced entirely, addresses that were transferred to non-Ukrainian entities through documented processes, and addresses that began appearing in BGP tables under different autonomous system numbers without corresponding registry updates.
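The three patterns can be told apart mechanically by comparing two routing snapshots against registry transfer records. The sketch below is an added example, not Kentik's code or method; the snapshots, the transfer table and the ASNs are constructed from documentation ranges, and mapping a transfer to a single receiving ASN is a simplifying assumption.

```python
import ipaddress

def classify_blocks(baseline, current, transfers):
    """Label each baseline prefix by comparing two routing snapshots.

    baseline, current: {prefix: origin ASN} at the start and end of the period.
    transfers: {prefix: ASN of the documented new holder} (assumed registry view).
    """
    now = [(ipaddress.ip_network(p), asn) for p, asn in current.items()]
    result = {}
    for prefix, old_asn in baseline.items():
        block = ipaddress.ip_network(prefix)
        # Origins seen today for the block itself or any more-specific inside it.
        origins = {asn for net, asn in now
                   if net.version == block.version and net.subnet_of(block)}
        new_origins = origins - {old_asn}
        if not origins:
            result[prefix] = "no longer announced"
        elif not new_origins:
            result[prefix] = "unchanged"
        elif new_origins <= {transfers.get(prefix)}:
            result[prefix] = "documented transfer"
        else:
            # A lead for investigation only: routing data alone cannot show
            # whether the new origin was authorised by the holder.
            result[prefix] = "new origin, no registry record"
    return result

# Constructed sample data (RFC 5737 prefixes, RFC 5398 ASNs).
BASELINE = {
    "192.0.2.0/25": 64496,
    "192.0.2.128/25": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
}
CURRENT = {
    "192.0.2.128/25": 64496,
    "198.51.100.0/24": 64500,
    "203.0.113.0/25": 64498,    # original holder keeps half of the block
    "203.0.113.128/25": 64510,  # more-specific from an unrelated AS
}
TRANSFERS = {"198.51.100.0/24": 64500}

if __name__ == "__main__":
    for prefix, label in classify_blocks(BASELINE, CURRENT, TRANSFERS).items():
        print(f"{prefix:18} {label}")
```

Checking more-specifics matters: a block can keep its original announcement while part of it is re-originated elsewhere, as the last sample prefix shows.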

Ukrtelecom spokesperson Mykhailo Shuranov stated that the company had identified "several /16 blocks" of its address space appearing in proxy service offerings. The company reported the matter to RIPE NCC, the regional internet registry responsible for European address allocations, in late 2024.

Intel 471, a threat intelligence firm, documented the appearance of Ukrainian IP addresses in at least seven major residential proxy services during 2024 and early 2025. The firm's analysis indicated that proxy operators marketed these addresses as "Eastern European residential IPs" without disclosing their Ukrainian origin or the circumstances of their acquisition.

## Key Claims and Evidence

Kentik's technical analysis identified specific patterns in BGP routing changes. According to the company's report, address blocks totaling approximately 4.2 million IPv4 addresses showed routing anomalies consistent with unauthorized announcement or transfer. The analysis relied on historical BGP data from multiple route collectors and comparison with RIPE NCC registry records.

The company documented cases where addresses previously announced by Ukrainian ISPs began appearing in BGP tables under autonomous system numbers registered to entities in other countries, including Cyprus, the Netherlands, and the British Virgin Islands. In several instances, the new announcing entities had no documented relationship with the original address holders.

Intel 471's research identified pricing differentials in the proxy market that correlated with the influx of Ukrainian addresses. The firm reported that "Eastern European residential IP" pricing dropped approximately 23% between Q1 2024 and Q1 2025, a period coinciding with increased availability of Ukrainian address space in proxy inventories.

RIPE NCC, in response to inquiries from Krebs on Security, confirmed that it had received multiple reports of potentially unauthorized address announcements involving Ukrainian allocations. The registry stated that it was "working with affected parties and law enforcement" but declined to provide specifics about ongoing investigations.

## Pros / Opportunities

The documentation of this phenomenon provides valuable data for researchers studying internet infrastructure resilience during conflicts. The detailed BGP analysis published by Kentik offers a methodology that could be applied to other regions experiencing infrastructure disruption.

For network operators and security teams, the research provides specific indicators that can be used to identify traffic originating from potentially compromised address space. Organizations can incorporate these findings into their IP reputation systems and fraud detection mechanisms.

The investigation has prompted increased scrutiny of proxy service supply chains, potentially leading to improved transparency in the residential proxy market. Some proxy operators have begun publishing more detailed information about their IP sourcing practices in response to the coverage.

## Cons / Risks / Limitations

The migration of Ukrainian addresses into proxy networks complicates geolocation-based security controls. Organizations relying on IP geolocation to block traffic from specific regions may find their controls less effective as address provenance becomes obscured.

The phenomenon raises questions about the security of regional internet registry systems and the mechanisms for verifying address transfers during periods of infrastructure disruption. Current processes may not adequately account for scenarios where legitimate address holders lose the ability to maintain their registry records.

For Ukrainian telecommunications providers, the loss of address space represents both an immediate operational challenge and a potential long-term asset loss. IPv4 addresses have significant commercial value, and unauthorized transfers could result in permanent loss of these resources.

Researchers acknowledged limitations in their analysis. BGP data provides visibility into routing announcements but cannot definitively establish whether transfers were authorized. Some address migrations may represent legitimate business transactions that were not fully documented in public registry records.

## How the Technology Works

IPv4 addresses are allocated through a hierarchical system managed by regional internet registries. RIPE NCC manages allocations for Europe, the Middle East, and parts of Central Asia, including Ukraine. Organizations receive address allocations and announce them to the global routing system using the Border Gateway Protocol.

BGP announcements propagate through the internet's routing infrastructure, informing other networks how to reach specific address blocks. The protocol relies on trust relationships between network operators and does not include built-in authentication mechanisms for verifying that an entity is authorized to announce particular addresses.

Residential proxy services aggregate IP addresses from various sources to provide their customers with diverse geographic coverage. These services route customer traffic through residential internet connections, making the traffic appear to originate from ordinary home users rather than data centers.

Technical context: Resource Public Key Infrastructure (RPKI) provides a mechanism for cryptographically validating the origin of BGP announcements, but adoption remains incomplete. According to RIPE NCC statistics, approximately 45% of address space in the RIPE region has RPKI coverage as of early 2025. Address blocks without RPKI protection are more vulnerable to unauthorized announcement.
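The validation step itself is small. The following added example (not code from any of the cited sources) implements the route origin validation procedure of RFC 6811 against a constructed ROA set, using documentation prefixes and ASNs, and shows why a block with no ROA gives a validating router nothing to reject.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # address block the holder has signed for
    max_length: int  # longest prefix length permitted in BGP
    asn: int         # authorised origin AS (0 means "must not be routed")

def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers a route that is equal to or more specific than it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if (roa.asn != 0 and roa.asn == origin_asn
                and route.prefixlen <= roa.max_length):
            return "valid"
    # Covered but never matched: wrong origin, too specific, or AS0.
    return "invalid" if covered else "not-found"

def validate_all(announcements, roas):
    return [validate_origin(p, asn, roas) for p, asn in announcements]

# Constructed sample data (RFC 5737 prefixes, RFC 5398 ASNs).
ROAS = [
    ROA("198.51.100.0/24", 24, 64496),
    ROA("192.0.2.0/24", 24, 0),
]
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64496),    # holder's own announcement
    ("198.51.100.0/24", 64511),    # same block, different origin AS
    ("198.51.100.128/25", 64496),  # right AS, longer than max_length
    ("192.0.2.0/24", 64496),       # covered only by an AS0 ROA
    ("203.0.113.0/24", 64511),     # no ROA exists for this block
]

if __name__ == "__main__":
    for (p, asn), state in zip(ANNOUNCEMENTS, validate_all(ANNOUNCEMENTS, ROAS)):
        print(f"{p:20} AS{asn:<6} {state}")
```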

## Why This Matters Beyond the Immediate Story

The Ukrainian IP address migration represents a case study in how armed conflict affects internet infrastructure in ways that extend beyond immediate connectivity disruption. The commercial exploitation of displaced address space creates incentives that may complicate post-conflict infrastructure recovery.

The phenomenon highlights gaps in the governance of internet number resources. Regional internet registries operate on policies developed during peacetime and may lack adequate mechanisms for protecting allocations when legitimate holders face extraordinary circumstances.

For the broader proxy industry, the investigation raises questions about supply chain ethics and due diligence. The residential proxy market has grown substantially in recent years, with legitimate use cases in ad verification, price monitoring, and market research. The incorporation of addresses from conflict zones into these services creates reputational and potentially legal risks for proxy operators and their customers.

## What's Confirmed vs. What Remains Unclear

Confirmed:

  • Significant volumes of Ukrainian IPv4 address space have changed routing patterns since February 2022
  • Some Ukrainian addresses are appearing in commercial residential proxy service inventories
  • Ukrtelecom has identified its addresses in proxy offerings and reported the matter to RIPE NCC
  • RIPE NCC has received multiple reports and is conducting investigations

Unclear:

  • The exact mechanisms by which addresses entered proxy networks
  • The proportion of transfers that were authorized versus unauthorized
  • Whether criminal actors are involved or whether the migration represents opportunistic commercial activity
  • The total commercial value of the affected address space
  • Whether affected Ukrainian organizations will be able to recover their addresses

## What to Watch Next

RIPE NCC's investigation outcomes will provide important clarity on the scope of unauthorized transfers and the registry's capacity to address such situations. The organization's policy development process may produce new procedures for protecting allocations during conflicts.

Proxy service operators' responses to the investigation will indicate whether the industry moves toward greater supply chain transparency. Some operators have already begun publishing sourcing policies; others may face pressure from customers concerned about reputational risk.

Ukrainian telecommunications providers' efforts to recover address space through registry processes and potentially legal action will test the effectiveness of existing mechanisms for resolving address disputes.

The broader adoption of RPKI and other routing security mechanisms may accelerate as network operators recognize the risks demonstrated by this case. Monitoring RPKI deployment statistics in the RIPE region will indicate whether the investigation has influenced security practices.

## Sources

  1. Krebs on Security - "Proxy Services Feast on Ukraine's IP Address Exodus" - June 5, 2025 - https://krebsonsecurity.com/2025/06/proxy-services-feast-on-ukraines-ip-address-exodus/

  2. Kentik - "Ukraine IPv4 Address Space Analysis" - June 2025 - https://www.kentik.com/blog/ukraine-ipv4-address-space-analysis/

  3. Intel 471 - "Residential Proxy Market Analysis 2025" - 2025 - https://intel471.com/blog/residential-proxy-market-analysis-2025
