AS29073, the most fucked-up network ever (before quasi networks)

This network has existed for more than 10 years and is known for what they host. Over the weekend, I stumbled upon an interesting blog called “Bad Packets”, where a fellow named Troy has written about various unsavory goings on involving various networks. One network that he called out in particular was AS29073 (today AS202425), formerly called “Quasi Networks” and now “IP Volume”. on his blog, this fellow Troy has noted at length some break-in attempts originating from AS29073 and his inability to get anyone, in particular RIPE NCC, to give a damn. The Master Needler, A Conversation with Ripe, Quasi Networks responds as we witness the death of the master needler.

The fact that RIPE NCC declined to accept the role of The Internet Police didn’t surprise me at all… they never have and probably never will… but I decided to have a quick look at what this newtork was routing, at present, which can be easily see here:

So I was looking through the announced routes for AS29073, and it all looked pretty normal… a /24 block, check, a /24 block, check, a /21 block check… another /24 block, and then … WAIT A SECOND! HOLY MOTHER OF GOD! WHAT’S THIS??? !!! So how does a little two-bit network with a rather dubious reputation and a grand total of only about a /19 to its name suddenly come to be routing an entire /14 block?? And of course, its a legacy (abandoned) Afrinic block.

BREIN is Taking Infamous ‘Piracy’ Hosting Provider Ecatel to Court (

And of course, there’s no reverse DNS for any of it, because there is no valid delegation for the reverse DNS for any of it… usually a good sign that whoever is routing the block right now -does not- have legit rights to do so. (If they did, then they would have presented their LOAs or whatever to Afrinic and thus gotten the reverse DNS properly delegated to their own name servers.)

I’ve seen this movie before. You all have. This gives every indication of being just another sad chapter in the ongoing mass pillaging of unused Afrinic legacy IPv4 space, by various actors with evil intent. They already documented this hightly unfortunate fad right here on multiple occasions: November, August

This incident is a bit different from the others however, in that it -does not- appear that the block has been filed to the brim with snoeshoe spammers. Well, not yet anyway. But if in fact the stories are correct, and if AS29073 does indeed have a history of hosting outbound hacking activities, then the mind reels when thinking about how much mischief such bad actors could get into if given an entire /14 to play with. (And by the way, this is a new world’s record I think, for largest singe-route deliberate hijack. I’ve seen plenty of /16 go walkabout before, and even a whole /15. But an entire /14?? That is uniquely brazen.)

ipv4 from quasi networks

In addition to the above, and the points raised within teh Bad Packets blog (see links above) I found, via passive DNS a number of other causes for concern about AS29073, to wit:

(In addition to the above, I’ve also found plenty of additional domain names associated with AS29073 which incorporate the names “Apple” “AirBnB”, “Facebook”, and “Groupon”, as well as dozens of other legitimate companies and organizations.) I confess that I have not had the time to look at any of the web sites that may or may not be associated with any of the above FQDNs, but the domain names themselves are certainly strongly suggestive of (a) the possible hosting of child porn and also and separately (b) the possible hosting of phishing sites. So, given the history of this network (as is well documented on the Bad Packets blog) and given all of the above, and given what would appear to be the unauthorized “liberation” of the entire block by AS29073, one cannot help but wonder Why does anybody still even peer with these jerks?

The always helpful and informative web site indicates that very nearly 50% of the connectivity currently enjoyed by AS29073 is being provided to them by Level3. I would thus like to ask Level3 to reconsider that peering arrangement in light of the above facts, and especially in light of what would appear to be the unauthorized routing of the block by AS29073. Surprisingly, given its history, AS29073 apparently has a total of 99 different peers, at present, and I would likewise ask all of them to reconsider their current peering arrangements with this network. I am listing all 99 peers below.

Before I get to that however, I’d liek to also note that there currently exists, within the RIPE Routing Registry, the following route object: hosted websites

origin: AS29073
mnt-by: EC42500-MNT
mnt-routes: EC42500-MNT
mnt-routes: M247-EU-MNT
created: 2017-03-28T21:47:03Z
last-modified: 2017-08-11T19:58:39Z
source: RIPE

I confess that I am not 100% sure of the exact semantics of the “mnt-routes” tag, but it would appear from the above that the UK’s M247 network (AS9009)… which itself is not even peering with AS29073… appears to have, in effect countersigned the above RIPE route object, vouching for its correctness and authenticity as they did so. Why they would have done that, especially given that they themselves are not even peering with AS29073, is, I confess, beyond me. But I would love to have them explain it, or even try to explain it. It’s enigmatic, to say the least. Anyway, the “created” date in the above record seems to be consistant with that actual start of the announcement of by AS29073, which the RIPE Routing History tool says occured sometime in March of this year.

One additional (and rather bizzare) footnote to this whole story about the block has to do with the entity that allegedly -is- the current rightful owner of the block (as far as Afrinic is concerned). That entity is designated by the Afrinic handle ORG-IA41-AFRINIC and that in turn has an admin-c and tech-c of NAIT1-AFRINIC. The record for that handle is as follows:

person:          Network and Information Technology Administrator
address:        Unit 117, Orion Mall, Palm Street
address:        Victoria, Mahe
address:        Seychelles (SC)
phone:          +972-54-2203545
e-mail:          info at
nic-hdl:         NAIT1-AFRINIC
changed:      info at 20150725
source:         AFRINIC

Upon fetching the current WHOIS record for I found it more than passing strange that all of the contact details therein are associated *not* with anything in Africa, nor even anything in the home country of AS29073 (Netherlands) but rather, the address and ophone numbers therein all appear to be ones associated with a relatively well known Internet attorney in Santa Monica, Califiornia by the name of Bennet Kelly. As it happens, in the distant past (about 10 years ago) I personally crossed swords with this particular fellow. He may

bad packets biggest enemy

be a lot of things, but it never seemed to me that stupid was one of them. And indeed the domain name and all of its connections to the block appear to date from 2015… long before AS29073 started routing this block (which only started in March of this year).

So, my best guess about this whole confuseing mess is that the -original- legitimate owners of the block most probably sold it on, in a legitimate transaction, to some other party in 2015, where that other party was/is represented by Mr. Bennet Kelly, Esq. And my guess is that neither he nor the new owners, who he represents, even know that their expensive /14 has gone walkabout, as of March of this year. I will be trying to make contact with Mr. Kelley today to discuss this with him and will post a follow-up if any new and interesting information arises from that conversation.

Peers of AS29073:

The Group

Many from the scene, especially from Germany, know the group and the old Kinox and Movie4k all originate from and Movie2k. There have been rumours and speculations about who the operators might be. Since the foundation of the portals, the German authority has been working to remove them from the net. It is assumed that the largest Warez and Stream portals in Germany belong to the same operators. These sites are,, and They have the same Cloudflare connections and even before they knew that many of the sites are on the same servers. Among other things it was also said that they belonged to and also these web pages are operated by the same persons. For years was the most famous stream portal in Germany and left the biggest headlines behind. The revenues were in millions in one month. Everything about Kinox, and its history can be read on Tarnkappe (German), or Torrentfreak (English).

My blog post is not about the Warez portals themselves. It’s about the phenomenon of their hosting providers that were used in the past. There used to be very large stream and file hosting sites. These called themselves as follows:,,,, and others. The business model of at that time was not only to run a stream portal, but to run several portals. It even went so far that own hosting and stream hosters were founded to earn money through premium. It was a real business where you could earn a lot of money. That’s exactly what happened. They had reached their goal and thus also the great attention.

Many still have a big question mark. How could a new portal like be created after was taken off the net and the companies were arrested after about two days? It went relatively fast and the copy of appeared after two days out of nowhere and was able to get the throne. It is speculated that belongs to the same operators and until today it was suspected that the real operators were caught although they were not caught or only a part of it?

akrino inc

Even later, after went online, the same DDoS protection from Akrino Inc was used as it was for Akrino Inc was a private and expensive DDoS protection in the form of a reverse proxy that could only be obtained through Russian Business Network contact. Through an inquiry at RIPE you got the mail from Akrino, but you didn’t always get an answer from them.

Then there’s another question I’m asking myself today. Why are and still online today? The subpages are no longer available but you can still see the start page today. Both portals have been inactive for more than 5 years but are still online. Such portals were a part of the old team and were still online after the bust of The German authorities used to think that after the arrest of several portals would go offline which didn’t happen. Some hosting operators were arrested who cooperated with and also later cooperated with the German GVU. was in its time a real company with many employees and partners. There were even some Hetzner employees who cooperated with to earn some money. had all its storage servers at Hetzner. An employee of Hetzner who also knew what was distributed on cooperated. Russian Business Network cooperated with various hosting services that were used. Ecatel, Dragonara and Akrino were all involved.

cloudflare scan

The Kreshnik and Kastriot Selimi brothers from Kosovo are suspected of having run the group. But I still suspect that both brothers are innocent and not the right operators. The German police accuse the brothers of violence, weapons, coercion, arson and threats. But if you look at the pictures of the two brothers, this can hardly be possible. They simply look like two innocent nerds. The German police themselves do not know who the operators are. They speculate and wait until the operators make a mistake, which they didn’t make after went offline. They search for the Selimi brothers and the Warez pages are still online today. Many things don’t make sense and it is questionable how Germany operates against them. Much is veiled and lied. Therefore these Warez pages are a phenomenon today. Many suspect honeypots behind the portals and don’t even want to work with them anymore.

If you scan the Cloudflare name servers or the SSL, you will see how many domains are actually involved with Kinox. Of course this does not mean that all domains are involved. It only means that on the same name there are also domains that others use. But certain domains stand out and one can only think that they must have almost a connection. Like on the photo with

What my thoughts on the whole Kinox Group are, I’ll keep my hands off it. A whole group of operators cooperating with RBN. Have fingers on almost all Warez pages. In principle they control the whole German Warez scene. Be it a hosting operator, proxy provider, stream hoster or just a DDL site. It could also be that a Hetzner employee runs the whole site if they were already involved before? They always say your friend is the biggest enemy and I think it is the same with all these Warez pages. I guess Kinox is run by someone the police would never think. What is your opinion about these portals?

Now it happened with Openload

wjunction users

What I had suspected for months has now also happened with Openload, Streamango and Streamcherry. Rapidvideo had given the go-ahead and now another one follows. It will not be the first hoster to make this decision. There will be some more to follow, I’m sure. Openload announced yesterday around midnight to completely remove their Pay-Per-View system. Users who should have more than 20$ on their account still have the possibility to pay out. Payouts can still be made until April 30th.

Many Wjunction users thank Openload for years of loyalty and a service they could offer. There has never been such a stream host in the streaming scene as Openload. Years ago Streamcloud was number one with an Alexa rank of 500 and Openload made it to the top up to Alexa 105 with 230 million unique visitors per month. Openload accounted for 0.8% of worldwide traffic on the Internet. Openload caused more traffic than HULU or HBO Go. After such a big announcement of Openload, many loyal users and big uploaders will have to put an end to the service. However, it probably doesn’t mean the end of Openload. If a company gets a monopoly position, it is still needed, even if it doesn’t offer anything. Through years of offering, there are uploaders who have become accustomed to the service. Especially visitors. Watch the video of Sandvine to see the Global Traffic Consumption. Global Internet Phenomena report 2018.

wjunction right now

This decision only leads to the drastic changes in the file hosting scene that I wrote some time ago. Big law changes in Europe, the eCPM are extremely pushed down. Adblocker user numbers have almost doubled the last five years. This also means that Pay-Per-Download and View is simply no longer profitable for webmasters today. Small hosting providers like Vidoza or GOUnlimited can still hold their own relatively well. The reason is simple, because the traffic from these sites is not as high as the traffic from Rapidvideo and Openload. The bigger the traffic, the less you earn through the eCPM of the advertisers. Also Vidoza and GOUnlimited have to decide sometime. What we can think, however, is that PPS will be up to date again. Previously there was only PPS on Duckload,, Freakshare or Bitshare. At some point there came a new trend reversal with PPV which seems to disappear again and PPS becomes in.

If an experienced hosting provider like Openload has decided for something like this, there must be reasons for it. This does not happen without a reason.

the new openload?

But it was interesting in the thread of Openload itself. A user shared a page called The site is exactly the same as Openload and you can import the links from Openload to Verystream without having to upload them. It looks like Verystream belongs to Openload. However, so far there has been no official confirmation nor is there an official support thread on Wjunction from this website. That’s why we can only speculate at this time.

The operators of GOUnlimited can now benefit from this whole thing. In a short period of time Rapidvideo and Openload have simultaneously stopped the PPV. GOUnlimited benefits from the whole thing and now has to cope with the massive traffic. This is how the admin of GOUnlimited on Wjunction describes the whole thing. I had already wondered about this hoster before how it is possible to ignore so many deletion requests from companies in the USA. GOUnlimited ignores almost all DMCA requests. We are curious about the whole development and so it looks as if GOUnlimited will take the monopoly at the moment. We hope the best and much success for the whole stream and filehoster webmasters.

affiliate threads @ wjunction

Many uploaders of Wjunction are very suspicious of this whole thing of GOUnlimited. There is almost no trust in the service because they suspect that GOUnlimited would eventually disappear from the net. GOUnlimited moves very deep in the grey area. So far, amazingly enough, the whole scene is very quiet. Many webmasters have not responded to Openload’s action. Maybe many welcome it because they can intercept the traffic as well as GOUnlimited does? Or are there already fierce discussions that some operators should follow? We will see what else will happen. On my blog you will stay up to date. In the comments you can give your opinion.

More information can also be found on Tarnkappe. But only in German.

Drastic changes for filehosters

In the next few years we will experience a revolution in the Internet. I am very convinced of that. Not in the sense of the whole Internet, but in the file hosting industry. Articles 13, 17, 11, Adblocker and advertising companies force filehosters to make massive changes. You guys have to understand the whole thing with articles 13, 17 and 11 all changed again. Adblock numbers have increased rapidly because even the stupidest users use Adblockers today. Advertising companies have pushed the CPM so hard that PPD (Pay Per Download) is no longer profitable today. Only PPS (Pay Per Sale) is profitable. Not only that, the advertising companies are forced today by some governments that they require personal data. There has never been such pressure before. Here for example you can read more. As if this wasn’t enough, the most used browser called Google Chrome has now brought an update that even blocks most pop-ups and ads. That was another slap in the face for all filehosters who actually need income to finance their servers.

We have to admit, we don’t live in golden times anymore where we could earn more than 100$ as webmaster for 20k impressions a day. Today it is for 20k impressions from the same countries with 100 times less CPM only maybe 10$. That is 90% less than 8 – 10 years ago in the file sharing scene. The times when streamhosters like Streamcloud, Duckload,, Filebase, Freeload and many other providers could earn a golden nose is no longer possible today. Also the Movshare group like Nowvideo, Videoweed or the group with Fileserve could enrich itself. Filehoster services such as Uploaded, Share-Online and Rapidgator can actually only keep themselves in the stable level through premium revenue. Even these sites would not be able to achieve anything without the revenue. At the moment there are 4 factors that put extreme strain on filehosters. Uploaded is also massively under pressure and will no longer be able to withstand this. Even a secure place like Switzerland is no longer as secure as it used to be.

A court decision for Rapidshare is still awaited

What filehosters are putting under extreme pressure at the moment:

  • Articles 13, 17, 11 put the file hosters under extreme pressure. This new law has caused extreme upheaval in some countries. Countries like Switzerland are also affected. There, for example, is Uploaded.
  • Adblockers have increased dramatically and the CPM are no longer profitable for filehosters. Bandwidth is still too expensive in Europe even if server prices have become cheaper over the last 10 years. Only PPS is profitable and no longer PPD.
  • Advertising companies like PropellerAds, PopAds that were once safe started using KYC. (Know Your Customer). Now it is mandatory to collect data and personal data from website operators because certain governments require it due to the high pressure. And no filehoster wants to give away data even if the site is on a legal level. Megaupload was also legal and Kim Schmitz was still fucked in the ass.
  • All over the world 80% Google Chrome is used on PCs and this browser will bring a big anti-advertisement update this summer.

Also Rapidshare had his company in Switzerland like Uploaded. Even though Switzerland may be a safe place because of the lax Internet laws, it could be dangerous for uploaded.

Rewards at Openload

On Wjunction some topics are hotly discussed as to why payments are no longer so regular. Many uploaders and well-known uploaders complain about the current situation and some even fear about its existence, because otherwise they could not earn anything more. Wjunction is still a webmaster forum for file sharing services. There are still many uploaders and official threads for filehosters. But also in this forum the activity has drastically decreased if you compare the numbers of the last 8 years. There are always new filehosters that open new topics on Wjunction but close later again because they are simply mistaken in this industry. Today there is only a small amount of successful filehosters left. Exactly because of the reasons that were listed above. It is said again and again that Openload delivers the payouts more and more late. Uploaded delays the payouts also massively and also in other filehoster topics rumors circulate again and again that payouts are delayed. Are some filehosters in a bottleneck? Some uploaders from the scene do not want to realize what is happening or do not understand the current situation. However, it is obvious what is happening here. The internet is changing again due to laws and the technology you have to adapt to.

We are curious how big providers like Rapidvideo, Openload, Vidoza will react and what the next steps will be. Here you can discuss what you think about the current situation. It is also very obvious that currently the Warez Scene is slightly inactive. Since the boom of Netflix and Spotify there are sites that are simply too unattractive for the world. Maybe it’s just in today’s digitalization? Because people are too lazy? I will keep you up to date on everything here on my blog.

Geoblocking because of Article 13?

Click on the picture to see the video

The first stage or the first consents of Article 13 have been approved by the European Union. This will stir up the content industry. However, the Content Mafia can cheer and welcome this decision. After years of debate and negotiations, politicians have passed sweeping changes following a final vote in the European Parliament. The changes have proved controversial, with critics being opposed to two specific parts of the law: Article 11 and Article 13. They form part of the wider regulations which were passed. The European Union Directive on Copyright in the Digital Single Market, to use its full name, requires the likes of YouTube, Facebook and Twitter to take more responsibility for copyrighted material being shared illegally on their platforms. It’s become known by the most controversial segment, Article 13, which critics claim will have a detrimental impact on creators online. YouTube, and YouTubers, have become the most vocal opponents of the proposal. But despite Article 13 and the Directive on Copyright being passed by EU regulators, it will now have to be implemented by the individual countries within the Union. To help clear things up, here’s WIRED’s guide to the EU Directive on Copyright.

What does this mean for filehosters or site operators with sensitive content?


There will actually only be two options, maybe a third one which would be very unlikely.

The first option would be to completely remove the server locations from the European Union, where Article 13 laws do not apply. The best server location with good connectivity would be Switzerland. Because Switzerland will not accept Article 13 at the moment.

As a non-EU country, the new EU copyright law, once in force, will not apply to Switzerland – theoretically. After all, it can hardly be assumed that large international companies will develop the upload filters required by the EU but not apply them to Switzerland. Rather, it can be assumed that Switzerland will be treated like the other EU countries.

The second option would be that website operators would simply add geoblocking to their site and countries where Article 13 came into force would be filtered. This would also be one of the ways to protect yourself.  The development is dangerous for “European innovation” and start-ups. And an incentive will be created for non-European sites to simply block all EU users by geoblocking.

The third option that I think is very unlikely is that website operators would develop an upload filter. Especially for small sites this would be impossible because the effort and programming is too expensive. It is not technically possible, and it would mean the demise of social media and communities.

Then people will just circumvent that by using a VPN. Using a VPN for that purpose does not break any laws in either the EU or the United States, no matter what some commenters over on Techdirt have told me. For it to be a DMCA violation, you have to be making money, that is what the “commercial or private financial gain” part of it means. And the CFAA does not apply, because you are not breaking a password. In order for it to be “unauthorized access”, you have to be using a cracked, stolen, or otherwise illegally obtained password. So you could not be criminally charged in the United States for bypassing geoblocking.

If Article 13 is fully implemented in Europe, VPN trade will boom and there would be a very big change in the Internet. We should not give it a chance and take action before it is too late. Europe does not listen to its people, the EU creates its own laws and implements them against the will of the people. This is no longer a democracy.