Ukraine’s Lost Internet Space: How the War is Reshaping Global Cybercrime and What It Means for You

Nearly one-fifth of Ukraine’s internet infrastructure has vanished into the murky world of proxy services and, potentially, hostile actors since February 2022. This isn’t just a Ukrainian problem; it’s a growing threat to global cybersecurity, and a stark illustration of how geopolitical conflict is playing out in the digital realm. A new study reveals that valuable Ukrainian IP address space, sold off to keep vital services online during wartime, is now being exploited to mask cyberattacks and facilitate illicit online activity – often routed through American internet service providers.

The Fire Sale of Ukrainian IP Addresses

As Russia’s invasion intensified, Ukrainian internet service providers (ISPs) faced an impossible choice: maintain infrastructure amidst active warfare or sell off crucial assets to survive. Many opted for the latter, offloading blocks of IPv4 addresses – the numerical labels that identify devices on the internet – to brokers. These addresses are a finite resource, and therefore valuable. Ukrtelecom, Ukraine’s incumbent ISP, now controls just 29% of the IP ranges it held at the start of the war, admitting the sales were necessary for “financial stability and continue delivering essential services.” Other providers, like LVS and Tvcom, followed suit, scattering their address space across the globe.

The American Connection: Why US ISPs Are Involved

The destination for a significant portion of this Ukrainian IP space? Surprisingly, some of the largest internet service providers in the United States. Amazon (AS16509), AT&T (AS7018), and Cogent (AS174) are now routing substantial blocks of addresses that once belonged to Ukrainian ISPs. But it’s not as simple as a direct transfer. According to Spur, a company tracking VPN and proxy services, these addresses are overwhelmingly being used by commercial proxy providers. These services allow users to mask their IP address and location, routing internet traffic through a third-party server.

The Dual Nature of Proxy Services

Proxy services aren’t inherently malicious. They have legitimate uses, such as enabling price comparisons, gathering sales intelligence, and powering web crawlers. However, they are also a haven for cybercriminals. By obscuring their origin, attackers can launch DDoS attacks, conduct phishing campaigns, and engage in other illegal activities with greater anonymity. The co-mingling of Ukrainian IP addresses with these proxy networks has created a dangerous situation, with some of those very addresses being used in cyberattacks against Ukraine and its allies.

AT&T’s Policy Shift and the Looming Deadline

Recognizing the problem, AT&T recently updated its terms of service, prohibiting customers from using IP addresses they don’t own. Affected customers have until September 1, 2025, to transition to Border Gateway Protocol (BGP) routing using their own Autonomous System Number (ASN). This is a significant step, and AT&T is the first major ISP to take such decisive action. As Riley Kilmer, CTO of Spur, notes, “AT&T is the first one of the big ISPs that seems to be actually doing something about this.”

Will Other ISPs Follow Suit?

The question now is whether other large US ISPs will follow AT&T’s lead. Cogent Communications (AS174), in particular, has been identified as an attractive destination for proxy services due to its relatively lax routing policies. While Cogent handles a large volume of traffic, its ease of use makes it a prime target for those seeking to hide their online activities. The future of these proxy services hinges on whether other providers tighten their policies or continue to facilitate this shadowy traffic.

The Rise of State-Sponsored Cybercrime and the Stark Industries Case

The situation is further complicated by the emergence of entities like Stark Industries Solutions Inc., an ISP that surfaced shortly before the Russian invasion and quickly became a source of large-scale cyberattacks. Sanctioned by the European Union, Stark Industries was found to be utilizing IP address blocks sourced from Ukrainian ISPs and connected to Russia-based proxy services. This highlights the potential for state-sponsored actors to exploit the vulnerabilities created by the displacement of Ukrainian internet infrastructure.

Looking Ahead: A More Fragmented and Vulnerable Internet?

The displacement of Ukrainian IP address space is a symptom of a larger trend: the increasing fragmentation of the internet and the growing sophistication of cyber threats. As geopolitical tensions rise, we can expect to see more instances of infrastructure being weaponized and exploited. The reliance on proxy services, while offering legitimate benefits, creates a significant security risk. The upcoming September 2025 deadline for AT&T customers will be a critical test. Will it force proxy services to relocate, or will they simply find new havens on less regulated networks? The answer will have profound implications for the future of cybersecurity.

What steps can individuals and organizations take to protect themselves? Prioritizing strong cybersecurity practices, utilizing reputable VPN services (with careful consideration of their privacy policies), and staying informed about emerging threats are crucial. The battle for internet security is ongoing, and vigilance is paramount.

Explore more insights on cybersecurity threats and mitigation strategies in our dedicated section.