Russia Weaponizes Stolen Ukrainian IP Addresses to Disguise Cyberattacks Against Europe

3 December 2025 at 01:34

Ukrainian IP Addresses, IP Addresses, Digital Assets, Russia, Ukraine

Russian occupation forces in Kherson extracted login credentials from Ukrainian telecommunications operators through physical coercion, seizing control of IP addresses that Moscow now exploits to disguise cyberattacks and disinformation operations as originating from Ukrainian or European sources.

Despite Ukrainian appeals and clear sanctions violations, Amsterdam-based RIPE NCC, the nonprofit organization managing Internet number resources for Europe, the Middle East, and Central Asia, continues facilitating Russian access to these stolen digital assets while citing "neutrality" and insisting "the Internet is beyond politics."

The situation creates direct threats to European cybersecurity. Through stolen Ukrainian IP addresses, Russian entities can camouflage hostile operations as Ukrainian or European activity, making source attribution extremely difficult while undermining continental digital security.

Strategic Value of Stolen Digital Assets

IP addresses function as unique digital passports for devices connected to the Internet, providing information about geographic location and allowing data packets to be correctly routed across networks. These resources carry both economic and strategic value in an era where IP addresses are essentially exhausted globally.

One IPv4 address currently sells for 35 to 50 euros on shadow or semi-official exchanges. Major telecommunications companies own hundreds of thousands of such addresses, meaning the loss of even a few thousand units amounts to millions in losses, according to Oleksandr Fedienko, member of Ukraine's parliament and former head of the Ukrainian Internet Association.

Beyond economic impact, IP addresses carry strategic importance as government communications, banking transactions, and critical infrastructure signals pass through them. "Control over them is a matter of national security," Fedienko told Ukrinform, a state-run news agency. That is why the theft of Ukrainian IP addresses poses risks not only for Ukraine.

Occupation-Driven Digital Theft

After Russia occupied parts of Ukrainian territories in 2014 and 2022, numerous Ukrainian Internet service providers lost not only physical property but also IP addresses that were re-registered through RIPE NCC to Russian companies. Communication operators in occupied territories who legally received these digital identifiers were forcibly deprived of them.

"I know about a situation in Kherson where these resources were forcibly taken from our communication operators through tortures. Because they are not that easy to take without knowing the appropriate login and password," Fedienko stated.

Moscow's information expansion in occupied Ukrainian territories operates through state-owned unitary communication enterprises created under installed administrations. These entities use the largest blocks of stolen IP addresses, including State Unitary Enterprise of the Donetsk People's Republic Ugletelecom, State Unitary Enterprise of the Donetsk People's Republic Comtel, Republican Communications Operator Phoenix, and State Unitary Enterprise of the Luhansk People's Republic Republican Digital Communications.

Sanctions Violations and RIPE's Intransigence

Andriy Pylypenko, a lawyer working as part of an ad hoc group helping shape Ukraine's legal position regarding frozen stolen IP addresses, argues these entities play key roles in providing information support to the occupying regime. The enterprises facilitated sham referendums and elections in occupied territories, spread Russian propaganda, conducted cyberattacks against Ukraine, and channeled Internet access payments to budgets of illegal DPR and LPR entities.

In 2018, the Ukrainian Internet Association warned RIPE against cooperating with the DPR and LPR, but the organization refused to react, claiming IP addresses supposedly were not economic resources and therefore did not fall under EU sanctions. This position persisted until the Dutch Foreign Ministry clarified in 2021 that IP resources are considered economic resources under EU sanctions regulations, legally requiring RIPE to freeze registration of IP addresses held by sanctioned entities.

RIPE's board publicly disagreed with this interpretation, arguing that access to the Internet and IP resources should not be affected by political disputes. The organization requested a sanctions exemption, but the Dutch Foreign Ministry stated no legal basis existed for such blanket exemptions.

Criminal Liability and European Security

Several sanctioned entities from occupied territories have since been added to EU sanctions lists through the 16th, 17th, and 19th sanctions packages. "The only way for them is to freeze the relevant IP addresses and restrict access to them for sanctioned entities," Pylypenko emphasized. In addition, the head of an organization that violated the EU sanctions regime is held responsible for committing a crime as defined by law.

Over the past three years, at least 70 companies and individuals have been prosecuted in the Netherlands for violating EU sanctions against Russia. The Dutch Public Prosecutor's Office recently launched a criminal case against Damen Shipyards and its executives on charges of corruption and international sanctions violations.

NATO formally recognized cyberspace as an operational domain and battlefield at the 2016 Warsaw Summit, affirming that significant cyberattacks could trigger collective defense responses under Article 5. Ukrainian experts warn that RIPE's inaction, combined with political influences and approaches to liberalism, creates risks for European security infrastructure.

50,000 CCTVs Hacked in India: Intimate Hospital Footage Sold Online

19 November 2025 at 02:28

cybercrime CCTV Hacking

A disturbing case of hacking CCTV systems in India has exposed a widespread cybercrime racket through which intimate videos from a maternity ward were stolen and sold online. Police in Gujarat state say the discovery has raised concern for surveillance practices in a country where cameras are routinely placed across public and private spaces.

The case came to light earlier this year when Gujarati media outlets detected several videos on YouTube. These clips, taken inside a maternity hospital, showed pregnant women undergoing medical examinations and receiving injections in their buttocks.

Each video carried a link directing viewers to Telegram channels where longer versions of the footage could be purchased. To protect the privacy of those filmed, the city and the maternity hospital's name have not been disclosed.

From a Single Hospital Breach to a Nationwide Cybercrime Operation

The hospital director told the BBC that the cameras had been installed "for the safety of doctors" and to guard against false allegations. None of the women seen in the videos has filed police complaints.

Once alerted, investigators uncovered what they described as a massive nationwide cybercrime racket. Police say hackers had infiltrated at least 50,000 CCTV systems throughout India and were selling footage taken from hospitals, schools, residential complexes, offices, malls, and even private homes.

Many of the stolen clips were marketed for prices ranging from 800 to 2,000 rupees, while some Telegram operators reportedly offered live feeds through subscription-based access. According to officers, the case demonstrates how a single CCTV hack can compromise thousands of devices due to weak digital protection.

Arrests, Charges, and the Spread of the Network

Arrests connected to the network have been made since February, spanning Maharashtra, Uttar Pradesh, Gujarat, Delhi, and Uttarakhand. The suspects face charges under laws addressing privacy violations, cyberterrorism, voyeurism, and the publication of obscene material. Police noted that no patient or hospital lodged an official complaint, largely due to fear of exposure and social stigma. Instead, a police officer formally initiated the case to prevent the matter from being dropped.

The breach reflects the widespread vulnerabilities built into India's surveillance ecosystem. Many CCTV units operate with default passwords such as "Admin123," a practice investigators say aided the hackers. Officers reported that the group used brute-force tools to access networks, enabling them to capture feeds from thousands of locations. Specialists advise users to periodically change IP addresses and passwords, conduct routine audits of their systems, and adopt stronger security measures for both home and professional networks.

Growing Concerns About Surveillance and Privacy

The proliferation of CCTV across India, from hospital wards to private apartments, has created fertile ground for CCTV hacking incidents that expose sensitive footage and disproportionately affect women, who often hesitate to report breaches due to stigma. Despite government efforts to tighten digital security, gaps remain, and this latest breach highlights how quickly insecure systems can be exploited and sensitive data spread online. Platforms like Cyble offer a proactive solution, leveraging AI-native intelligence to monitor dark web activity, detect vulnerabilities, and prevent cybercrime before it impacts victims. Organizations looking to protect their networks and gain real-time threat visibility can schedule a free demo with Cyble to experience how its agentic AI hunts, predicts, and neutralizes threats autonomously, keeping security teams ahead of hackers.