Today at 14:39
At a time when cyber threats have become a new weapon, Europe is facing an invisible but very real danger. Russia is using Ukrainian digital resources seized during the occupation of parts of Ukrainian territory for cyberattacks and disinformation operations. This is not about abstract technologies, but about specific IP addresses—digital “passports” of networks through which all internet traffic passes. This is discussed in a Ukrinform report, UATV English says.
As a result of Russia’s occupation of parts of Ukraine in 2014 and 2022, a number of Ukrainian internet providers lost not only their property but also their IP address resources, which were taken over by Russian companies. Formally, these resources were re-registered through RIPE NCC, an international non-profit organization headquartered in Amsterdam. Despite appeals from Ukrainian lawyers and the Internet Association of Ukraine, RIPE is refusing to respond, citing “neutrality” and the slogan “the internet is outside politics.”
What is an IP address and why it matters
An IP address is a unique digital “passport” of every device or network connected to the Internet. It shows where traffic comes from, where data is sent, and allows systems to communicate with each other.
Each address belongs to a specific range allocated by RIPE NCC, the regional internet registry for Europe, the Middle East, and Central Asia. IP addresses are not unlimited, and getting new ones today is extremely difficult.
“Any number sequence in these digital identifiers is limited. There are virtually no free IP addresses left in the world, so they become highly valuable. They are already seen not just as a technical resource, but as an economic asset that can be monetized,” Member of Parliament and former head of the Internet Association of Ukraine Oleksandr Fediienko explained in a comment to Ukrinform.
So IP is a limited economic asset, similar to land or mobile-spectrum frequencies. According to experts in the IP resources market, on shadow or semi-official exchanges one IPv4 address currently costs between €35 and €50. Large telecom companies own hundreds of thousands of such addresses, so losing even a few thousand units means multi-million euro losses.
Beyond the economic aspect, IP addresses also have strategic value. Government communications, banking transactions, and signals of critical infrastructure pass through them. Therefore, control over them is a matter of national security.
That is why the theft of Ukrainian IP addresses creates risks not only for Ukraine.
Through these resources, Russian structures can disguise their cyberattacks as Ukrainian or European, making it harder to trace the source. This puts the digital security of the entire continent at risk.
How RIPE NCC works
RIPE NCC is one of five regional internet registries in the world. The organization was conceived as a technical community independent of politics—but today aggressor states exploit exactly this principle.
After obtaining IP addresses, a company becomes part of the RIPE system, gains access to the technical platform, and can participate in voting and elections of the organization’s governing bodies. According to Fedienko, this is what enables the Russian side to influence RIPE decisions, because it controls a significant number of IP resources.
Ukraine for a long time remained passive in RIPE processes, while Russia systematically built its influence.
“Over many years, the Russians effectively captured RIPE. They brought their people into the board—among them citizens of EU countries affiliated with Russia. We, for our part, also tried to get our representative in there even before the full-scale war, but it never worked. Because those same Russians would immediately push a narrative: allegedly, Ukraine is a small country, it has few resources, and Russia is big—so it should have more,” the MP added.
Fedienko stresses: the theft of IP addresses is a direct consequence of occupation, accompanied by torture and coercion. Communications operators in the seized territories, who legally obtained these “digital passports” through RIPE NCC, were stripped of them by force.
“I know there was a situation in Kherson where they forcibly took these resources from our telecom operators—they tortured them. Because you cannot just take them like that. You need to obtain the relevant login and password,” Fediienko says.
After gaining access, the Russians submitted requests to RIPE to re-register the resources, and the international registry—referring to its “apolitical” stance—made the changes. The MP emphasizes that this poses a direct security threat.
Moscow’s information expansion in the temporarily occupied territories is carried out through specific “state” unitary communications enterprises and telecom providers created by occupation administrations. They are the ones using the largest pools of stolen IP addresses.
Such structures include:
- “State Unitary Enterprise of the Donetsk People’s Republic ‘Vuhletelekom’”;
- “State Unitary Enterprise of the Donetsk People’s Republic ‘Komtel’”;
- “Republican Communications Operator ‘Phoenix’”;
- “State Unitary Enterprise of the Luhansk People’s Republic ‘Republican Digital Communications’.”
This is only part of the list of enterprises involved in the information expansion.
A hidden shield for Russian cyber aggression
Andrii Pylypenko, a lawyer at a law firm that defended Ukraine’s interests in the Netherlands in the court case over the return of the Scythian gold collection to Ukraine and in the criminal case in Italy involving National Guard serviceman Vitalii Markiv, is now part of a special group helping form Ukraine’s legal position on forcibly blocking the stolen IP addresses. He says these structures play a key role in information support for the occupation regime and have long been under sanctions—something RIPE NCC “obviously fails to notice.”
“They not only expropriated IP addresses, but under the guise of providing access to ‘their internet’ they actively took part in illegally holding referendums and elections in the occupied territories, publicly called for them, and in various forms campaign in support of the aggressor’s actions. They also provide access to digital coordination infrastructure for the occupation authorities and their ‘bodies’ and armed formations, spread Russian propaganda, and carry out cyberattacks against Ukraine,” the lawyer explained.
In addition, these structures collect money from residents of the occupied territories for internet access, which is then used, among other things, to further fill the budgets of the illegal entities “DNR” and “LNR” and local occupation authorities, to finance terrorist and subversive activities aimed at harming Ukraine’s sovereignty and national security.
“The fact that RIPE does not sever relations with these enterprises located in occupied territory is used by Russian propaganda to legitimize those territories and say: look, Europe recognizes us,” the MP emphasizes.
This stolen resource becomes a hidden shield for Russian cyber aggression. If Ukraine has blocked most Russian digital identifiers, the stolen ones have not been blocked.
“Stolen Ukrainian digital identifiers are not blocked in our system. They can use them. It’s like a car with Ukrainian license plates driven by a Russian who tries to blow it up. What will the media report afterward? That a Ukrainian car exploded. But no one will mention who the driver was. Roughly the same story is happening here,” Fediienko says, explaining the mechanism of masking cyberattacks.
Criminal liability for “apolitical neutrality”
RIPE NCC’s inaction has long gone beyond a technical issue and moved into the legal realm. Pylypenko explains that back in 2018, the Internet Association of Ukraine warned RIPE about cooperation with “L/DNR,” but the organization refused to respond, claiming IP addresses were allegedly not an “economic resource” and therefore not subject to EU sanctions.
That continued until the Dutch Ministry of Foreign Affairs—the state body responsible for interpreting sanctions—issued a clear clarification.
“The Ministry of Foreign Affairs clarified to RIPE NCC that IP resources are an economic resource that must be blocked. When they realized this, they came up with a new argument: we don’t see which sanctioned persons we provide services to. They demanded: ‘Show us where DNR/LNR are on our membership lists.’ Of course, illegal quasi-state entities cannot be members, but the members are the entities they control—the same ‘ministries’ and ‘state institutions’ created by the occupiers,” the lawyer explains.
And this is despite the glaring fact that even in RIPE’s official database these illegal structures openly and with impunity indicate full information stating that they are “state enterprises” of the so-called “DNR” or “LNR,” without any consequences.
In 2021, the President of Ukraine took this issue under personal control, instructing officials to develop mechanisms for returning or disconnecting IP resources of illegal quasi-state entities in the occupied territories.
At the end of 2021, a mechanism of returning to the competent authorities of the Kingdom of the Netherlands was discussed, but the process was halted by the full-scale invasion.
The issue was revisited starting in summer 2022.
“Then we held direct consultations with the head of RIPE and the leadership of their legal department. We explained: now, after the full-scale invasion, the world’s political context simply forces you to act… No one will do anything to you if you block their [the Russians’ in occupied territory] IP addresses—people will only applaud, especially since you have all the legal grounds,” Pylypenko recalls.
This communication with RIPE NCC leadership and their legal services continued in various formats throughout 2023, but the organization’s position remained unchanged.
Instead, RIPE NCC published an article about “disputed territories,” confirming it would continue accepting documents from “DNR/LNR,” citing the protection of “freedom of access to the internet.”
“We repeatedly explained how EU legislation applies—it clearly says: if ‘L/DNR’ are included in sanctions, then all entities they control are also automatically covered. It’s like if I am sanctioned, then my hand is also sanctioned,” the lawyer continues.
RIPE NCC even refused to add to its internal rules a ban on accepting documents issued by occupation administrations, despite the fact that under Dutch law such documents have no legal force whatsoever. In practice, by signing contracts with sanctioned entities and providing them with an economic resource, RIPE NCC violated the EU sanctions regime, which creates grounds for criminal liability for the organization’s leadership. Meanwhile, the organization denies direct cooperation with sanctioned persons and shifts responsibility to an outsourcing company that allegedly provides membership screening services.
At the same time, Ukraine successfully provided the EU with a documented database of entities on the occupied territories, after which they have been added to EU sanctions lists one by one (for example, “Komtel,” “Phoenix,” and others were directly included in EU sanctions lists, including in the 16th, 17th, and 19th sanctions packages). This means the EU has obtained sufficient evidence showing harm to Ukraine’s state interests, national security, and sovereignty, and that any cooperation with such entities is not only prohibited but also entails severe consequences, including at the level of EU member states, particularly in the Netherlands.
“As we understand it, they [RIPE] can no longer use such excuses today. The only path for them is to freeze the relevant IP addresses and restrict access to them for sanctioned entities. Moreover, the head of an institution that violated the sanctions mechanism usually bears criminal liability. In the Netherlands, this is an aggravated crime,” Pylypenko emphasizes.
In the Netherlands, criminal cases have repeatedly been initiated for violating or circumventing EU sanctions. Over the past three years, at least 70 companies and individuals have been held liable on charges of violating EU sanctions imposed on Russia due to Russia’s full-scale war in Ukraine.
Recently, the Dutch prosecutor’s office officially opened a criminal case against one of the country’s largest shipbuilding companies, Damen Shipyards, as well as its current CEO and two former board members, over corruption and violations of international sanctions against Russia.
Ukraine is fighting not only for sovereignty in cyberspace but also to deprive the aggressor of a financial resource.
“We are taking huge money away from the Russians (meaning if we return our stolen IP resource—ed.), which they could get by selling those IP addresses. In fact, that isn’t prohibited. We are fighting not only for information resources—we are also fighting to ensure they don’t later use the money obtained this way against us,” Fediienko stresses.
Experts interviewed by Ukrinform note that RIPE NCC’s activities, combined with certain political influences and approaches to “liberalism,” may create risks for Ukraine’s national security under conditions of hybrid war.
“I’m confident we will be able, first of all, to highlight to the European security sector that RIPE needs to be brought under the oversight of European regulatory and state institutions. Because right now it is accountable to no one. That is, we Ukrainians may even become pioneers on this issue,” the MP believes.
He argues that RIPE NCC, which effectively holds a “red button” for part of the European internet space, must be put under control. Otherwise, inaction in cyberspace—which NATO recognized in 2016 as a domain of military operations—becomes a direct threat to the entire continent.
Marina Shashkova, Ukrinform
