Russia is using stolen Ukrainian IP addresses to disguise cyberattacks on Europe, creating a threat to the continent’s digital security, as by The Cyber Express.
Russian occupation forces in Kherson, through physical coercion, obtained credentials from Ukrainian telecom operators and took control of their IP addresses. Moscow now uses these addresses to conceal the sources of attacks and disinformation operations, presenting them as actions by Ukrainian entities.
Despite Ukraine’s appeals and clear violations of sanctions, the organization managing Internet number resources for Europe, the Middle East, and Central Asia—RIPE NCC, based in Amsterdam—continues to provide Russia access to the stolen digital assets, citing “neutrality” and claiming that “the Internet is beyond politics.” Experts warn that this significantly complicates tracking cyberattacks and undermines Europe’s digital security.
IP addresses function as digital passports for devices, providing geolocation and data routing. These resources have not only economic but also strategic value, as they carry government communications, banking operations, and signals for critical infrastructure. One IPv4 address currently sells for €35–50 on shadow or semi-official markets, and the loss of even a few thousand addresses results in multimillion-euro damages.
After Russia occupied parts of Ukraine in 2014 and 2022, many Ukrainian providers were stripped of IP addresses, which were re-registered through RIPE NCC to Russian companies.
Russian information expansion in occupied Ukrainian territories is carried out through state-owned telecom enterprises such as Ugletelecom, Comtel, Phoenix, and Republican Digital Communications. These entities use large blocks of stolen IP addresses to conduct sham referenda and elections, spread propaganda and cyberattacks against Ukraine, and redirect revenues to the budgets of the “DNR” and “LNR.”
Andriy Pylypenko, a lawyer working on Ukraine’s legal position to freeze the stolen IP addresses, noted that such actions violate the EU sanctions regime. The Internet Association of Ukraine warned RIPE in 2018 against cooperating with the “DNR” and “LNR,” but the organization did not respond, claiming that IP addresses are not subject to sanctions. In 2021, the Dutch Ministry of Foreign Affairs confirmed that IP resources are economic assets and should be restricted for sanctioned organizations; however, RIPE did not agree with this interpretation and requested an exemption from sanctions, which was denied.
