In the modern world, wars no longer occur only on the battlefield. Today, conflicts also extend into the invisible world of cyberspace. Russia now poses a hidden but very real threat to Europe and Ukraine by using stolen Ukrainian digital resources, specifically IP addresses, to carry out cyberattacks and spread disinformation. These digital “passports” control internet traffic, and Russia is now weaponizing them in the ongoing conflict.
What Are IP Addresses and Why They Matter
Every device connected to the internet has an IP address, a unique set of numbers similar to a home address. This address allows information to reach the correct device, much like a letter being delivered to the right home. IP addresses also show the approximate location of the device, such as the city or country.
In Europe, IP addresses are managed by an organization called RIPE NCC. This non-profit group assigns these addresses to internet service providers, businesses, governments, and other institutions. IP addresses are limited resources, especially older IPv4 addresses. Experts say they now carry real economic value, much like land or mobile network frequencies. One IPv4 IP address can sell for 35 to 50 euros in unofficial markets. Losing even a small number of IP addresses can cost millions.
Europe warns of hybrid warfare threats as drone incursions and cyberattacks raise security concerns
Beyond their financial worth, IP addresses hold strategic importance. Government communications, banking systems, and critical infrastructure rely on them. If the wrong hands control these digital resources, they can manipulate information, intercept communications, or disguise cyberattacks as coming from another country.
How Russia Took Over Ukrainian IP Addresses
When Russia occupied parts of Ukraine in 2014 and again in 2022, several Ukrainian internet service providers lost both property and their IP addresses. As a result, these digital resources were forcibly taken over and re-registered under Russian companies through RIPE NCC. In some cases, operators in occupied regions were reportedly pressured, threatened, or even tortured to hand over login credentials for these networks.
Once in Russian control, these IP addresses allowed the aggressor to carry out cyber operations that appear to originate from Ukrainian or European networks. This “masking” therefore makes it extremely difficult to trace cyberattacks back to their real source. In other words, cyberattacks carried out by Russia could look like they are coming from Ukraine.
German Intelligence Warns of Russian GRU Cyberattacks Targeting NATO and EU
Furthermore, some of the largest blocks of stolen IP addresses are now controlled by Russian-backed enterprises in the occupied territories. These include state-owned communication providers and telecom companies established by occupying authorities. In addition, they provide internet access to residents, collect payments, and use the money to support the occupying administration. They also facilitate propaganda campaigns and illegal elections in the territories under Russia’s control.
Legal and Security Challenges
The organization responsible for managing internet resources in Europe, RIPE NCC, has maintained a strict stance of “neutrality” and claimed that these resources are beyond politics. However, this position has created a loophole that allows stolen digital identifiers to remain in Russian hands. Ukraine has repeatedly raised concerns, providing evidence that the stolen resources are being used by entities under EU sanctions. Despite this, RIPE NCC has refused to freeze them, citing freedom of internet access as their justification.
This inaction has significant consequences. By not enforcing EU sanctions on these resources, RIPE NCC indirectly enables Russia to use them for cyberattacks, disinformation campaigns, and financial gain. The organization’s decisions have turned what should be a technical tool into a strategic instrument in the ongoing hybrid war. Experts warn that controlling these resources is akin to holding a “red button” over a portion of Europe’s digital space.
Ukraine has blocked most Russian digital identifiers within its own networks but has not been able to block the stolen IP addresses. This allows Russia to continue using them for cyber operations, putting not just Ukraine but the entire continent at risk. Beyond national security, the financial stakes are high. Returning the stolen IP addresses would cut off a revenue stream that Russia could otherwise exploit through the sale or use of these resources.
The weaponization of stolen IP addresses is a stark reminder of how modern warfare extends far beyond tanks and missiles. In cyberspace, even a string of numbers can be turned into a tool of power, control, and destruction. As the conflict continues, the battle over IP addresses highlights a hidden dimension of war that affects economies, security, and the flow of information across the globe.