Summary

  • AFRINIC's later audit showed that the central governance problem was a broken chain between a valid request, policy evaluation, approval, inventory movement and the public WHOIS record; corruption risk grew wherever one role could alter several links without an independent check.
  • WHOIS was a public statement of custodianship, not self-proving evidence of lawful allocation. A changed record could look authoritative even when the underlying ticket, approval or inventory justification was absent or disputed.
  • The distinction between addresses taken from AFRINIC's available pool and changes made to legacy records matters: the first concerns creation of apparent entitlement, while the second concerns substitution of identity and custodianship in historically fragile records.
  • Controls AFRINIC described after the scandal - senior final review, change traceability, daily reconciliation, qualified privileges and a permanent audit mechanism - are best read as a map of the control surfaces that required stronger protection before 2019, not as proof that every safeguard had previously been absent.
  • Board accountability should be measured by whether directors required operational audits, exception reports and closure evidence for the registry's core asset, rather than by whether they personally knew the name attached to a suspicious block.

The file should have been the institution

An Internet number registry does not manufacture address space. It administers a finite inventory and records who is entitled to use defined portions of it. That modest description hides an unusual concentration of power. A hostmaster can evaluate need, an operations team can move a block from available to delegated status, and a public record can make the result appear settled to networks, brokers, security researchers and the supposed holder. When those acts are properly separated and documented, the allocation file is the institution: it preserves the reasons, approvals and history that make an entry legitimate.

When they are not, the public record can become an attractive fiction.

The scandal that emerged around AFRINIC in 2019 is often compressed into a bad-person story. That is emotionally tidy and institutionally useless. A named employee can be dismissed. A criminal referral can be made. Neither action explains why unauthorised changes were possible, why anomalies persisted, why internal evidence did not trigger decisive review, or why outsiders helped assemble a picture that the custodian itself had not publicly produced. A registry that treats the episode as the biography of a culprit leaves the enabling system substantially unexamined.

The more demanding question is what an allocation file between 2013 and 2019 had to prove. It needed to show that an identifiable applicant was eligible; that a resource request existed; that staff evaluated the request against the policy then in force; that the approved quantity matched the demonstrated need; that contractual and payment conditions were satisfied where applicable; that the inventory was changed by an authorised person; and that the public WHOIS entry reproduced, rather than invented, the authorised result. Every later amendment needed its own authority, actor, timestamp, evidence and approval.

A reviewer should have been able to move both forward and backward through that chain.

AFRINIC's 2021 WHOIS Database Accuracy Report provides the strongest public institutional account of what the later examination found. It says the audit checked records for 2,824 IPv4 prefixes delegated to resource members from 2005 through 2019. Nine did not have a ticket number and were associated with Fiber Grid allocations made in 2012-13; of 2,815 records with ticket references, 2,800 contained a resource request that had been evaluated, while inconsistencies in 15 concerned prefixes imported from other registries through the earlier registration transfer project.

Those figures do not show that the whole allocation estate was chaotic. They show something more precise: a mostly populated archive contained a small set of exceptional files whose consequences were very large, and the institution needed a way to detect the exceptions before an external crisis did.

An exception rate can sound reassuring when expressed as a percentage. That is the wrong denominator for a registry. One unsupported /14 represents 262,144 addresses. One unsupported /16 represents 65,536. Control risk follows the quantity, status and reversibility of the affected resources, not merely the count of deficient tickets. An audit that reports 99 per cent documentation completeness can still conceal a material failure if the missing one per cent includes large blocks, privileged changes or records capable of being monetised.

Scarcity turned small numbers of exceptional files into balance-sheet-sized temptations without making the addresses private property.

Four acts that must never collapse into one

The integrity of an allocation depends on separating four acts: assessment, authorisation, execution and publication. Assessment asks whether an applicant and request satisfy policy. Authorisation converts that assessment into an institutional decision. Execution changes inventory and associated internal records. Publication changes what the outside world sees in WHOIS and related services. One employee may contribute to more than one stage in a small organisation, but no consequential allocation should be completed solely on that employee's uncorroborated action.

The first separation is between the analyst who develops the case and the person who approves it. Hostmasters necessarily exercise judgment. The policy cannot anticipate every network plan, utilisation pattern or corporate form. That discretion is why a second review matters. The reviewer should not merely confirm that boxes are filled. The reviewer should challenge identity, eligibility, quantity, related organisations, prior allocations, unusual speed, out-of-region indicators and conflicts of interest. A large or exceptional request should move to a higher approval tier.

The approving identity and rationale should be fixed before the resource can leave the pool.

The second separation is between approval and technical execution. An operations interface should accept only an immutable approval reference whose approved prefix and organisation match the proposed change. If staff can directly create the destination organisation, classify a block, alter the inventory and publish the WHOIS entry, the institution has replaced a chain of authority with a powerful account. Logging such an account is not enough. Logs watched only after suspicion arises are forensic residue, not preventive control.

The third separation is between execution and reconciliation. A daily delegated statistics file, the internal resource inventory, the membership system and WHOIS are different representations of the same institutional act. Differences should be expected occasionally because systems update at different times. They should also be visible, aged and cleared. An unexplained difference involving resource status, organisation handle or prefix size should create an exception owned by someone outside the team that made the change. The exception should remain open until supporting authority is attached or the record is reversed.

The fourth separation is between management and assurance. The team responsible for allocation cannot be the only team that decides its controls are adequate. Internal audit needs read access to the full sequence, a mandate covering registration services and technology, and a reporting line to a committee able to demand action from executives. External financial audit may test revenue, liabilities and accounts without reconstructing number-resource changes. A registry board that receives a clean financial opinion has not thereby received assurance that the core registry is accurate.

These separations are not bureaucratic ornaments. They create disagreement at the moment when disagreement is cheapest. A reviewer can stop an unsupported request before publication. A reconciler can identify a mismatch before addresses are routed, leased or sold. An auditor can detect a pattern before counterparties accumulate reliance interests. Once years have passed, every correction becomes a contest among historical holders, current users, purchasers, networks and the registry itself.

WHOIS could publish confidence it did not earn

RFC 7020, published in 2013, describes registration accuracy as a core requirement of the Internet Numbers Registry System. The registry must ensure uniqueness and provide accurate information about allocations. The requirement is operational, not decorative. Networks, incident responders and resource holders use registration data to understand who has responsibility for a block. Yet a WHOIS entry is only the final assertion. It cannot prove the authority that produced it.

This distinction is central to the AFRINIC case. Public reporting traced suspicious changes through historical WHOIS records, contact addresses, domain registrations and routing observations. Those sources were useful because they exposed contradictions. They were not a substitute for the allocation file. A public record saying that an organisation holds a prefix establishes what the registry represented at that time. It does not establish that the organisation made a valid request, that the request was approved, or that the person changing the entry was entitled to do so.

The public nature of WHOIS can produce false comfort inside the institution as well. If staff see a block registered to an apparently coherent organisation, and the interface treats the current entry as the starting truth, the record begins to validate itself. A later support request may be accepted because it comes from the contact that an earlier unauthorised change inserted. A maintainer credential may then allow further amendments. With each transaction, the forged premise acquires a longer administrative history.

The antidote is not simply stronger authentication for the current contact. A compromised claim can be authenticated perfectly. The registry must preserve the root of authority: the original request, verified legal identity, policy evaluation, approval, contract where required, payment, prefix decision and every subsequent transfer or update. Changes to a contact or maintainer deserve particular scrutiny because they alter who can authorise the next change. A request to replace both the organisation identity and its access credentials is not routine maintenance; it is a potential change of control.

AFRINIC's later report says every WHOIS entity had been protected by a maintainer since August 2017 and describes PGP authentication for staff changes and power maintainers. Those are useful safeguards against unauthenticated editing. They do not answer whether an authenticated staff member was substantively authorised to make a particular change. Access control proves which credential acted. Governance must prove why the act was permitted.

That difference explains why monitoring cannot be reduced to account security. The relevant alerts are semantic as well as technical. A large block changed from available to delegated without a linked approved request; a resource reclassified as legacy; a dormant historical organisation given a newly registered email domain; several unrelated holders assigned common contact details; an organisation handle changed shortly before a transfer; or a prefix appearing in WHOIS but not in the membership system all require investigation even if every login succeeded.

The free pool and the legacy estate were different control problems

The later audit separated two broad classes of affected resources. The first comprised addresses that AFRINIC said had been misappropriated from its available pool and attributed to organisations without justification. The report quantified these at 2,371,584 IPv4 addresses. The second comprised legacy resources: allocations made before the mature regional registry system, migrated into AFRINIC's care, often without a current contract and sometimes attached to organisations that had changed name, merged, dissolved or lost knowledgeable contacts.

The distinction matters because the control tests differ. Moving a block from the available pool should require a contemporaneous request and decision. The inventory starts with AFRINIC as administrator of unallocated space. An unsupported delegation is therefore visible through the absence of a valid allocation event. The audit can ask: where is the request, who evaluated it, who approved it, what policy justified it, and how did the internal resource file change?

A legacy change presents a harder title problem. The block already has an historical holder. The registry may be asked to update a name, contact, corporate successor or maintainer. A defunct email address is not proof that the resource is abandoned. A newly active claimant is not proof of succession. The decisive file may include old registration data, corporate records, merger documents, correspondence and evidence from another registry. An employee who can replace stale contact details without independent verification can effectively select the person who will speak for an absent holder.

AFRINIC's report described features that made the legacy estate vulnerable: some holders had no contractual agreement with the registry; contacts could be retired or departed; organisations might be defunct or restructured; and some purported transactions included transfer of maintainer passwords. The report also recorded that historical contacts between 2012 and 2015 were sometimes updated to email domains that appeared to match the named holder but had been registered too recently to fit the organisation's supposed history. This is exactly the kind of anomaly that a registry can test automatically.

The two problems can converge. The audit said some resources that should have remained in AFRINIC's pool had been tagged as purported legacy space before becoming subjects of sale transactions. If accurate, that sequence shows why status fields are control variables, not descriptions. Reclassifying a block can move it from a process requiring a new allocation decision into a more ambiguous process framed as maintenance of an old entitlement. A system that protects allocation but permits lightly reviewed reclassification leaves a side door around its strongest gate.

A robust design would therefore treat status changes as privileged transactions. No single analyst should be able to declare a pool block legacy. The change should require evidence from historical delegated records, at least two approvals, automated comparison with the registry's received-pool history, and notice to an assurance function. The previous status should remain immutable. If a later reviewer cannot see both the old and new classifications and the authority for the transition, the registry has not preserved history; it has overwritten it.

Scarcity changed the threat, not the mandate

During 2013-19, IPv4 scarcity made control weaknesses increasingly valuable. AFRINIC entered the first phase of its final-/8 policy in 2017. Public markets and private transactions attached significant prices to addresses, while many old allocations remained underused, poorly documented or associated with dormant organisations. The gap between administrative treatment and commercial value created an obvious corruption hazard.

The market price should not, however, define the institutional wrong. IPv4 addresses are not bars of metal in a vault. The registry administers unique identifiers under community policy. The immediate harm from an unsupported allocation is that the institution makes conflicting or false claims about custodianship, deprives eligible applicants of scarce pool space, and exposes networks to later reversal. A secondary market amplifies the incentive and multiplies reliance, but the failure begins in the authority record.

This matters because spectacular value estimates can distort remedies. A headline may multiply the number of addresses by an observed price and announce a loss in tens of millions of dollars. Such an estimate can express scale, but it does not establish legal title, realised proceeds or recoverable damages. Nor does it tell the board which control failed. The relevant unit for governance is the unauthorised decision: how the block changed status, which evidence was missing, which account acted, what review should have stopped it, and how long the exception remained visible.

Scarcity should have caused AFRINIC to increase scrutiny before the scandal. Large allocations, legacy updates and changes to dormant records became economically sensitive transactions. An institution need not assume every employee is corrupt. It should assume that a valuable privilege will eventually attract error, pressure, collusion or abuse. Maker-checker approval, mandatory leave, rotation on high-risk queues, conflict declarations, independent exception sampling and automated anomaly detection are ordinary responses to that assumption.

The threat also extended beyond the first act. A block with a questionable registration could be routed through an unrelated network, leased to customers, used as collateral in a commercial arrangement or sold to a purchaser who believed the public record. Each additional party raises the cost of correction. That means timeliness is part of control effectiveness. An alert investigated three years later may help explain the past while doing little to prevent legal and operational entanglement.

What the retrospective audit actually proves

AFRINIC's 2021 report is indispensable and limited. It is indispensable because it identifies the institution's own categories, methods, counts and remedial controls. It says the later examination used internal resource files, WHOIS logs and history, delegated statistics, ticket records, membership and resource requests, reverse DNS, the Internet Routing Registry, external historical records, public reports and whistleblower information. That is close to the evidence set an effective continuous-control system should reconcile.

It is limited because AFRINIC authored it after the crisis, while legal disputes and a police enquiry were active. It states conclusions about misappropriation and rightful custodianship that may have been contested by affected parties. Readers should distinguish a registry's administrative finding from a final judicial determination. The report can establish what AFRINIC found and what actions it said it took. It cannot, standing alone, resolve every disputed block or establish the criminal liability of an individual.

The report's numbers reveal the complexity of repair. At November 2020 it listed 1,060,864 addresses reclaimed from the pool and placed in quarantine, 1,310,720 pool addresses still under review, 467,968 legacy addresses whose unsubstantiated changes had been reversed, 394,496 legacy addresses consolidated at the request of holding companies, and 936,704 legacy addresses under dispute pending determination of custodianship. These categories show that correction was not a simple delete operation. Some records could be restored, some required corporate consolidation, and many involved competing claims.

AFRINIC acknowledged that reversals were slow. Where multiple organisations claimed custodianship, it locked the addresses against further WHOIS change pending agreement or competent determination. Where holders did not respond to update requests and no objection was received, it said suspected updates were reversed and the addresses locked until a legitimate holder completed due diligence. Those actions may preserve the status quo, but they also demonstrate why prevention mattered: an allocation file that could have settled authority before the change became a dispute was no longer sufficient to do so cleanly afterward.

The report also described controls adopted or strengthened after discovery. It referred to automation, a planned change-control policy for additional checks and traceability, final senior review of resource and membership requests, a fraud and corruption policy adopted in June 2019, an independent whistleblowing platform launched in 2020, stronger verification for legacy updates, daily inconsistency reports between MyAFRINIC and WHOIS, comparison with delegated statistics, PGP authentication, qualified access by role and escalation of changes outside ordinary staff privileges.

These measures should not be read as admissions that none existed before. Institutions often describe improvements without publishing a precise before-and-after control matrix. But the list is analytically revealing. Each measure responds to a recognisable failure mode: automation limits discretionary shortcuts; final review interrupts self-approval; traceability preserves who changed what; reconciliation detects divergent records; qualified privileges reduce excessive access; independent reporting bypasses managerial suppression. The reform list points directly to the surfaces on which earlier assurance had been inadequate.

Logs that nobody challenges are only archives

It is tempting to imagine that complete technical logs would have solved the problem. They would have helped, but a log is not a control unless an institution defines what to detect, who reviews it, how quickly, and what happens next. A record showing that an authorised staff credential changed an organisation handle is neutral. An alert showing that the same person evaluated the request, approved the change and altered a large block is governance information.

Effective registry logging needs at least three layers. The event layer records authentication, actor, time, interface, entity, old value and new value. The authority layer links the event to the ticket, policy version, approval and evidence. The assurance layer records whether automated checks passed, whether a reviewer inspected the change, what exceptions arose and how they closed. Without the authority layer, a reviewer knows what happened but not whether it should have happened. Without the assurance layer, the institution cannot prove that anyone looked.

Logs must also be tamper-resistant and retained for the life of the relevant claim. IPv4 custodianship can outlast staff, systems and companies. A short operational retention period may be sensible for routine application traces but disastrous for the authoritative history of a /16. The registry should preserve a signed, append-only history of status, organisation, contacts, maintainers, tickets and approvals. Sensitive applicant material can be protected separately while hashes and references preserve integrity.

Alert design should follow value and pattern. Large prefixes, repeated changes by the same actor, updates outside ordinary hours, newly created organisations receiving substantial space, recently registered contact domains, reuse of addresses across otherwise unrelated holders, status changes involving legacy classification, and mismatch among authoritative stores are high-value signals. No single signal proves wrongdoing. Their purpose is to require a second pair of eyes while evidence is fresh.

Closure is as important as detection. Every alert should end in one of four recorded outcomes: authorised and supported, corrected as error, escalated for investigation, or accepted as a documented exception by a named senior officer. Repeated benign explanations should improve the rule. Repeated exceptions involving the same actor, organisation or broker should widen the review. An alert queue that grows without ownership creates the appearance of monitoring while allowing risk to age.

The board did not need to be a hostmaster

Directors cannot inspect every allocation. They should not try. Their responsibility is to make management demonstrate that the core registry remains accurate and that exceptions are contained. In a number registry, that duty cannot be satisfied by financial statements alone. The scarce inventory and the authority record are operational assets whose corruption can produce liabilities, litigation and loss of legitimacy without first appearing as an accounting discrepancy.

The board should have required a concise control report at every meeting. It could have included the number and address volume of new allocations; high-risk legacy changes; changes made outside standard interfaces; unmatched records among inventory, membership and WHOIS; open alerts by age; overrides; privileged accounts; unresolved conflict declarations; and audit findings by severity. The report would not expose applicant secrets. It would tell directors whether control was functioning.

Audit committee mandates published around the period referred to financial reporting, internal financial control, risk management, internal audit, information systems and technology governance. That scope was broad enough to ask about registration services. Yet public minutes from 2018 show the committee discussing recruitment of an internal auditor, while April 2019 minutes describe an internal audit plan covering corporate compliance, finance and accounting, registration services and business continuity. The existence of a plan is not evidence that the relevant tests were completed before the problem became public.

That distinction - mandate, plan, execution, finding, remediation - is the proper accountability chain. Boards often announce a charter and assume assurance follows. It does not. The committee must approve a risk-based plan, ensure the auditor has access and independence, receive findings, assign owners and dates, and verify closure. If registration services entered the 2019 audit plan only after years of growing scarcity, directors should ask why the core asset had not been subject to comparable operational testing earlier. If it had been tested, they should ask which tests failed to detect unsupported status and identity changes.

Individual knowledge remains relevant but is not the sole test. A director who received a specific warning and did nothing bears a different responsibility from one who was never told. The institution still cannot defend itself by saying the board lacked detailed knowledge if its reporting design kept material exceptions below the board's line of sight. Governance is partly the construction of that line.

Public reporting was an external control of last resort

The reports published by MyBroadband, KrebsOnSecurity and other outlets assembled public and commercially obtained records into a disturbing account. They traced historical entries, companies, domains, contacts and routing. Their work was valuable because it forced inconsistencies into a form that institutions and affected holders could no longer easily ignore. It should not have been the registry's primary detection mechanism.

Investigative reporting has different evidentiary standards from an allocation decision. Journalists can identify anomalies, seek comment and publish a supported inference. A registry reversing a record must determine authority block by block and provide due process to competing claimants. That difference is not a reason to dismiss reporting. It is a reason for the registry to ingest credible external signals as leads while conducting its own documented examination.

The reporting also carries limits. Price estimates vary with date, block reputation, transaction terms and market liquidity. Historical WHOIS services may contain incomplete snapshots. Corporate links can show control or association without proving that a particular resource transaction was authorised. Routing from a block does not by itself identify the party that changed registration. Responsible institutional analysis therefore attributes allegations, separates observation from conclusion, and avoids treating repetition as corroboration.

AFRINIC's later findings provided institutional support for the central concern: its report said internal staff may have acted with third parties, that APNIC's investigation led to disciplinary proceedings, and that a former hostmaster had abused rights and privileges. It also quantified pool resources it concluded had been attributed without justification. Those are serious findings. They still do not eliminate the need to examine the controls. On the contrary, the stronger the finding against an insider, the clearer the evidence that insider-resistance had to be part of the registry's design.

The most useful public question is not why an employee allegedly wanted to profit. Scarce resources create obvious incentives. It is why an institution holding daily inventory, tickets, change history and account data did not convert anomalies into a timely, independent challenge. Outsiders could see fragments; the registry possessed the joins. A control system should have made those joins routinely.

Repair requires a provable record, not a cleaner-looking one

After a scandal, there is pressure to make WHOIS look correct quickly. That pressure can reproduce the original error by treating publication as truth. A registry should not replace one unsupported holder with another because the second claim feels more plausible. It needs a recovery standard that preserves evidence, protects continuity and makes uncertainty visible.

First, the original state and complete change history should be frozen. Investigators need copies of tickets, messages, approvals, identity documents, logs, delegated statistics, routing observations and relevant corporate records. Second, access associated with a credible manipulation risk should be constrained without erasing evidence. Third, each block should receive a case record separating pool origin, legacy history, current registration, current use, claimant evidence and legal status.

Fourth, remedy should match confidence. A pool block with no valid request and a clear unauthorised path may be reclaimed, subject to notice and review. A legacy block with competing successors may need a lock while a court or agreed process determines custodianship. A current user that purchased in apparent good faith may have no superior claim against the rightful holder, but abrupt technical disruption can still harm customers. Registration correction, routing reality and commercial remedy are related but distinct questions.

Fifth, the registry should publish aggregate progress without prejudging cases. Counts by status, address volume, aging and remedy let members assess whether the institution is working through the problem. The public does not need private evidence or accusatory detail about unresolved claimants. It does need to know the scope, decision rules, review route and whether corrections are becoming faster.

Finally, the recovered file should be stronger than the pre-scandal file. It should contain the evidence supporting the final position, every notice, objection, decision, reviewer and operational change. Recovery is not complete when the current WHOIS entry appears tidy. It is complete when an independent person can explain why that entry is now authoritative.

A control architecture for a scarce public registry

The practical reforms are neither exotic nor punitive. Identity verification should be independent of the analyst advocating the request. Large allocations and legacy-control changes should require two approvals. The system should bind approved prefix, organisation and status to the execution command. Current and historical records should be append-only at the authoritative layer. Privileges should be role-limited, reviewed quarterly and removed immediately when duties change. No person should administer their own access.

Reconciliation should run daily across the resource inventory, membership records, ticket system, delegated statistics and WHOIS. High-risk differences should block further changes until resolved. The internal auditor should sample ordinary files and inspect every material exception, not merely confirm that a procedure exists. The audit committee should receive findings directly and track remediation. An independent reporting channel should allow staff, members and outsiders to submit concerns with protection against retaliation.

Conflict controls deserve equal attention. Employees involved in resource evaluation should disclose outside businesses, close financial interests and relationships with brokers or applicants. Declarations should be updated, tested against known counterparties and reviewed by someone outside the employee's management line. A declaration is not a ritual form; it should change case assignment and access when a conflict appears.

Metrics should resist averages that hide exposure. The board needs address-weighted exception counts, not only ticket-completion percentages. It should see the largest unsupported or unresolved blocks, the oldest exceptions, override frequency, concentration by actor and the time between first alert and containment. A single /12 anomaly deserves more attention than hundreds of harmless contact corrections.

Independent review should periodically attempt a cold reconstruction. Select a block from WHOIS and prove its path back to received inventory or historical delegation. Then select an approval ticket and prove its path forward to the exact published block. The two directions catch different failures. Forward testing finds approved actions that were executed wrongly. Backward testing finds public entries for which no sufficient authority exists.

Members should have a verification role without carrying the registry's burden. Periodic statements can ask a holder to confirm resources, contacts and maintainers. Non-response should trigger follow-up and heightened review, not automatic forfeiture. A holder should be able to obtain a change history for its resources and challenge an unauthorised amendment promptly. This distributes detection while preserving the registry's responsibility for its own acts.

The institutional verdict

Between 2013 and 2019, AFRINIC administered a resource whose scarcity and commercial utility rose sharply. Its public record carried authority far beyond the office that maintained it. The later evidence shows that some files and changes could not sustain the claims the registry had published, and that repair required a broad retrospective examination, external assistance, disciplinary action, locks, reversals and litigation-sensitive decisions.

Calling that outcome the work of one bad person is an evasion. An insider may initiate abuse, but only an institution gives that abuse durable authority. The allocation file should have forced each request through independent assessment, approval, execution, reconciliation and audit. The change history should have made exceptional acts visible quickly. The board should have known the condition of the control environment without needing to know every prefix.

The lesson extends beyond AFRINIC. Distributed Internet governance often celebrates trust, community and technical competence. Those virtues do not replace controls. A registry's legitimacy rests on the ability to prove that the person shown in its record received authority through a fair, documented and reviewable process. When it cannot do that, the loss is not merely a quantity of addresses. The institution has lost control of its own word.

Sources and analytical boundaries

The principal institutional evidence is AFRINIC's WHOIS Database Accuracy Report, read as a retrospective account by an interested institution rather than a final judgment in every resource dispute. RFC 7020 supplies the registry system's requirements of uniqueness and registration accuracy. AFRINIC's archived Consolidated Policy Manual version 1.0 shows the public policy environment in which staff exercised allocation responsibility. The 2018 annual report and published board material describe the formal audit remit and the development of internal-audit capacity. MyBroadband's December 2019 investigation supplies attributed public-record findings and is not treated as adjudication.

This analysis does not determine criminal liability, beneficial ownership, damages or the rightful custodian of any disputed prefix. It does not assume that every control described after 2019 was wholly absent before then. It evaluates the publicly visible authority chain and the institutional implications of AFRINIC's own later findings. Where the evidence supports only an allegation, administrative finding or inference, it is treated as such.