We’d like to inform NordVPN users about a situation that may or may not have a limited impact on our service. It does not represent a security threat, but it may require our server experts to replace or remove some of our servers in several US locations.
On May 14th, a cloud platform company named Micfo was accused of wire fraud in a South Carolina court. They were accused of using a network of fake companies and names to get more than 735,000 IP addresses from ARIN (the American Registry for Internet Numbers).
Because the world is at risk of running short of IPv4 addresses, non-profit organizations have been established to regulate who gets to control these addresses. ARIN is one such non-profit regulator.
Micfo allegedly used their fake companies and aliases to get more than their fair share of IPv4 addresses, later selling or leasing them to other companies at a profit.
It is common for companies to acquire IP addresses and lease them to others. What is not normal, however, is for companies to acquire those addresses fraudulently the way Micfo is said to have done. The lack of active regulation here on ARIN’s part also makes it very difficult, if not impossible, for anyone leasing an IP address to ascertain whether it was acquired legitimately or not.
Unfortunately, NordVPN also fell victim to Micfo’s alleged fraud, leasing IP addresses that had been acquired dishonestly. This is incompatible with NordVPN’s values, so we are taking all necessary actions to replace those addresses with new ones.
The potential impact on NordVPN’s service is not yet clear. The affected IP addresses have been identified. Our teams are already working overtime to find new IP address providers and ensure that NordVPN users experience little or no impact on the quality of their service.
We’d like to emphasize a few key points.
No efficient tools exist that could have allowed NordVPN to prevent this. Current regulatory tools and efforts make it difficult for client companies like NordVPN to tell whether the IP addresses they are using were acquired legitimately or fraudulently. Even in this case, the fraud only came to light after Micfo took a gamble by taking ARIN to court preemptively and losing.
As ICANN Security and Stability Advisory Committee member John Levine explains in a report by KrebsOnSecurity, “A lot of people have been frustrated that ARIN doesn’t act more like a regulator in this space. Given how increasingly valuable IPv4 space is, ARIN has to be more vigilant because the incentive for crooks to do this kind of thing is very high.”
We’ll keep you updated on this situation as it unfolds.