Summary
- IPv4 scarcity makes RIPE NCC account control economically valuable: a false claimant who can move contacts, transfer a range, change reverse DNS, create or revoke ROAs, or authorize routing can redirect real operating capacity.
- The core risk is adversarial authority, not paperwork in the abstract. Compromised accounts, stale role credentials, forged director letters, old company names, false merger files, insolvency stories and urgent operational excuses all try to make unauthorized change look routine.
- Official RIPE facts are useful exhibits. RIPE NCC exhausted its available IPv4 pool in November 2019, facilitates transfers, evaluates business-structure updates, maintains database authorisation surfaces, offers voluntary transfer locks and operates RPKI services. Those facts do not decide the institutional boundary.
- Transfer locks, hold periods, notices and multi-party confirmation can prevent theft, but they also impose liquidity taxes when they are vague, slow, irrevocable, poorly scoped or available only to sophisticated holders.
- Route authorization, ROA issuance or revocation and reverse DNS changes are high-value control surfaces because a registry account can influence what networks, platforms, customers and counterparties treat as responsible use.
- Emergency freezes need a narrower clock than ordinary disputes: fast containment is justified when control may be stolen, but it must preserve service continuity and avoid becoming a long commercial standstill.
- Strong controls require audit trails, dual control, separation of duties, signer-authority review, staff-access limits, tamper-evident change history, clear notices, cure paths and reversibility.
- The cost burden is unequal. Large carriers, cloud firms and address-market specialists can absorb verification work; small access networks, universities, public-service providers and older holders can be trapped by evidence gaps.
- The moral hazard runs both ways: too little control rewards thieves and account raiders; too much control gives registry staff private discretion over scarce capital, commercial timing and disputed value.
- RIPE NCC's right role is to prevent unauthorized registry changes and make actions attributable, reviewable and reversible, while refusing to adjudicate private ownership fights, punish market actors, set prices, seize resources or become a court.
The night a false transfer looks routine
The message arrives with the tone of an emergency and the grammar of administration. A company says it must move a valuable IPv4 range before a financing deadline. The old contact cannot be reached. The domain used for earlier correspondence has changed hands. A director letter is attached, signed by someone whose title looks plausible. A merger file explains why the current operating company is not the same as the name in the historical record. A technical consultant asks for account access so that contacts can be replaced, reverse DNS updated, ROAs reviewed and a transfer request submitted. A second message, from an older mailbox, asks RIPE NCC not to touch anything.
No one has yet proved theft. No one has yet proved innocence. The requested changes look ordinary if each is viewed alone. A holder changes contacts. A company updates its legal name. A merger produces a successor. A cloud migration needs route authorization. A buyer needs a transfer. A security team needs a stale maintainer cleaned up. Each of those events happens legitimately in the RIPE NCC region. Fraud works by hiding inside that normality.
The registry must decide how much speed the facts deserve. If it processes the request too quickly, a false claimant may gain the practical keys to a scarce range. The attacker may not need to announce a hijacked route immediately. It may be enough to replace trusted contacts, gain database authority, alter reverse DNS, issue or revoke ROAs, unlock a transfer path, or create a record that a broker, buyer or upstream treats as evidence. By the time a later review finds the weakness, money may have moved, customers may have migrated and third parties may have relied on the apparent state.
If RIPE NCC stops too much for too long, the harm runs in the other direction. A legitimate holder may miss a transfer closing. A public-service network may fail to update security controls. A buyer may lose escrow confidence. A small ISP may be unable to repair stale contacts because it cannot produce the one document a large corporate group would have on file. A court, creditor or rival director may use registry hesitation as leverage. Anti-fraud review can protect property-like value. It can also become a private gate over capital.
That is the economics of hijack and fraud controls. The point is not that RIPE NCC should be permissive. Scarce IPv4 has made false authority too valuable for soft controls. Nor is the point that the registry should become a tribunal over every transfer, lease, sale price, insolvency dispute or corporate fight. The harder institutional task is narrower: prevent unauthorized changes to the registry layer, make every important action attributable and reversible where possible, and keep verification from becoming discretionary market rule.
Scarcity made account control worth stealing
RIPE NCC says on its IPv4 run-out page that it exhausted its remaining IPv4 pool in November 2019 and that networks in Europe, the Middle East and parts of Central Asia can no longer receive previously unused IPv4 addresses from RIPE NCC in the older allocation pattern. That fact is only a factual exhibit, but it changes the payoff. In a world of abundant substitute capacity, a stale contact or weak recovery process is a service-quality problem. In a world of scarce IPv4, the same weakness is a value-transfer problem.
A range can support hosting revenue, broadband customers, enterprise VPNs, public-sector portals, cloud import, managed security, payment systems, mail infrastructure, data-centre onboarding and acquisition economics. The registry record is not the whole commercial asset, and RIPE NCC does not own the business value created by the holder. Yet recognised control is one of the facts that lets others treat the range as usable. A false claimant who can move that recognition can convert an administrative weakness into operational power.
The attacker's first prize may be contact control. If old role accounts, former staff addresses or weakly protected credentials still sit near the resource, a bad actor can request recovery, replace visible contacts and create a new administrative baseline. The new baseline may then be used to support a transfer, a route authorization request, a reverse-DNS delegation or a claim to a buyer that the holder has cleaned up its records. The theft is already underway before the outside world sees routing change.
The second prize is timing. Scarce ranges often move in windows: a transaction closing, a migration cutover, a public procurement deadline, a financing condition, a customer onboarding date or a bankruptcy schedule. Fraudulent requests use urgency because urgency changes the psychology of verification. A forged file asks staff to treat delay as the main risk. A legitimate file may also be urgent. Good controls therefore cannot simply distrust urgency. They must ask whether urgency is being used to avoid the normal proof of authority.
The third prize is ambiguity. Old corporate names, changed jurisdictions, acquisitions, liquidations, spun-off network units and dormant records create interpretive space. The false claimant does not need perfect evidence; it needs evidence plausible enough to outrun notice and review. Conversely, a legitimate claimant with messy history may not have perfect evidence either. A mature control system must distinguish fraud from historical imperfection without making perfection the price of access.
Scarcity also increases the registry's temptation to overcorrect. If every mistake can look expensive, staff and governance bodies may prefer delay. Delay feels safe because it avoids the visible error of approving a false change. But indefinite delay is also a decision. It transfers cost to the holder, buyer, customer, lender or operator waiting on the record. After IPv4 run-out, not acting can be as economically material as acting.
Fraud is an authority-chain problem before it is a routing event
Many hijacks are remembered as routing incidents because the visible harm appears in BGP. In registry economics, the earlier and more important question is authority. Who is allowed to change the record? Who is allowed to bind the holder? Who may add or remove contacts? Who may request transfer recognition? Who may create or revoke routing authorization? Who may control reverse DNS? If those questions are answered badly, the later technical path is easier to abuse.
RIPE Database documentation on authorisation usefully separates authorisation, authentication and credentials. That distinction matters in fraud review. A person may authenticate successfully and still lack authority for the requested act. A credential may allow database updates but say little about present legal authority if it was inherited, shared, compromised or attached to an old role. A company paper may prove legal existence but not prove that the company controls a specific range. A lawyer's letter may prove representation but not the scope of representation.
The cleanest control sequence is practical. First identify the requester. Then identify the claimed role. Then identify the specific action requested. Then ask what authority that action requires. Then test the connection between the requester, the role, the holder and the resource. Then assess the consequence of a false approval and the consequence of delay. This keeps review attached to the registry act rather than to an open-ended judgement about the underlying business.
Resource specificity is essential. A director letter may authorize a consultant to maintain routing records, but not to transfer address holdings. A merger agreement may transfer a business line, but not every range ever used by that business. A bankruptcy administrator may have authority over a company, but the registry still needs to know whether the resource belongs to that estate, a subsidiary, a customer, a former holder or a sponsored end user. An account holder may have technical access, but not authority to sell or unlock.
Fraud control fails when these distinctions collapse. Account access becomes legal power. A broad letter becomes transfer authority. A name change becomes succession. A stale email becomes consent. A technical route need becomes holdership evidence. A court filing becomes an instruction beyond its scope. Each shortcut lowers the cost of false control.
The same distinctions protect legitimate users. A holder denied for vague reasons cannot cure the file efficiently. A holder told that it must prove a specific signer, a specific chain, a specific transfer scope or a specific technical delegation can do the work. The stronger the control, the more precise the question should be. Bounded verification is not softness. It is accuracy about what fact is missing.
The RIPE NCC surface is wider than a transfer form
The obvious fraud target is the transfer request. RIPE NCC's transfer page states that RIPE NCC authorises and facilitates transfers of Internet number resources and that a transfer changes holdership from one party to another. That makes transfer review a high-value checkpoint. But a false transfer is not the only way to hijack practical control.
Contacts matter because they determine who receives notices, complaints, validation messages and recovery channels. If a false claimant changes contacts first, later instructions may appear cleaner. A holder that fails to maintain contacts also weakens its own defence, because notice may go to people who no longer act for the network. Fraud controls should therefore make ordinary contact hygiene easy while treating complete replacement after dormancy as higher risk.
Maintainer control matters because database authority can support many later changes. A party that gains update power can align records with its story. It can make old facts look current and current facts look historical. It can add or remove routing-related entries, update remarks, alter contact references and shape the file seen by outsiders. A later reviewer may still detect the sequence, but the attacker has gained time and apparent regularity.
Reverse DNS matters because naming can influence customer trust, network operations, mail systems, abuse handling and due diligence. A reverse-DNS change is not a transfer of holdership, but it can signal control. In a disputed range, a false change may help an attacker persuade customers or counterparties that the new party is the operational controller. In an emergency, it may also redirect support and investigation.
RPKI matters because ROAs can influence route-origin validation. RIPE NCC describes RPKI as a framework that helps network operators make more secure routing decisions, and its RPKI materials point users toward managing ROAs. The point here is not to make this a routing-security article. The point is that a registry account able to create, change or revoke ROAs touches a property-like control surface. A false ROA can give cover to an unauthorized route, and a malicious revocation can impair a legitimate one.
M&A and legal-name updates matter because they are the respectable face of discontinuity. RIPE NCC's M&A page asks for recent company registration documents, legal documents from a national authority supporting the change and other supporting materials where available. Those requirements are sensible exhibits of the evidence problem. The risk is that a real document can be used to support a false conclusion if it does not prove the exact resource chain.
The control surface is therefore a bundle: account access, contacts, maintainer authority, transfer request, legal-name update, business-structure update, routing authorization, RPKI, reverse DNS and notices. A fraud system that guards only the final transfer button is too late. A system that treats every low-risk edit like a transfer is too heavy. The design problem is to grade changes by consequence.
Stale credentials turn customer service into a fraud corridor
Account recovery is one of the hardest registry functions because it is both necessary and dangerous. Without recovery, legitimate holders get locked out by staff turnover, lost domains, old emails, former consultants, forgotten authentication factors and mergers. With weak recovery, a false claimant can turn lost access into new authority. A helpdesk process becomes a corridor into scarce capital.
The risk is especially sharp in the RIPE NCC region because the service area contains mature operators, small ISPs, public-sector networks, universities, enterprise legacy holders, cloud firms, conflict-affected businesses, sanctioned or sanctions-adjacent jurisdictions and companies with long cross-border histories. Some holders maintain current accounts with professional governance. Others have records that survived multiple reorganisations without ever being treated as finance-grade evidence. Uniform suspicion would be unfair. Uniform convenience would be unsafe.
A sensible recovery process should have stages. The first stage is channel protection: identify the requester, inspect whether old contact channels still function and notify the last reliable contacts where feasible. The second is role recognition: decide whether the requester can receive limited account access, technical update rights, billing communication, emergency contact status or full authority. The third is change control: allow only the changes justified by the evidence. The fourth is follow-up: record what remains restricted and what proof is needed for higher-consequence actions.
This staging prevents the common error of making recovery all or nothing. A small provider may need to update an abuse mailbox immediately. That does not mean it should be able to transfer a large range the same day. A legitimate successor may need temporary access to submit a business-structure file. That does not mean its succession has already been accepted. A technical operator may need to repair routing authorization for service continuity. That does not mean it has authority to move holdership.
Stale role accounts deserve particular suspicion when followed by urgency. A former employee who still controls an old address, a contractor with abandoned credentials, a mailbox under a domain that changed ownership, or a shared password in a legacy team can all produce a superficially valid instruction. The more consequential the requested change, the more recovery should be decoupled from authority. Gaining access to communicate with RIPE NCC should not automatically become authority to change the economic state of the resource.
At the same time, the registry should not punish holders for trying to clean up. If every contact repair triggers a broad investigation, rational holders will postpone maintenance until a transaction, incident or audit forces them to act. That increases fraud risk. Good control design makes early, low-risk hygiene cheap and late, high-risk displacement expensive. The same rule lowers risk and transaction cost.
Corporate evidence can be true and still misleading
Fraud does not always depend on crude forgery. Sometimes the most dangerous file contains true documents arranged around a false inference. A company registration extract is real. A director exists. A merger happened. A subsidiary changed name. A court appointed an administrator. A business line moved. A lawyer has a mandate. Yet none of those facts, alone, proves authority over a particular IPv4 range.
This is the director-letter problem. A signed letter on corporate letterhead can look decisive because it is familiar. But the signer may lack authority under the company's rules. The company may not be the holder. The holder may be a predecessor not legally absorbed. The range may have stayed with a different affiliate. The resources may be sponsored, legacy, assigned to an end user or tied to an agreement that the letter does not address. A letter proves less than its formatting suggests.
The same is true of M&A files. A purchase agreement may transfer customers, equipment, contracts, brand, staff and network operations. It may be silent about number resources. It may refer to "IP assets" in a way that counsel intended for intellectual property, not Internet numbering. It may transfer a network business but exclude shared infrastructure. It may transfer a company whose address records were never updated after an earlier reorganisation. The fraudster uses the word "successor" as a bridge over every gap. The registry must inspect the bridge.
Bankruptcy and insolvency narratives add pressure because they mix urgency with authority complexity. A liquidator, administrator, receiver, trustee or court-appointed manager may have real power. The question is scope. Does the appointment cover the holder? Does it cover the specific resource? Does local law treat the resource as transferable, usable, pledged, customer-dependent or tied to a going-concern sale? Does an order direct the registry or merely describe rights between private parties? RIPE NCC should respect proper legal authority, but it should not treat any insolvency filing as a universal instruction.
False files also exploit cross-border diversity. The RIPE NCC region spans legal systems with different company registries, languages, notarisation practices, sanctions exposure, public-sector forms and insolvency regimes. A document that looks normal in one jurisdiction may not answer the control question in another. A fraud review must avoid both chauvinism and naivety: it should not reject valid foreign forms merely because they are unfamiliar, and it should not accept unfamiliar forms merely because they appear official.
The economic value of this review is narrow. RIPE NCC does not need to decide whether a sale price was fair, whether a merger was wise, whether creditors should recover more, whether a lease was good business, or whether a market actor deserves approval. It needs to decide whether the requested registry change is authorized by the holder or a lawful successor for that specific resource and action. That boundary is what stops anti-fraud review from becoming private adjudication.
M&A stories and insolvency stories need different clocks
Business-structure changes are not the same as theft reports, and theft reports are not the same as commercial disputes. If the registry uses one clock for all of them, it will either move too slowly during fraud or too quickly during contested succession. The clock should follow the risk.
An ordinary M&A update has a documentation rhythm. The parties know the transaction, gather company papers, identify resources, submit the request and wait for evaluation under policy and procedure. RIPE NCC's M&A materials state that both parties involved in a business-structure change can request the change for LIRs, that end-user requests go through a sponsoring LIR, and that sanctions checks are part of evaluation. Those are ordinary verification steps. They should be predictable enough that deal teams can plan around them.
A suspicious M&A update has a different shape. The request appears after long dormancy. It is filed by a newly introduced representative. It asks to replace old contacts before explaining the chain. It uses urgency to resist notice. It supplies a broad company story but weak resource-specific evidence. It asks for routing or RPKI changes while the business-structure file is unresolved. It is followed by a transfer or broker conversation. These signals do not prove fraud. They justify a higher-evidence clock.
Insolvency also requires a different rhythm. A distressed network may need rapid continuity actions to keep customers alive. A court-appointed controller may need to update contacts, pay fees, preserve reverse DNS, maintain ROAs and respond to abuse reports. Delaying those actions can harm innocent users. But a distressed estate may also attract opportunistic claims, especially where valuable IPv4 is one of the few liquid assets. The registry should preserve service and verified responsibility while being careful about irreversible movement.
The useful distinction is between continuity actions and value-moving actions. Continuity actions keep the existing service safe: preserve contacts, receive notices, pay bills, maintain known routing authorizations, prevent malicious revocation and record temporary authority. Value-moving actions change holdership, unlock transfer, displace prior authority, sell the resource or create a new long-term control state. Continuity actions should often be possible under narrower proof. Value-moving actions require a stronger chain.
This separation protects everyone. Creditors are not helped if a stolen range disappears during review. Customers are not helped if legitimate continuity actions wait for a full commercial dispute to finish. Buyers are not helped if the registry appears to bless an insolvency sale without clear scope. RIPE NCC is not helped if every insolvency file turns into a private trial. The control should be granular enough to keep the network functioning while the value question is evidenced elsewhere.
The same logic applies to internal corporate disputes. If two directors or factions each claim authority, the registry can preserve the last verified safe state and require clearer authority for major changes. It should not decide corporate governance beyond what is necessary for the registry act. A notation of uncertainty or a temporary restriction may be justified. A permanent standstill without a path to cure is not.
Transfer locks are safeguards and liquidity taxes
Locks are attractive because they are visible, simple and strong. RIPE NCC's Voluntary Transfer Lock materials say that transferable IPv4, IPv6 and ASN resources registered with RIPE NCC can be locked, that legacy resources are excluded from that voluntary mechanism, that only a whole allocation or assignment can be locked, that the lock is irrevocable once implemented, that it expires automatically at the agreed time, that active locks are published, and that a request can be for 6, 12 or 24 months. Those details show both the usefulness and the cost of a lock.
The usefulness is obvious. A holder that fears hostile transfer, insider dispute, creditor pressure, account compromise or social engineering can pre-commit to delay. The lock tells buyers, brokers and opportunistic claimants that a range cannot be moved quickly. It can buy time for notice, board review, corporate cleanup and dispute resolution. For valuable ranges, that time may prevent theft.
The cost is equally real. A lock is a tax on optionality. It can prevent a legitimate sale, refinancing, merger, divestiture or restructuring during the lock period. A company that over-locks scarce resources may protect against theft while reducing its ability to raise capital or respond to market conditions. A buyer may discount locked resources because timing is uncertain. A small network may avoid a lock because it cannot forecast its cash needs. A large holder may use locks more confidently because it has legal staff, address inventory and financing alternatives.
Publication of active locks also has mixed effects. It helps market actors know that fast movement is unavailable and reduces false expectations. It may also reveal that a holder is worried about control, undergoing restructuring or treating a range as strategically valuable. That information can attract inquiries or speculation. Publicity is not a reason to reject locks, but it is part of their economic incidence.
The exclusion of legacy resources from the voluntary mechanism is also instructive. Many fraud-control problems cluster around older histories, but older histories may not fit modern control tools neatly. A legacy holder may have the most reason to fear false succession and the least access to a clean voluntary lock path. That does not mean every legacy range needs the same instrument. It means fraud-control design must not assume that the easiest-to-lock resources are the only ones at risk.
The best lock policy is therefore not maximum locking. It is proportional locking. Holders should be able to protect high-risk resources, but the lock should be transparent, time-defined, scoped to specific resources and accompanied by clear procedures for what can still happen during the lock. Contact maintenance, security repair, fee payment, abuse handling, known routing authorization and emergency continuity should not be confused with transfer movement. A lock that stops theft and allows maintenance is a control. A lock that immobilizes every useful action becomes a freeze with another name.
Route authorization and naming are high-value control surfaces
Routing-security infrastructure deserves its own treatment elsewhere, but fraud-control design cannot ignore route authorization. A false claimant does not need legal ownership to create harm if it can persuade the ecosystem that a route is authorized. In a world where networks increasingly consider ROAs and other routing evidence, the power to create, change or revoke those signals has economic weight.
RPKI and ROAs help networks make route-origin decisions. That is precisely why they must be protected from false control. A fraudulent party with access to the holder's RPKI interface or authority path can attempt to authorize a new origin, preserve an unauthorized origin, or revoke authorizations that support the legitimate operator. The consequence may be route acceptance, route rejection, traffic shift, customer outage, cloud import failure or negotiation leverage.
The same is true in a weaker but still material way for routing records in the RIPE Database. They are not the same as cryptographic origin validation, and the details of routing-record governance belong to a separate debate. But they remain evidence that operators, automation systems and counterparties may inspect. If an attacker can align those records with its story, the fraud becomes easier to sell. If a legitimate holder cannot update them during an incident, service restoration may suffer.
Reverse DNS is a different surface with similar economics. Names do not prove title. They do influence trust, debugging, customer support, mail systems, policy filters and due diligence. A false reverse-DNS change can make a range appear to belong operationally to the wrong party. A malicious failure to change names can leave a legitimate new operator tied to a former network. In a contested control review, naming should be treated as evidence-sensitive, not as clerical decoration.
The control principle is again graded consequence. Low-risk corrections by a long-validated holder should not face unnecessary friction. High-consequence changes after account recovery, dormant contact replacement, disputed succession, emergency claims or transfer-adjacent urgency should require stronger confirmation. The same change can have different risk depending on timing and file history.
The registry should also preserve reversibility where possible. If an emergency freeze stops new ROA changes, it should explain whether existing ROAs remain, whether known legitimate routing is protected, who can request a service-preserving adjustment and how the freeze will be reviewed. If a reverse-DNS delegation is contested, the registry should preserve the last verified state or a neutral continuity state rather than letting one side use naming as pressure.
This is not an argument for RIPE NCC to manage routing strategy. Operators decide how to route, secure and engineer their networks. The registry's job is to ensure that the authority surfaces it controls are not captured by false claimants. The distinction is small in language and large in legitimacy.
Emergency freezes need a sharper edge than dispute notation
Every registry needs a way to stop immediate harm. If RIPE NCC sees credible evidence of account compromise, forged authority, unauthorized contact displacement or malicious RPKI change, it should be able to contain the risk quickly. A freeze can preserve the last verified state, stop transfer, prevent further contact replacement, block high-risk authorization changes and create time for notice. Without that tool, the registry would be forced to choose between blind processing and slow normal review while an attacker moves.
The danger is that emergency language expands. A counterparty calls a transaction suspicious because it dislikes the price. A creditor calls a sale fraudulent because it wants leverage. A rival director calls an account update unauthorized because the corporate fight is unresolved. A regulator raises concern without a direct legal instruction. A large customer asks for stability. Each may be serious. Not every concern is an emergency.
Emergency freezes should therefore have a sharper edge than ordinary dispute notation. The trigger should be imminent or recent risk to registry-layer control: account compromise, false identity, forged signer authority, suspicious complete contact replacement, contested recovery, malicious ROA action, unauthorized reverse-DNS delegation, or a transfer request that appears to rest on false authority. A commercial disagreement, by contrast, may justify notation, notice or a request for clearer authority, not necessarily a full freeze.
Time matters. An emergency freeze should have an initial period, a review point and a path to narrow or lift it. The first hours or days may require speed and limited explanation, especially if revealing details would help an attacker. The later period requires reasons. What is frozen? What remains possible? Which evidence would cure the concern? Which parties have been notified? What is the next review date? A freeze without these features becomes discretion by inertia.
Scope matters as much as time. If the suspected compromise concerns transfer authority, it may be unnecessary to block ordinary abuse-contact repair. If the concern is a malicious ROA change, it may be unnecessary to prevent a billing update. If the concern is a disputed M&A file, it may be unnecessary to break continuity for existing customers. Narrow scope lowers the cost of caution.
Due process does not mean letting a thief move while paperwork is prepared. It means that emergency action must be tied to a reviewable reason and a route back to normal. The registry can act first where needed. It should not hide behind urgency after the immediate danger has passed.
Audit trails are a substitute for private trust
Fraud-control systems are only as credible as their audit trails. The market cannot rely on a registry because staff members are trusted individually. It relies on the registry because the institution can show who did what, under what authority, with what evidence, after what notice and with what review. Auditability converts private staff judgement into institutional reliability.
The internal file should be granular. It should distinguish the requester, account used, credential path, claimed role, signer, holder, resource, requested action, accepted evidence, rejected evidence, notices sent, responses received, staff approvals, escalations, policy basis, sanctions or legal checks where relevant, and final decision. A later reviewer should be able to reconstruct not only the outcome but the reasoning. Without that trail, every hard case becomes a battle of memory.
Dual control is equally important. A high-consequence action should not depend on one staff account, one support message or one unchecked reviewer. Maker-checker separation, escalation thresholds, privileged-access logging and independent review reduce both insider risk and social-engineering risk. They also protect staff. A reviewer who follows a documented control is less exposed to pressure from an urgent claimant, a major customer, a broker or an angry holder.
Staff-access boundaries matter because registry staff have practical power over high-value surfaces. The ability to add a credential, reset access, approve a transfer, alter a lock, change a maintainer path, or affect RPKI services must be permissioned according to role and risk. Fraudsters exploit institutions by finding the person able to help, not the policy able to justify help. A control that requires two roles for high-risk changes is not bureaucracy. It is insurance.
Notification logs are part of the same economics. If last verified contacts were notified, the file should show how and when. If notice failed, failure should not automatically become consent. If urgent action prevented advance notice, the file should show why. If a claimant asked for secrecy, the file should show the basis. Notice is not a ritual. It is the mechanism by which the lawful holder has a chance to prevent displacement.
Aggregate reporting can improve incentives without exposing private files. RIPE NCC could report categories such as transfer-review timing, lock use, recovery cases, emergency restrictions, disputed authority files and cure outcomes in bounded form. The market does not need names to know whether the control system is timely and predictable. It needs enough statistics to see whether fraud prevention is becoming hidden capital control or whether convenience is creating capture risk.
Small networks pay the highest verification tax
Anti-fraud controls are often designed around the documents that sophisticated holders can produce. Large carriers, cloud providers, public companies and professional address-market actors may have current company extracts, board resolutions, counsel letters, delegated authority matrices, transaction schedules, escrow instructions, security teams and account-administration playbooks. They can respond to review with a clean file.
Small networks often cannot. A regional ISP may have been founded by two engineers, acquired a small customer base, inherited addresses through a local transaction and changed legal form without a perfect paper trail. A university department may have used a range for decades while staff changed and records moved from paper to old ticket systems. A public-service provider may have a procurement file that proves operational use but not every historical link. A family business may have a founder succession problem. A conflict-affected firm may have lost archives. A small hosting company may rely on a single administrator who left.
These cases are not excuses for weak control. They are reasons for proportional evidence. A registry that accepts only the large-company file will push small holders into delay, legal expense or dependence on brokers and counsel. That creates an incumbency tax. The holder with the least spare capital pays the most to prove continuity. The result can be forced sale, discounting, postponed cleanup or vulnerability to those who know how to speak the registry's documentary language.
Proportional evidence can include historical invoices, prior validated registry interactions, old correspondence, tax records, company continuity documents, public filings, board minutes, government procurement records, operational routing history, domain-control evidence, upstream confirmations, customer continuity evidence and sworn statements where appropriate. Not all evidence deserves equal weight. But a credible chain can be built from multiple weaker facts when one perfect document does not exist.
The registry should also distinguish between evidentiary poverty and suspicious behaviour. A small holder with messy archives that answers notices, preserves service, explains gaps and seeks limited repair is different from a newly arrived claimant pushing a large transfer under urgency. A proportional system raises questions where the loss from error is high but does not assume that imperfect history equals bad faith.
This has competitive significance. If anti-fraud controls are predictable and proportional, small networks can maintain records, transact and defend against theft without being forced into expensive gatekeeping channels. If controls are opaque, the market rewards those who can afford delay, legal advice and institutional familiarity. Fraud prevention then becomes an unintended subsidy for the largest holders.
Too little control rewards thieves, too much control rewards discretion
The moral hazard is double-sided. Weak controls reward thieves. If account recovery is easy, stale credentials are enough, corporate letters are accepted without scope review, and routing or reverse-DNS changes follow account access automatically, attackers will invest in social engineering. They will buy old domains, find former staff, forge board letters, mimic M&A files and exploit urgent transfer windows. The expected return is high because scarce IPv4 can be monetized quickly.
Weak controls also punish honest market actors. Buyers must discount uncertain ranges. Escrow providers demand more conditions. Brokers charge more for diligence. Cloud and data-centre teams become more suspicious of bring-your-own-address claims. Lenders treat address-dependent revenue as less reliable. Holders with old records face more private scrutiny because the public control system is not trusted. Soft registry review does not create liquidity; it creates a fraud premium.
Excessive controls create a different hazard. If every transfer, recovery, M&A update, ROA change or reverse-DNS repair can be delayed by undefined concern, registry staff become private allocators of scarce capital. They may not intend to set prices or decide ownership disputes, but delay can do both. A frozen range cannot be sold on time. A blocked update can impair service. A vague request for more evidence can kill a closing. A refusal framed as fraud concern can become a hidden judgement on a business model.
Excessive controls also create forum shopping. Parties who cannot win a private dispute may try to win by convincing the registry to freeze, delay or doubt. Creditors, rivals, counterparties, former employees, unhappy buyers and state-linked actors may all discover that a registry pause is cheaper than litigation. If RIPE NCC becomes the easiest place to create commercial leverage, it will be pulled away from its ledger role.
The correct equilibrium is narrower strength. Make false authority expensive. Make legitimate maintenance easy. Make high-consequence movement reviewable. Make emergency action fast but time-bound. Make locks available but costly enough to choose carefully. Make evidence requests specific. Make staff decisions auditable. Make registry facts reliable without pretending that the registry decides the private market.
This equilibrium is not an ideological preference for less control. It is a design principle for a scarce ledger. The registry's power is strongest when it is bounded. The more precisely RIPE NCC can say what it verifies, the less pressure it will face to verify everything else.
The boundary is prevention, attribution and reversibility
The right boundary for RIPE NCC can be stated simply. It should prevent unauthorized registry changes. It should make authorized changes attributable. It should preserve enough history for review. It should support reversibility where the registry surface allows it. It should make continuity possible during emergencies. It should not decide private ownership fights, punish market actors, set prices, seize resources, operate as a commercial court or use anti-fraud language to impose capital control.
Prevention means refusing to treat mere plausibility as authority. A credential, account, letter, company extract, merger file, insolvency claim or route request must be matched to the specific action. The higher the consequence, the stronger the match. Prevention also means protecting low-risk maintenance so records do not rot into future vulnerabilities.
Attribution means every high-value change should have a traceable requester, reviewer, evidence set and approval path. Markets can tolerate hard decisions better than unexplained decisions. A buyer, lender, operator or holder needs to know that a registry action followed a controlled file rather than private persuasion.
Reversibility means designing processes around the possibility of error. Some registry changes can be undone quickly. Some cannot be undone without harming innocent reliance. Transfers, ROA changes, reverse-DNS moves and contact replacements should therefore be graded by how hard they are to unwind. A more irreversible action deserves more pre-change verification and clearer post-change evidence.
Continuity means fraud control should not break service where service can be preserved safely. Existing customers, public agencies, hospitals, schools, broadband users, enterprise applications and emergency services may depend on addresses under review. A narrow freeze can protect them while preventing value movement. A broad freeze can make the registry the cause of harm it meant to avoid.
The refusal to adjudicate private ownership does not mean ignoring courts or law. It means reading legal materials for their registry relevance. A court order with clear scope may bind action. A private claim without clear authority may justify notation or evidence review. A dispute between sellers and buyers belongs primarily in contracts, courts and escrow terms. RIPE NCC should not convert disagreement over value into a registry verdict unless the law or authority chain requires it.
This boundary also protects the registry from mandate laundering. Fraud prevention is popular because everyone opposes theft. That makes it a tempting label for unrelated goals: slowing address sales, discouraging leasing, punishing disliked actors, expressing sanctions anxiety beyond legal requirement, protecting regional capital, or giving powerful incumbents time. The discipline is to ask, in every case, what unauthorized registry change is being prevented. If the answer is unclear, the control may be outside the lane.
What to watch from 2026 to 2029
The first watchpoint is account recovery. The market should care less about whether recovery is fast in the abstract and more about whether it is staged by risk. A healthy system will allow low-risk maintenance quickly, require stronger proof for complete authority replacement, notify last reliable contacts where feasible and prevent recovery from becoming immediate transfer power.
The second watchpoint is transfer-lock use. A rise in voluntary locks may mean holders are becoming more sophisticated about theft risk. It may also mean they are anxious about insider disputes, market timing or account compromise. The key questions are who uses locks, which resources are excluded from similar protection, how locks affect deal timing and whether maintenance remains possible during lock periods.
The third watchpoint is M&A and insolvency handling. Business-structure changes should become more resource-specific. Deal files should identify ranges, registered holders, successor chain, signer authority, customer continuity, RPKI state, reverse-DNS control, existing locks, dispute history and intended timing. Insolvency files should separate continuity from value movement. If those practices spread, the registry's review burden will fall because private files will become cleaner.
The fourth watchpoint is RPKI control. As ROA coverage and route-origin validation become more normal, the authority to issue or revoke ROAs becomes more valuable. The fraud question is whether RPKI management is protected as a high-consequence surface without turning routing-security policy into market adjudication. A compromised account should not be able to create a plausible route story before authority is checked.
The fifth watchpoint is small-network burden. If anti-fraud review increasingly requires counsel-heavy files, larger holders will adapt and smaller ones will struggle. The evidence standard should become more precise, not merely heavier. A small network should be able to understand what fact is missing and how to cure it. Opaque review will become a hidden tax on competition.
The sixth watchpoint is emergency language. A temporary freeze should remain temporary, scoped and reviewable. If emergency status becomes a standing category for commercial discomfort, fraud control will have become a capital gate. If emergency tools are too weak, false claimants will exploit speed. The metric is not maximum action or minimum action. It is whether action is tied to a demonstrable registry-control risk.
The seventh watchpoint is aggregate transparency. RIPE NCC does not need to publish private fraud files to show the market that controls are working. It can publish bounded statistics, timing distributions, lock counts, recovery categories, dispute outcomes and policy-facing lessons. Markets price what they can see. Silence makes both fraud and discretion harder to detect.
The final watchpoint is institutional humility. RIPE NCC is most valuable when it is a strong ledger, not a market governor. The registry can verify authority, protect account surfaces, preserve history, contain emergencies and make resource changes reviewable. It cannot, and should not try to, solve every private fight over scarce IPv4. The mature answer to hijack and fraud risk is not a weaker registry. It is a narrower and more auditable one.
The false-transfer review that opened this article has no perfect ending. Sometimes the urgent request is real. Sometimes it is theft. Sometimes both sides are partly right and the corporate file is simply broken. The registry's legitimacy depends on not pretending to know more than its role allows. It should stop the unauthorized change, protect the last verified safe state, demand specific proof, preserve service where possible and leave private value disputes to the institutions built for them. In a scarce market, that restraint is not passivity. It is the control that keeps the ledger from becoming the prize.

