The most lucrative address hijack does not begin with a dramatic route leak. It begins with a quieter failure: a registry record accepts the wrong person as the right person. A contact is replaced. A dormant company is represented by somebody who cannot prove continuity. A login that should have been only an administrative convenience becomes the practical key to a scarce asset. A letter, a corporate extract or a proxy is accepted without enough attention to capacity, chain of custody or notice. By the time a prefix is announced, leased, sold or used as operating inventory, the valuable part of the theft may already have happened.
That is why hijack and fraud controls around AFRINIC are not merely a compliance topic. They are a problem in bounded verification economics. The registry record is not a title deed in the fullest legal sense, and it is not a moral licence for every later commercial use of an address block. Yet it is one of the documents through which buyers, sellers, lenders, network operators, customers, brokers, courts, auditors and abuse teams infer who can speak for a resource. If that document is too easy to corrupt, theft becomes cheaper than diligence. If it is too hard to change, lawful holders are trapped behind a gate they cannot price or appeal.
AFRINIC's own history makes this tension unusually concrete. Reported address theft involving roughly 4.1 million IPv4 addresses, including resources described as coming from the free pool and legacy records, showed that old records, weak contact data, insider exposure and document manipulation can become routes into real economic value. The same history also showed that correction is not a clerical undo button. Once a false record has been relied on, recovery can involve routed networks, downstream users, counterparties, reputation harm, court proceedings, evidentiary reconstruction and disputed reliance by parties who may be distant from the original manipulation.
The lesson is not that every later AFRINIC refusal is prudent. Nor is it that a registry should become a commercial supervisor of IPv4 leasing, transfer pricing, market concentration or the virtue of a holder's business model. The lesson is narrower and harder: a registry responsible for a scarce ledger needs strong controls against impersonation, forged authority and unauthorized control changes, but those controls must stay inside a bounded mandate. They should protect identity, company authorization, chain of custody, dormant and legacy record review, account security, two-person approvals, tamper-evident logs, notice, cure, appeal and emergency freeze thresholds. They should not become arbitrary refusal, capital control, mandate laundering or a business-model tribunal.
This distinction matters because the costs are asymmetric. A mistaken approval can put a block into the hands of a thief and leave the lawful holder to spend years unwinding the damage. A mistaken refusal can immobilize a legitimate holder, chill a transaction, deprive a customer of service continuity or create a litigation weapon. Delay itself is a cost, but speed without verification is also a cost. The task is not to pick trust or control in the abstract. It is to allocate verification effort where the expected loss from a false entry is highest, and to make refusal reasoned, time-bounded and reviewable where the registry says the evidence is not enough.
In that sense, AFRINIC is a useful case for the whole IPv4 market. Scarcity has made old administrative facts financially material. It has also made institutional discretion more tempting. A scarce ledger can be stolen by outsiders, abused by insiders, frozen by litigation, or quietly converted into a veto over private capital movement. Good anti-hijack controls resist all four. They make false control expensive without making legitimate movement hostage to administrative discomfort.
The registry record is a ledger, not a permission slip
The first discipline is conceptual. A registry record is a ledger entry. It says which organization or person is associated with a resource, which contacts can administer it, which technical and routing facts are recorded, what changes have occurred and what evidence supports the current state. It does not, by itself, decide that every downstream use is wise, that a buyer paid a sensible price, that a lease is commercially attractive, or that a holder's strategy deserves institutional approval.
The distinction between ledger and permission slip is easy to blur because the same registry that records contact and resource data also applies allocation, transfer and account rules. A registry cannot be a passive typist. If it processes every instruction from anyone who can send a plausible email, the database becomes an instrument of theft. If it ignores policy rules that are part of the resource-administration framework, it abandons a function that market participants expect it to perform. But the anti-hijack function is still narrower than general supervision. It asks whether the requester has authority to alter the record. It does not ask whether the market should like the transaction behind the request.
A ledger role is active but bounded. It requires the registry to verify identity, capacity and resource connection. It requires evidence that an officer, director, court-appointed controller, lawful successor, trustee, liquidator, technical delegate, broker or lawyer has the authority claimed. It requires a record of who asked for what, who approved it, which documents were accepted, which notices were sent, which objections were received and why the final decision followed. It also requires the registry to preserve enough history for a later reviewer to distinguish error from discretion and fraud from good-faith doubt.
What it should not do is convert evidentiary review into a discretionary judgement on the commercial form of address use. A registry may need to know whether a lease-related administrator is actually authorized by the holder. It does not need to decide whether the rent was high, whether the lessee's business is attractive, whether the lessor should have sold instead, or whether an unrelated policy objective would be better served by slowing the deal. The same is true for transfers, reorganizations and account changes. If a request fails because authority is not proven, the reason should say that. If a request fails because a rule of allocation or transfer policy applies, the reason should say that. A fraud vocabulary should not hide a policy veto.
This is where bounded verification becomes economically important. The registry record coordinates many actors that cannot reconstruct the whole history of a resource themselves. A buyer cannot efficiently investigate every historic allocation letter, merger, dissolution, name change, archived invoice, role account, domain record and routing signal behind a block. A lender evaluating an address-dependent business cannot become a corporate succession court. An upstream deciding whether to accept a customer's address space cannot conduct a full forensic audit. The registry does not replace all due diligence, but it can make the basic claim of authority harder to forge.
That role supports markets precisely because it is limited. The registry should make the ledger reliable enough for parties to transact. It should not make the ledger contingent on the preferences of whoever happens to control the institution. A permission-slip model reduces risk by granting a standing veto. A ledger model reduces risk by increasing evidence and accountability. The second is slower than blind processing, but it is also safer than unconstrained discretion.
Scarcity changed the payoff for record manipulation
IPv4 scarcity changed the expected return on registry fraud. When addresses were easier to obtain, an old or poorly monitored record still mattered, but the prize was less liquid. A thief could route space, abuse it or sell access informally, yet a legitimate operator often had alternatives. Exhaustion altered the equation. A block that once looked like neglected administrative residue became saleable inventory, operating capital, customer-continuity support and sometimes a balance-sheet-adjacent asset in a business transaction.
The market does not need the strongest possible legal theory of property to create this incentive. What matters is practical control. A party that can appear to control a block can lease it, offer it as part of hosting capacity, support a customer migration, use it in a data-centre business, present it to a buyer, or claim operational continuity during a financing or acquisition. Even where legal ownership is contested or carefully limited, the ability to make the registry, counterparties and routing ecosystem treat one as the authorized controller has economic value. That value attracts fraud.
Scarcity also changes the value of silence. Dormant records, old legacy holdings and unmonitored role contacts become tempting because a legitimate holder may not object quickly. A defunct company may have no obvious successor. A state entity may have reorganized. A university or public-sector network may have retained historic addresses while staff changed and archives decayed. An old email account may still work even though the person using it is no longer authorized. A successor may be real but difficult to prove. In such conditions, the attacker does not have to defeat a perfect system. The attacker has to exploit ambiguity faster than the rightful party can notice and prove the contrary.
Scarcity also creates a second temptation: institutional overreach. If address blocks are valuable and politically sensitive, a registry may be pressured to keep them from moving, to scrutinize leasing as if every lease were a policy breach, to slow transfers whose optics are awkward, or to use anti-fraud language to accomplish a broader allocation or regional-capital objective. That may be presented as prudence. Economically it can operate as capital control. A holder formally retains a resource, but cannot move, monetize, reorganize or finance around it because the ledger entry needed for practical control is stuck behind undefined discretion.
The same scarcity premium therefore demands two controls at once. The first is stronger verification against impersonation, forged documents, account takeover and false succession. The second is stronger constraint on the use of verification power. A good control raises the cost of false authority faster than it raises the cost of lawful movement. A bad control raises the cost of all movement and lets insiders, litigants or administrators decide which transactions live.
Liquidity depends on this balance. If controls are too weak, honest parties discount AFRINIC-administered space with uncertain histories, demand heavy warranties, avoid older records, insist on costly escrow structures or route around the registry through opaque side arrangements. If controls are arbitrary, honest parties face the same discount from the other direction: a buyer does not know whether approval will arrive; a seller cannot price the delay; a lessor cannot know whether a routine update will become a judgement on the lease itself. Both failure modes impair the market. One allows thieves to move value; the other prevents legitimate holders from doing so.
The point is not that scarcity turns every address into a conventional financial asset. It is that scarcity makes the registry record a higher-stakes coordination instrument. When the record is wrong, the loss spreads. When the record is hostage to discretion, the loss also spreads. Verification economics starts from that double cost.
The AFRINIC heist is a warning, not a blank cheque
AFRINIC's reported address heist is a useful warning precisely because it should not be exaggerated beyond what it proves. The broad outline is enough for the institutional lesson: reports described roughly 4.1 million IPv4 addresses as having been misappropriated or manipulated, with parts described as linked to free-pool space and parts to legacy resources. The accounts associated the problem with record alteration, dormant or weakly monitored holdings, grey-market monetization, spam or abuse-adjacent use, later recovery efforts, correction disputes and litigation. Those elements are sufficient to show why a scarce registry ledger needs fraud controls.
They do not prove that every subsequent AFRINIC restriction is sound. A past theft can become a dangerous institutional myth if it is used to justify any refusal, any delay or any public suspicion of any holder whose business model is disliked. The better reading is stricter. The heist showed that control of the registry record can be converted into economic value. It showed that weak authority chains and internal process exposure can impose costs on lawful holders and later market participants. It showed that correction after reliance accumulates is expensive. It did not dissolve the boundary between fraud prevention and commercial supervision.
The sequence matters. A high-value record does not have to be stolen in one visible act. It can pass through stages. First, a resource sits with weak contacts, thin archives or internal ambiguity. Then someone obtains access, creates a corporate story, fabricates or overstates authority, or benefits from a staff-side weakness. Next, the registry record changes in a way that appears administrative. The block is then routed, leased, sold, used for hosting, mixed with customer services or represented in transactions. Later, when the original holder, the registry or an investigator challenges the record, multiple layers of reliance already exist.
That reliance is why prevention is cheaper than recovery. A password can be reset. A contact can be restored. But a large block that has been shown to customers, accepted by operators, attached to a commercial service or sold through a chain is harder to unwind. Some downstream users may be innocent. Some counterparties may have performed partial diligence. Some routers may have accepted the technical facts because the registry facts looked plausible. A later correction has to separate culpable control from operational dependency. It may also have to overcome reputation damage, legal filings and competing narratives about who relied on what.
The heist also makes insider and process risk impossible to ignore. Registry fraud does not require a fully corrupt institution. It requires enough weakness in permissions, document handling, staff approvals, account recovery, audit trails or segregation of duties for a small number of actions to create external authority. Staff members and administrators hold practical power over contact validation, record correction, document acceptance and emergency action. A serious control system assumes that staff can be deceived, pressured, conflicted or, in rare cases, abusive. Two-person approval, maker-checker separation, tamper-evident logs and reviewable evidence files are not decorative controls. They are the price of using a scarce ledger.
The warning should therefore be applied with precision. The registry should treat dormant records, large legacy holdings, complete contact replacement, recent account recovery followed by transfer, newly introduced representatives, conflicted corporate claims and urgent control changes as higher-risk events. It should not make routine, low-risk maintenance feel like a criminal investigation. Nor should it let the past theft become a permanent presumption against old holders who can prove continuity. The economically sensible response is not universal suspicion. It is targeted verification where the loss from a false entry would be high.
Authority chains are economic infrastructure
Most address fraud is an authority-chain problem before it is a routing problem. Who can speak for a company that changed name fifteen years ago? Who controls a block after a merger, liquidation, receivership, estate process, state restructuring or sale of business? Is a consultant still authorized? Did a former employee keep a mailbox? Does a broker's letter prove representation or merely an introduction? Does a court-appointed controller have power over this particular resource, or only over a company in a broader dispute? These are not administrative details. They determine whether scarce-resource markets can function without constant private litigation.
A useful authority chain has several layers. Identity comes first: the human being making the request must be who they claim to be, or must be verifiably linked to an organization. Capacity comes next: the person must have an office, delegation, appointment or legal role that permits action for the holder. Resource connection then has to be shown: the organization or successor must be linked to the specific addresses through allocation records, historic correspondence, invoices, service records, transfer documents, corporate continuity evidence or prior validated registry actions. Finally, the requested action must fall within the authority shown. A person who can update a technical contact may not be able to transfer a block.
This layered approach prevents two errors. The first is treating account access as control. A hardened registry account is strong evidence when it was properly created, maintained and protected. It is weak evidence when old credentials were shared, inherited, compromised or never tied to current corporate authority. Login control is an evidentiary fact, not a substitute for authorization. The second error is treating corporate paperwork as sufficient by itself. A company extract may show that someone is a director of an entity with a similar or successor name. It does not by itself prove that the entity is the holder of a specific historic allocation or that the director can authorize the requested transaction.
The economic function of authority-chain review is to lower the risk premium for everyone else. A buyer does not need the registry to certify that the purchase price is efficient. It needs confidence that the seller is not an impostor. A lender does not need the registry to decide whether addresses are property in the strongest sense. It needs evidence that a borrower claiming operational control is not relying on forged contacts. An operator accepting customer-provided space does not need a full corporate-history judgement. It needs confidence that the party asking it to route the space can be challenged if the claim is false.
AFRINIC's region makes this difficult because the evidence landscape is uneven. Some holders are mature corporations with current records and professional counsel. Others are public agencies, universities, old network operators, acquired entities, small providers, dormant businesses or organizations whose archives were never built for a secondary IPv4 market. A bounded control system should not punish imperfect archives by demanding one ideal document from every claimant. It should accept proportional evidence: tax records, board resolutions, notarized officer statements, service invoices, historic routing patterns, old correspondence, procurement records, business-registration continuity and corroborated operational use can all matter when formal documents are incomplete.
Proportionality does not mean softness. It means that the evidence should match the risk and the action. A routine contact update by a recently validated holder should be quick. A complete transfer of a large legacy block after years of silence should require a stronger file. A disputed succession should be paused long enough to notify known parties and identify the legal issue. A court order should be read for scope rather than treated as a magic word. A broker's involvement should trigger proof of delegated authority, not suspicion of every commercial transaction.
The registry's file should preserve the chain, not merely the outcome. A later reviewer should be able to see what evidence proved identity, what evidence proved capacity, what evidence connected the resource, what notice was sent, what objections arrived and why the decision was made. Without that file, a dispute becomes a contest of institutional memory and private assertion. With it, market participants can distinguish a difficult case from an arbitrary one.
Dormant and legacy records need a different evidentiary clock
Dormant and legacy records require a slower evidentiary clock because silence is ambiguous. It may mean that the holder no longer exists. It may mean that the holder is stable and has had no reason to interact with the registry. It may mean that a technical administrator watches the resource but rarely logs in. It may mean that the original holder was absorbed into another entity whose continuity is real but not obvious. Treating silence as abandonment invites theft. Treating silence as suspicion invites confiscatory administration.
The better starting point is a trigger. A dormant-record review should not be a fishing expedition. It should begin when something control-changing happens: a request to replace all contacts after long inactivity, a transfer attempt by a newly appearing representative, conflicting claims by two corporate actors, evidence that a large block is being sold or leased through an unclear channel, account recovery followed quickly by resource movement, or operational signals suggesting that control has shifted without an authority file. The trigger explains why the registry is asking questions and limits the inquiry to the risk presented.
Once triggered, the review should use notice and cure. Known contacts should be notified even if they are old. Historic addresses, corporate successors, prior technical contacts, archived billing channels and available legal routes may all be relevant. The registry should state what evidence is missing and what kinds of evidence could cure the gap. If the original holder is difficult to reach, that difficulty should be recorded; it should not automatically become consent for a new claimant. If a newly arrived claimant asks to displace an old record, the claimant should bear the burden of building a credible continuity chain.
Legacy resources require particular care because their original allocation context may predate current contracts and current administrative expectations. A registry should not pretend that every older holder entered a modern registration relationship on modern terms. At the same time, old records cannot be immune from verification when a control-changing request appears. The practical compromise is to validate current authority without rewriting the historical basis of the resource. The registry can ask who now speaks for the holder or lawful successor. It should be cautious about using anti-fraud review as a backdoor for unrelated obligations that do not bear on control.
Free-pool and legacy concerns also need to be kept distinct. If a record was never legitimately allocated, or if an internal manipulation created the appearance of allocation, the correction problem differs from a legacy holder whose evidence is old but real. If a legacy holder has a difficult paper trail, that is not the same as a fabricated holder. A bounded system should have separate categories for suspected internal manipulation, dormant continuity review, disputed succession and routine legacy validation. Lumping them together produces both false positives and exploitable gaps.
The tempo should vary with reversibility. A low-risk contact confirmation can move quickly. A transfer that would put a large block beyond easy recovery should move slowly enough for notice, evidence and review. An urgent account-security risk may justify a temporary freeze, but only for the action that could cause harm. Dormancy should not become a permanent cloud over the resource. Once a holder cures the authority gap, the record should be updated, the review marker removed or narrowed, and the history preserved so the same uncertainty does not return.
Done well, dormant-record review improves liquidity. It turns neglected records into evidenced records. It gives buyers and counterparties a file to rely on. It lets old holders prove continuity without being treated as suspects forever. Done badly, it either lets thieves exploit silence or lets the registry turn silence into discretionary control. The difference is the clock: triggered review, clear cure, reasonable notice, documented decision and an end point.
Account security is necessary but not sufficient
Account security is the most visible part of anti-hijack control, but it is not the whole system. Multi-factor authentication, hardened recovery, device alerts, role separation, session monitoring and secure contact maintenance all matter. They make it harder for a thief to enter through the front door. They also create evidence when an account was used, recovered, delegated or changed. Yet a secure account tied to the wrong person is still a dangerous account.
The registry must therefore connect account security to authority security. A resource account should not merely be a bundle of credentials. It should have validated role contacts, defined privileges, recovery procedures, delegation scope and an auditable link to the holder. A finance contact, a network contact, a legal contact and an executive signatory may have different powers. The ability to change a phone number should not imply the ability to authorize a transfer. The ability to manage reverse DNS should not imply the ability to replace the registered holder. Granular roles reduce both fraud and administrative friction.
Recovery is especially sensitive. An attacker who cannot break into an account may try to recover it. A dormant holder may have lost access legitimately. A former employee may still know enough historic details to appear credible. A consultant may hold old correspondence. A corporate successor may have new officers but no old credentials. The registry should treat recovery of high-value or long-dormant accounts as a control-changing event. It should require stronger evidence, notify existing contacts where possible, hold irreversible actions for a defined period and log the decision path.
Two-person approval belongs at two levels. On the holder side, high-risk actions should require confirmation by more than one validated authority where that is practical: for example, a director and an account administrator, or a legal signatory and a technical contact. On the registry side, maker-checker control should separate the staff member who verifies evidence from the staff member who executes the change, at least for large transfers, dormant-record changes, account recovery followed by control movement, emergency freezes and reversals. Two-person approval is not a cure for every failure, but it raises the cost of deception and internal abuse.
Tamper-evident logs are equally important. The question after a dispute is not only what the record says now. It is how it got there. The registry should be able to reconstruct the request, account login, recovery step, document submission, notice attempt, staff review, approval, execution and later modification. The log should protect sensitive data, but it should be resistant to quiet alteration. If a dispute reaches internal review or court, the registry should not have to rely on memory, selective email export or a staff member's informal recollection.
Account controls also protect the registry from becoming a personality-driven institution. When processes are weak, outsiders read every decision as factional. When processes are logged, segmented and reviewable, the argument shifts from motive to evidence. That is particularly valuable in a stressed governance environment. The market does not need to love every decision. It needs to know that a decision affecting scarce resources was not made by a single unchecked hand.
Security, however, should not become theatrical friction. Requiring multiple confirmations for a low-risk technical update may train users to route around the system. Freezing all actions after any login anomaly may punish legitimate operators. Demanding fresh corporate evidence for every minor contact edit may waste scarce staff attention. A risk-based account model is more disciplined: routine actions through hardened accounts move quickly; privilege escalation, account recovery, control changes and high-value actions receive stronger review.
Transfers, leases and routing signals belong in evidence, not judgment
Transfers and leases are places where the boundary between verification and judgement is easiest to lose. The registry may have to verify that the party requesting a transfer is authorized. It may have to confirm that a representative handling a lease-related update actually acts for the holder. It may need to examine whether downstream contacts, suballocation records or routing evidence support or contradict an authority claim. But these are evidence questions. They are not an invitation to audit the commercial wisdom of every arrangement.
For a transfer, the registry's anti-fraud question is straightforward in principle and hard in practice: can the transferor prove authority to move the resource, can the transferee be identified, does the resource chain support the transaction, have affected parties received appropriate notice, and does any known restraint or dispute make the change unsafe? A forged board resolution, a compromised account or a fake successor should stop the process. A high price, a disliked buyer or an unattractive market theory should not be smuggled into the same category unless a clearly applicable rule addresses it and the decision can be reviewed.
Leases are different because the registry may not recognize every private arrangement as a transfer of registration. But leases still create authority-verification issues. A holder may delegate technical operations to a lessee. A lessee may need route objects, reverse DNS or abuse contacts updated. A broker or service provider may submit documents. A dispute may arise over whether the lessee can continue using space after a contract ends. The registry should ask who is authorized to request registry-side changes. It should not turn that inquiry into a broad review of lease terms, deposits, termination mechanics or price. Those are private-risk questions unless they bear directly on whether the requester can speak for the holder.
Suballocation visibility can help as an evidence channel. If a holder has declared downstream users or maintained customer records, the registry and counterparties may better understand who is operating a block at a given time. That can matter for abuse handling, notice, continuity and remediation. It should not become a theory that every downstream customer is a registry-level holder or that every undeclared customer arrangement is fraud. The narrow point is attribution. Visibility helps determine who used or controlled space; it does not decide commercial legitimacy by itself.
Routing evidence, route objects, Internet Routing Registry data, RPKI ROAs and BGP history can also corroborate control. They show who originated space, what authorization signals existed, whether a route changed after an account event, whether a technical story is plausible and whether a claimed operator actually used the block. But routing signals are not corporate authority. A thief can route a stolen block. A legitimate holder may have outsourced routing. A valid ROA may prove that a holder authorized an origin at a point in time, not that a transfer request is lawful. These tools belong in the evidence file, not at the top of the hierarchy.
The same is true of address reputation and blocklists. Reputation damage may be a consequence of a hijack and may help show that a block was operated by a particular party. Delisting records can show remediation. Abuse tickets can show who answered complaints. But reputation is not the thesis of hijack control. A dirty block is not automatically stolen, and a clean block is not automatically legitimate. Reputation evidence should support authority analysis where relevant without becoming a substitute for it.
The registry's discipline is to ask the same question in every commercial form: what fact is this evidence being used to prove? If a lease document proves a broker's authority to request a contact change, use it for that. If a route object proves that a lessee originated space, use it to corroborate operational use. If suballocation records identify affected downstream customers, use them for notice. Do not use the same fragments to conduct a free-floating trial of the business model. That is how verification becomes gatekeeping.
Emergency freezes require bright thresholds
An emergency freeze is the sharpest anti-hijack instrument because it preserves the status quo before all evidence is complete. Sometimes it is necessary. If a registry sees signs of imminent unauthorized transfer, account recovery followed by rapid control movement, forged documents, conflicting high-risk requests, staff-account compromise, a court restraint or a credible report that a large block is being sold through false authority, waiting for ordinary review may let the asset leave the ledger before the rightful party can act.
Precisely because it is powerful, the freeze needs bright thresholds. It should be temporary, specific, reasoned and reviewable. It should apply to the action that creates risk, not to every aspect of a holder's relationship with the registry unless the evidence justifies that breadth. A freeze on transfer or contact replacement may be enough. A freeze on routing-related services or account access may be justified only where those functions are part of the imminent harm. The registry should preserve value where it can, not maximize pressure.
The threshold should be tied to evidence categories. A mere discomfort with a transaction is not enough. A high price is not enough. The existence of a lease is not enough. Public controversy is not enough. A proper threshold looks different: a validated contact denies authorization; two claimants produce conflicting corporate documents; an account recovery request is followed by a large transfer attempt; documents cannot be authenticated and the change is irreversible; staff logs show unusual access; a court order restrains disposition; routing changes suggest a sudden takeover inconsistent with the authority file. These are risk facts, not preferences.
Notice should be fast but careful. Affected parties should be told what has been frozen, at what level of generality the risk exists, what evidence could cure the problem, how long the initial freeze lasts and how to challenge it. The registry may need to protect investigative details, personal data or security signals. Confidentiality does not justify silence about the existence and scope of the decision. A holder that does not know what has happened cannot cure. A counterparty that cannot tell whether a freeze is narrow or broad cannot price its exposure.
Time limits matter. An emergency freeze that can be extended indefinitely without fresh reasons becomes ordinary control by another name. The initial period should be short enough to force review and long enough to prevent immediate loss. Extensions should require documented reasons, a statement of what evidence remains unresolved and a review path. If the freeze follows a court order, the registry should identify the order's scope and avoid expanding it through administrative interpretation. If it follows an internal risk assessment, the registry should identify the evidence category and the cure process.
Appeal should not be ceremonial. A valuable resource can support customers, financing, contractual obligations and network continuity. A freeze can therefore impose costs long before a final decision. Affected parties should have a rapid challenge path before a reviewer who can examine the evidence file rather than merely ask whether staff felt uneasy. The reviewer should distinguish identity doubt, capacity doubt, resource-chain doubt, document-authenticity doubt, policy doubt, court restraint and operational-risk doubt. Different problems require different cures.
Emergency power is most legitimate when it is least comfortable for the institution using it. The registry should have to explain why the freeze is necessary, why it is no broader than necessary and how it will end. That discipline does not weaken anti-hijack control. It makes the control credible to parties who fear both theft and administrative capture.
Governance stress makes bounded authority more important
AFRINIC's recent governance stress changes how fraud controls are perceived. The relevant context includes court involvement, receivership, attempts to restore board governance in 2025, election-integrity concerns, later movement toward board-led recovery and litigation that remained material into 2026. Those facts should be stated conservatively. They do not support a sweeping legal conclusion here, and they do not decide which litigant or institution was right in every dispute. They matter because they show that registry authority can become contested at the same time that the address ledger remains economically necessary.
The answer cannot be paralysis. A registry under litigation still has to maintain records, protect accounts, process legitimate requests, support service continuity and prevent unauthorized changes. Scarce resources do not wait for institutional calm. If every governance dispute disabled anti-fraud control, hijackers would have a map for exploiting crises. The answer also cannot be wider discretion. A stressed institution should not compensate for damaged legitimacy by expanding unreviewable power. That only makes market participants more suspicious of every decision.
The correct response is bounded authority. When governance is contested, the registry should make rules more explicit, evidence files more complete, notices more careful, logs more resistant to alteration, staff approvals more segmented and appeal paths more credible. This is not because every staff member is suspect. It is because the market needs to distinguish necessary verification from institutional preference. In a stable environment, some decisions may be accepted because parties trust the office. In a stressed environment, the office has to earn trust through the file.
Mandate laundering is the central danger. Anti-fraud language has moral force because nobody wants address theft. That force can be used to pursue goals that anti-fraud control does not justify: slowing exits, disciplining a holder, suppressing a commercial model, punishing a faction, favoring an incumbent, keeping capital in place or avoiding an uncomfortable policy debate. The rhetorical move is simple: any challenge to discretion is portrayed as weakness on hijacking. The economic answer is also simple: verification is legitimate when tied to evidence of authority risk; it becomes laundering when it operates as a generalized veto.
The Cloud Innovation dispute is relevant only in that limited institutional sense. It shows how registry actions, member claims, commercial interests, court process, receivership and governance questions can become entangled. It should not be turned into a morality play. A registry may be right to enforce a rule against a powerful holder. A powerful holder may be right to challenge defective procedure. A court may preserve rights while also slowing administration. A receiver may stabilize some functions while revealing the fragility of ordinary governance. None of those possibilities resolves the control-design question. They all point toward the same requirement: decisions affecting scarce resources must be evidenced, bounded and reviewable.
Election-integrity concerns matter for the same reason. A registry's power to freeze, correct, reclaim or refuse control changes is more sensitive when the formation of its decision structure has itself been disputed. Strong fraud controls can survive that sensitivity only if they are insulated from factional use. The ledger must not become the prize of governance conflict. It must remain a record that parties can rely on even when they disagree about institutional politics.
Bounded authority also protects the registry from litigation pressure. A clear file does not eliminate lawsuits, but it improves the registry's position. It shows that staff followed a rule, identified an evidentiary defect, gave notice where possible, allowed cure, separated emergency action from final decision and preserved appeal. It makes disagreement about the rule or evidence visible. Without that file, every refusal looks personal and every approval looks vulnerable.
Correction is expensive because reliance accumulates
Once a false entry enters the ledger, correction is an economic unwinding. The address block may have been routed by networks that saw a plausible record. Customers may have been placed on it. Brokers may have introduced counterparties. Abuse desks may have built files around the wrong controller. A buyer may have paid for inventory. A hosting provider may have assigned downstream users. A lender may have evaluated revenue supported by the space. The longer the false entry persists, the harder it becomes to restore the lawful state without harming innocent parties.
This does not mean the registry should leave a false record in place. A ledger that refuses to correct theft because correction is disruptive invites further theft. It means correction should be designed to separate culpable control from dependent operations where possible. If the registry can restore the lawful holder while allowing innocent downstream users a defined migration window, it may reduce collateral damage. If immediate correction is necessary to prevent further sale, impersonation or irreversible movement, the registry should say why. If two claimants produce conflicting evidence, it should preserve the status quo only to the extent needed to prevent harm while the authority question is resolved.
Early notice is the cheapest form of correction. When a high-risk change is requested, notice to validated contacts can stop many false moves before reliance forms. When a dormant holder cannot be reached, the registry should record attempts and require stronger proof from the claimant. When a newly introduced representative seeks a transfer, existing contacts should know what is being displaced. If notice fails, that fact is evidence of difficulty, not proof of legitimacy. The greater the proposed change, the more valuable the notice record becomes.
Correction files should be built as if they may later be inspected by people who were not present. The file should include the original allocation or registration basis, the sequence of contested changes, the identities of requesters, documents submitted, account events, internal approvals, external notices, objections, operational evidence, routing or suballocation signals where relevant, legal restraints and the final decision. It should also state what the registry is and is not deciding. A registry may decide that a requester lacks authority to change the record. It may not be deciding every private contractual claim among downstream parties.
Privacy has to be managed, not used as an excuse for opacity. Corporate identity documents, personal identifiers, contracts and security logs may need restricted treatment. But affected parties should receive enough explanation to challenge the decision, and authorized reviewers should be able to inspect the evidence. Public markers such as "under dispute" or "frozen" may sometimes be justified, but they should be factual, narrow and updated. A stale dispute marker can become a penalty long after the risk has passed.
The AFRINIC heist history shows why after-the-fact recovery is so costly. A region with finite administrative resources cannot afford a model in which every major correction becomes a bespoke reconstruction of old emails, staff actions, corporate events, routing history and customer reliance. Prevention is cheaper: validated authority contacts, hardened recovery, high-risk triggers, two-person approval, change history and evidence preservation should exist before a crisis.
Correction also has a market-signalling function. If parties see that false records are corrected through a disciplined process, they can rely more on the ledger. If they see that correction is random, political or impossible, they discount the whole region's records. The market does not need the registry to guarantee perfection. It needs proof that errors can be found, reversed and learned from without turning every correction into an institutional battle.
Predictability, appeals and tamper-evident records
Verification can support liquidity only when it is predictable enough to be priced. Market participants often complain about delay, but they also pay for certainty. A slow process that identifies missing evidence, offers a cure path and reaches a reviewable decision may be tolerable. A fast process that later produces contested records is dangerous. An unpredictable process is worse than either: it creates both delay and uncertainty, and parties respond by demanding discounts, warranties, side letters or informal workarounds.
Predictability begins with categories. Resource holders should know the difference between routine contact maintenance, account recovery, authority-contact replacement, dormant-record review, transfer, lease-related update, disputed succession, correction and emergency freeze. Each category should have a normal evidence set, target response times, escalation triggers and review options. Staff should know when to process quickly and when to escalate. Buyers and brokers should know what documents to prepare before closing. Operators should know which registry-side changes require holder confirmation.
Service levels help, but they should not be mechanical. A registry should acknowledge requests quickly, identify missing evidence within a target period and make decisions within a defined range. It should also reserve the ability to extend review where evidence conflicts, notice is incomplete or fraud risk is high. The important point is that delay must produce reasons. A holder waiting because two corporate successors submitted inconsistent records is experiencing a real evidentiary problem. A holder waiting months without knowing what evidence would cure the file is experiencing a veto.
Appeals convert institutional authority into process. Not every minor contact edit requires a formal tribunal. But decisions that freeze, refuse, reverse, reclaim or materially condition control of valuable resources need meaningful review. The reviewer should examine the evidence file, not merely defer to staff anxiety. The decision should identify whether the defect concerns identity, capacity, resource chain, document authenticity, account security, notice, policy, court restraint or operational risk. If the evidence is insufficient, the decision should say what would be sufficient, or why no cure is possible.
Tamper-evident records are the appeal system's foundation. Without a reliable change history, an appeal is forced to relitigate memory. The registry should preserve requests, documents, staff actions, approval steps, account logs, notices, objections and later modifications in a way that cannot be quietly rewritten. The goal is not to publish sensitive material. The goal is to make the institutional record credible when the decision is contested. A scarce ledger whose own history cannot be trusted invites both fraud and conspiracy.
Predictability also reduces the risk of capital control. If categories, evidence standards and time limits are visible, the registry has less room to use anti-fraud review as an indefinite hold. It can still say no. It can say no because authority is unproven, documents are false, notice revealed a dispute, a court restraint applies or an account event is suspicious. Those are bounded reasons. What it should not do is keep asking for new documents without stating the standard, or let a review marker sit indefinitely because a transaction is institutionally inconvenient.
The registry should measure the performance of fraud controls by more than the number of attempts stopped. It should track legitimate changes processed, time to first evidence response, time to cure, appeal outcomes, recurrence of disputed contact changes, accuracy of corrected records, freeze duration and reasons for extension. A system that stops theft by immobilizing everyone has failed. A system that moves everything quickly while leaving a trail of later disputes has also failed. The target is reliable movement.
A bounded control model, not capital control
Capital control sounds dramatic in the context of IP addresses, but the mechanism is familiar. A scarce resource gains market value. An administrative body controls the ledger entry needed for practical movement. If that body can delay, freeze, refuse or condition changes without bounded reasons, it regulates the holder's exit options even if it never says so directly. The holder may remain the holder in name while losing the ability to transact, reorganize or finance around the resource in practice.
This risk is strongest when scarcity, institutional stress and ambiguous language coincide. Scarcity gives the resource value. Governance conflict makes discretion harder to trust. Broad anti-fraud language supplies a respectable vocabulary. The result can be a system in which every proposed movement is described as suspicious, every commercial delegation is treated as a loophole, and every request to cure a file becomes an opportunity to reopen a wider argument about regional policy or market philosophy.
Avoiding that outcome does not require laxity. The registry can refuse a transfer when corporate authority is not proven. It can block an account recovery that appears compromised. It can freeze a record where there is credible evidence of imminent unauthorized movement. It can require a dormant claimant to prove continuity. It can correct a record created through manipulation. These are strong powers. Their legitimacy comes from the fact that each is tied to a specific ledger risk.
The same registry should be cautious about different reasons: dislike of a buyer, discomfort with a lease model, concern about the price, suspicion of liquidity itself, preference for one category of holder over another, or pressure to keep address capital from moving. Some of those concerns may belong in policy debate, legislation, contract negotiation, customer due diligence or court. They do not belong inside an anti-hijack decision unless they connect to authorization, authenticity or a clearly applicable rule. If the issue is policy, call it policy. If the issue is fraud, show the fraud-risk evidence. Mixing them is how mandate laundering works.
Endless cure demands can be a softer form of the same control. A registry may avoid a formal refusal by repeatedly changing the evidentiary target, demanding impossible documents from old holders or declining to state what would be enough. That is not neutrality. It is a decision without a decision paper. Bounded verification requires a cure standard and an endpoint. The registry may accept alternative evidence where archives are incomplete, but it should eventually say whether the evidence proves authority, what remains missing, and how the decision can be challenged.
Public uncertainty can also become leverage. Marking a resource as disputed or frozen may be necessary to warn counterparties. But the marker should be accurate, narrow and refreshed. A broad or stale marker lowers value and may operate like a penalty. If a holder cures an evidentiary gap, the visible state should change. If a dispute remains, the marker should describe the dispute without implying a legal conclusion the registry has not made.
The line is therefore practical: anti-hijack control protects the correctness of the ledger; capital control uses the ledger to restrict lawful movement for reasons beyond that corrective function. AFRINIC needs the first because the heist history showed the cost of a corruptible record. It must avoid the second because the same history, combined with governance stress and scarcity, makes discretionary power economically dangerous.
The practical model follows from that line. Not every registry action deserves the same scrutiny. Routine technical updates by a recently validated holder through hardened accounts should move quickly. Control-changing actions should receive stronger verification. High-risk actions should receive enhanced review: dormant-record transfers, large legacy blocks, account recovery followed by transfer, replacement of all authority contacts, conflicting corporate claims, court-appointed controllers, lease-related authority disputes, correction of suspected manipulated records and staff or account-log anomalies.
For each class, the registry should define the evidence normally required. Identity evidence confirms the requester. Capacity evidence confirms that the requester can act for the holder. Resource-chain evidence connects the holder or successor to the addresses. Transaction evidence confirms the requested change. Operational evidence, such as routing history or suballocation records, may corroborate use but should not replace authority. Legal evidence should be tied to the specific resource and action. This structure allows judgment without improvisation.
The model should include chain-of-custody files for high-risk changes. Each file should preserve submitted documents, verification steps, notice attempts, objections, staff approvals, account-security events, decision reasons and later review outcomes. It should distinguish decisive evidence from corroborative evidence. A routing history may support continuity but should not by itself transfer authority. A company extract may prove current officers but not the resource chain. A broker letter may show representation but not holder consent unless backed by the holder.
Account controls should be layered into the model. Hardened authentication, recovery review, device and role alerts, two-person confirmation and staff maker-checker procedures should be mandatory for high-value changes. The registry should maintain validated authority contacts for each holder, with privacy protections where needed. Changes to those contacts should be treated as sensitive events. Delegations to lawyers, brokers, network service providers or lessees should specify scope and duration.
Notice and cure should be the ordinary posture. If evidence is missing, tell the requester what kind of evidence would satisfy the gap. If existing contacts may be displaced, notify them. If there is a conflict, define the issue and pause only the actions that could cause irreversible harm. If no response arrives from a dormant holder after reasonable efforts, record the efforts and require stronger proof from the claimant. Silence is a reason for caution, not automatic consent.
Emergency freezes should preserve the status quo against imminent harm, not become indefinite control. Initial freezes should be short, scoped and reasoned. Extensions should require fresh reasons. Affected parties should have a rapid challenge path. Where a freeze follows a court order, the registry should identify the order's scope. Where it follows internal risk assessment, the registry should identify the evidence category without exposing sensitive details unnecessarily.
Finally, the model should separate registry verification from commercial judgement. It should not decide whether a lease price is efficient, whether a transfer is politically attractive, whether a holder should monetize addresses, whether a buyer is a better steward, or whether a business model is too aggressive. It should decide whether the record can safely be changed or relied upon. That mandate is strong enough to stop theft and modest enough to preserve market freedom.
The model also needs a learning loop. Each mistaken approval, mistaken refusal, unnecessary freeze, successful appeal or recovered hijack should improve the categories and evidence standards. A registry that cannot learn from false positives and false negatives becomes more dangerous with time. A registry that learns only by adding friction also fails. The goal is not a thicker bureaucracy. It is a sharper one.
Reliable movement is the test
The success of AFRINIC's anti-hijack and anti-fraud controls should not be measured by how much power the registry can assert. Nor should it be measured by how little it interferes. The economic test is reliable movement. Legitimate holders should be able to maintain, transfer, reorganize, lease, secure and explain their resources through a process that counterparties trust. Impostors and forged authority chains should face a high probability of detection before value moves.
Reliable movement requires a registry that can say no. It can refuse a transfer when authority is not proven. It can freeze a record when evidence shows imminent unauthorized movement. It can require a newly appearing claimant to build a credible chain. It can correct a record created through manipulation. It can demand hardened accounts and independent approval for high-risk actions. These are not optional niceties in a scarce market. They are the price of treating the ledger as economically meaningful.
Reliable movement also requires a registry that can say yes. A holder that proves authority should not be trapped because the institution dislikes the market price of IPv4, the existence of leasing, the identity of a counterparty or the optics of resource movement. A buyer that completes the evidentiary process should not face open-ended hesitation. A legacy holder with imperfect but persuasive continuity evidence should not be defeated by a demand for impossible archives. Markets become safer when the lawful path works.
That is the difference between bounded verification and discretionary administration. Laxity invites record theft, account takeover, forged transfers, reputation damage and after-the-fact litigation. Discretionary administration invites capital immobility, favoritism, mandate laundering and loss of trust. Bounded verification is the middle discipline: specific triggers, proportional evidence, secure accounts, documented authority, notice and cure, time-limited emergency action, tamper-evident logs and review.
The discipline is demanding because it denies easy stories. It does not let resource holders pretend that a scarce registry can process every instruction on trust. It does not let the registry pretend that anti-fraud language authorizes broad market control. It does not let courts, insiders, brokers or litigants treat the database as a private weapon. It treats the address record as a shared economic instrument whose value depends on both resistance to falsehood and restraint in the use of institutional power.
AFRINIC's heist history, scarcity context and governance stress make that discipline urgent. The region cannot afford a ledger that is easy to hijack. It also cannot afford a registry authority that turns verification into a veto over lawful movement. The practical answer is not to weaken controls, but to narrow and harden them. Verification should be strong where impersonation, forged authority, dormant records, account takeover and unauthorized transfer threaten the ledger. It should be modest where the question is merely whether a lawful holder is making a commercial choice others dislike.
Properly bounded, hijack and fraud controls are not obstacles to the IPv4 market. They are part of its foundation. They make address capital more usable by making control claims more credible. They protect customers by reducing the chance that operational continuity depends on a stolen record. They protect buyers and sellers by turning authority into evidence rather than rumour. They protect the registry by limiting its own power to defensible acts. A scarce-resource ledger works only when it can resist both thieves and gatekeepers.

