Dear Zhong,

After analyzing the routing data and verifying the incident with AS202734’s NOC, this was not a DFZ-wide BGP hijack. The invalid announcements were visible only on bgp.he.net due to a route collector filtering issue and were not propagated to the public Internet, with no evidence of upstream acceptance or actual traffic attraction.

A route appearing on a single collector is not sufficient evidence of Internet-wide propagation, and incidents like this should be verified across multiple independent sources, such as bgp.tools and unrelated networks’ looking glasses, before public attribution is made. Given current operational practice, widespread IRR filtering and increasing RPKI enforcement also make propagation of obviously invalid announcements significantly less likely.

Additionally, the MoeDove LLC email you reposted explicitly included a confidentiality notice prohibiting unauthorized redistribution. Republishing private correspondence without consent may itself be improper or unlawful.

Routing mistakes and invalid announcements should absolutely be discussed and corrected, but escalating unverified claims simultaneously to RIPE NCC, upstreams, employers, academic supervisors, and public operational mailing lists like NANOG without sufficient evidence of real-world impact is not constructive and unnecessarily consumes community and operational resources.

Regards,
Yanzheng

On May 21, 2026, at 10:33 PM, me via NANOG <nanog@lists.nanog.org> wrote:
Dear NANOG community,
I am sharing a fully-attributed BGP hijacking incident that occurred on May 16-17, 2026.
**What happened:**
Between May 16-17, 2026, AS202734 announced 3,948 IPv4 prefixes that it does not legally own, targeting major Chinese carriers and infrastructure, including:
- China Telecom (125.104.0.0/13)
- China Unicom (123.144.0.0/12)
- China Mobile
- China Education and Research Network (CERNET)
- China Postal Bureau (120.72.160.0/24)
- Alibaba Cloud, Tencent Cloud, Huawei Cloud
The same ASN also announced China Telecom's IPv6 backbone (240e::/20).
**Key technical evidence:**
- Attacker's own BIRD config shows manual injection of hijacked routes on May 1 (premeditation).
- Attacker's own Looking Glass shows the hijacked routes were active in his routing table.
- Attacker's GitHub shows he submitted a new ASN (AS402333) on May 16, the day of the hijack.
- Sponsoring org (MoeDove)'s official website shows they operate 36 global PoPs, including nodes in mainland China (Shanghai, Hangzhou, Zhengzhou, Chengdu).
**Who is behind it:** AS202734 is registered to Junqi Tian (Jacob Tian), a graduate student at McGill University and researcher at Mila - Quebec AI Institute. His RIPE WHOIS address is: 1103-2100 Rue de Bleury, Montreal, Canada.
**The sponsoring org:** MoeDove LLC (ORG-ML942-RIPE) is the sponsoring organization. Their network engineer responded to my abuse report by calling me an "idiot" and refused to investigate.
**What I have done:**
- Reported to RIPE NCC, Vultr, HE, Cloudflare, Mila, and his academic supervisor.
- Vultr has cut IPv4 peering and is "working with the customer" on IPv6.
- RIPE NCC opened tickets #1042641 and #1043090, but stated they "do not have the scope to act."
**Attached original emails (.eml) for verification:**
- `moedove_abuse_reply_idiot.eml` (MoeDove engineer's response)
- `ripe_carl_guderian_1042641.eml` (RIPE NCC first reply)
- `ripe_carl_guderian_1043090.eml` (RIPE NCC second reply)
**Questions for the community:**
1. Has anyone else observed unusual prefixes from AS202734 / AS402333 / AS44324?
2. What operational steps can the community take to filter bogons from these ASNs?
3. Are there best practices for dealing with a sponsoring LIR that refuses to act?
**Public evidence:**
- HE BGP Toolkit: https://bgp.he.net/AS202734
- RIPE WHOIS: https://apps.db.ripe.net/db-web-ui/query?searchtext=AS202734
Thank you for reading. I welcome any technical scrutiny or advice. Full evidence archive (with PII redacted) is available upon request.
---
zhong miao
me@haoziwan.xyz
Independent Security Researcher