[BGP Hijack] AS202734 hijacked multiple Chinese Carriers on May 16-17 – Full evidence and attribution

[me via NANOG <nanog () lists nanog org>]

Dear NANOG community,

I am sharing a fully-attributed BGP hijacking incident that occurred on May 16-17, 2026.

**What happened:**

Between May 16-17, 2026, AS202734 announced 3,948 IPv4 prefixes that it does not legally own, targeting major Chinese 
carriers and infrastructure, including:
- China Telecom (125.104.0.0/13)
- China Unicom (123.144.0.0/12)
- China Mobile
- China Education and Research Network (CERNET)
- China Postal Bureau (120.72.160.0/24)
- Alibaba Cloud, Tencent Cloud, Huawei Cloud

The same ASN also announced China Telecom's IPv6 backbone (240e::/20). 

**Key technical evidence:**
- Attacker's own BIRD config shows manual injection of hijacked routes on May 1 (premeditation).
- Attacker's own Looking Glass shows the hijacked routes were active in his routing table.
- Attacker's GitHub shows he submitted a new ASN (AS402333) on May 16, the day of the hijack.
- Sponsoring org (MoeDove)'s official website shows they operate 36 global PoPs, including nodes in mainland China 
(Shanghai, Hangzhou, Zhengzhou, Chengdu).

**Who is behind it:**
AS202734 is registered to Junqi Tian (Jacob Tian), a graduate student at McGill University and researcher at Mila - 
Quebec AI Institute. His RIPE WHOIS address is: 1103-2100 Rue de Bleury, Montreal, Canada.

**The sponsoring org:**
MoeDove LLC (ORG-ML942-RIPE) is the sponsoring organization. Their network engineer responded to my abuse report by 
calling me an "idiot" and refused to investigate.

**What I have done:**
- Reported to RIPE NCC, Vultr, HE, Cloudflare, Mila, and his academic supervisor.
- Vultr has cut IPv4 peering and is "working with the customer" on IPv6.
- RIPE NCC opened tickets #1042641 and #1043090, but stated they "do not have the scope to act."

**Attached原始邮件 (.eml) 供验证：**
- `moedove_abuse_reply_idiot.eml` (MoeDove engineer's response)
- `ripe_carl_guderian_1042641.eml` (RIPE NCC first reply)
- `ripe_carl_guderian_1043090.eml` (RIPE NCC second reply)

**Questions for the community:**
1. Has anyone else observed unusual prefixes from AS202734 / AS402333 / AS44324?
2. What operational steps can the community take to filter bogons from these ASNs?
3. Are there best practices for dealing with a sponsoring LIR that refuses to act?

**Public evidence:**
- HE BGP Toolkit: https://bgp.he.net/AS202734
- RIPE WHOIS: https://apps.db.ripe.net/db-web-ui/query?searchtext=AS202734

Thank you for reading. I welcome any technical scrutiny or advice. Full evidence archive (with PII redacted) is 
available upon request.

---
zhong miao
me () haoziwan xyz
Independent Security Researcher
> --- Begin Message ---
>
>
> From: RIPE NCC Support <ncc () ripe net>
>
> Date: Thu, 21 May 2026 13:39:32 +0000
>
> ##- Please type your reply above this line -##
>
> Carl Guderian (RIPE NCC Support)
>
> May 21, 2026, 15:39 GMT+2
>
> Dear Colleague,
>
> Thank you for your update.
>
> 1.  WHOIS shows "EU" for the inet6num 
> 2001:678:1184::/48<https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=2001:678:1184::%2F48&type=inet6num> and 
> "CA" for the organisation 
> ORG-JT121-RIPE<https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=ORG-JT121-RIPE&type=organisation> it's 
> registered with (and "US" for the sponsoring organisation 
> ORG-ML942-RIPE<https://apps.db.ripe.net/db-web-ui/lookup?source=ripe&key=ORG-ML942-RIPE&type=organisation>). RIPE 
> policy requires only a member (or sponsored End User) to have an accurate country code, but does not require this for a 
> resource. There is no inconsistency.
>
> cguderian@cguderian-pro ~ % whois 2001:678:1184::/48 | grep EU
> country:        EU
>
> cguderian@cguderian-pro ~ % whois ORG-JT121-RIPE | grep CA
> country:        CA
> address:        1103-2100 Rue de Bleury, Montreal, QC, H3A0H4, CA
>
> cguderian@cguderian-pro ~ % whois ORG-ML942-RIPE | grep US
> country:        US
>
> 2. As noted before, RIPE members can and do sponsor resources for End Users located outside our service area, as long 
> as the sponsored End User shows an active network element within our service area. Evidence we accept includes--for 
> example--an invoice for rental of a real or virtual server at a European, Middle Eastern, or Central Asian location, 
> when applying for the resource. We may not disclose the specific evidence provided in this instance.
>
> For service purposes, "Europe" includes the UK.
>
> 3. Naturally, we do not consider behaviour such as you have reported to be professional, but RIPE policy, as determined 
> by our members, does not grant us the scope to act on that.
>
> I wish you a pleasant afternoon.
>
> If you have any (further) questions, please do not hesitate to contact us.
>
> Kind regards,
>
> Carl Guderian
> Internet Resource Analyst
> RIPE NCC
>
> abuse
>
> May 20, 2026, 16:26 GMT+2
>
> Dear Carl,
>
> Thank you for your response. However, several key questions remain
> unanswered.
>
> **1. Data Contradiction (EU vs CA)**
> You stated that "country code CA is permissible". But the RIPE WHOIS
> still shows "EU", while RIR Stats shows "CA".
> - Which one is correct?
> - If CA is correct, why does WHOIS still show EU?
> - Will RIPE NCC correct this inconsistency?
>
> **2. Out-of-Region Assignment**
> You stated that the sponsoring member provided evidence of a network
> element in the RIPE NCC service area.
> - Can you disclose what evidence was provided?
> - JIANYUELAB LTD is a UK-registered virtual organization. How does it
> maintain a "network element" in Europe?
>
> **3. Abuse Response**
> You stated that "RIPE policy does not address replies". I understand
> that RIPE does not require a specific response. However:
> - MoeDove LLC, as a sponsoring org, called an abuse reporter an "idiot".
> - Does RIPE NCC consider this acceptable professional conduct from a
> LIR?
> - If not, what action will be taken?
>
> I am not asking for an investigation into every reply. I am asking
> whether RIPE NCC has any expectation of basic professionalism from its
> member organizations.
>
> Please clarify.
>
> abuse () haoziwan xyz<mailto:abuse () haoziwan xyz>
>
> This email is a service from RIPE NCC Support.
> [59DXL0-EWP42]
>
> --- End Message ---
> --- Begin Message ---
>
>
> From: RIPE NCC Support <ncc () ripe net>
>
> Date: Wed, 20 May 2026 14:08:37 +0000
>
> ##- Please type your reply above this line -##
>
> Carl Guderian (RIPE NCC Support)
>
> May 20, 2026, 16:08 GMT+2
>
> Dear Colleagues,
>
> Thank you for reporting this issue to us. RIPE NCC policy on country codes requires an organisation to use the country 
> code consistent wih its legal address, so the country code CA is permissible here.
>
> Sponsoring a resource outside the RIPE NCC service area is allowed as long as the sponsoring member can show evidence 
> of a network element in use within our service area. The sponsor has done this.
>
> Regarding abuse, the RIPE policy requires the abuse contact address noc () tianshome net<mailto:noc () tianshome net> 
> is valid and apparently able to receive abuse reports. Our policy does not address replies or even lack thereof, so we 
> unfortunately cannot investiage any further.
>
> We wish you a fine day.
>
> If you have any (further) questions, please do not hesitate to contact us.
>
> Kind regards,
>
> Carl Guderian
> Internet Resource Analyst
> RIPE NCC
>
> abuse
>
> May 19, 2026, 17:49 GMT+2
>
> Dear RIPE NCC,
>
> I am writing to report a data contradiction and potential policy violation regarding the PI assignment 
> 2001:678:1184::/48.
>
> ISSUE 1 - Data Contradiction:
> - RIPE WHOIS shows country: EU
> - RIR Stats Country (from RIPE NCC) shows CA
> - The registrant's address is Montreal, Canada
>
> Which is correct? If CA is correct, why does WHOIS still show EU?
>
> ISSUE 2 - Out-of-Region Assignment:
> A Canadian resident received a PI assignment from RIPE NCC's European pool (parent 2001:600::/23). What policy permits 
> this?
>
> ISSUE 3 - Subsequent Abuse:
> The same registrant's AS202734 has announced 1,454 RPKI-invalid prefixes, including hijacked China Telecom address 
> space. The sponsoring org MoeDove LLC responded to abuse reports with insults ("idiot") and refusal to cooperate.
>
> I request:
> 1. Clarification of the correct country for this assignment
> 2. The policy basis for this out-of-region PI assignment
> 3. A review of MoeDove LLC's membership compliance
>
> Full evidence (traceroute, HE data, GitHub commits, insult email) is available upon request.
>
> Thank you.
>
> This email is a service from RIPE NCC Support.
> [59D0PY-X0DMP]
>
> --- End Message ---
> --- Begin Message ---
>
>
> From: Rinne Miyano <pigeon () moedove com>
>
> Date: Mon, 18 May 2026 19:28:35 +0000
>
> To idiot haoziwan.xyz<http://haoziwan.xyz>,
>
> I’ve finished reading your ridiculous email, and what I want to know is: how could a prefix with zero public visibility 
> possibly hijack your traffic?
>
> Secondly, according to Section 6.3 of RIPE’s End User Assignment Agreement: “The End User shall be liable for all 
> aspects of the use of the Independent Internet Number Resources assigned to it and all that ensues from its use of the 
> Independent Internet Number Resources.”
>
> We have no obligation to take any action, nor will we cooperate with you in any way.
>
> If you are dissatisfied with my response, contact RIPE NCC or IANA.
>
>
> abuse <abuse () haoziwan xyz<mailto:abuse () haoziwan xyz>> 於 2026年5月18日週一 下午10:24寫道：
> To MoeDove LLC Abuse Team,
>
> This is an abuse report regarding AS202734 (Tianshome.net), which is
> listed under your sponsorship (ORG-ML942-RIPE).
>
> The AS is continuously announcing prefixes it does not legally own,
> including but not limited to China Telecom's 125.104.0.0/13<http://125.104.0.0/13>
> (APNIC-registered enterprise segment).
>
> Hurricane Electric flags this AS as "announces bogons". RIPE IRR shows
> its route announcements as invalid.
>
> The operator's BIRD configurations (including plaintext passwords) are
> publicly exposed on GitHub, and his geofeed lists a router in Shanghai,
> China.
>
> My traffic (originating from within the hijacked prefix) is being routed
> through AS202734. I have submitted abuse reports to RIPE NCC, his
> upstreams (Vultr, HE, Cloudflare), his employer (Mila), and his academic
> supervisor. The hijacking is still ongoing.
>
> As the sponsoring organization for this AS, you have a responsibility to
> ensure its compliance with RIPE policies and BGP best practices.
>
> Please investigate and take appropriate action.
>
> Public evidence:
> - https://bgp.he.net/AS202734
> - https://apps.db.ripe.net/db-web-ui/query?searchtext=AS202734
> - https://github.com/tianshome/bird-configs-output
> -
> https://raw.githubusercontent.com/tianshome/geofeed/refs/heads/master/geofeed.csv
>
> Thank you.
>
> abuse () haoziwan xyz<mailto:abuse () haoziwan xyz>
>
> ________________________________
> WARNING: This email (including its attachments) may contain confidential information protected by confidentiality 
> agreements or other rights, and is intended only for the designated recipient or individuals who need to know it for 
> the stated purpose. The recipient is prohibited from disclosing this information to unauthorized parties without prior 
> permission from MoeDove LLC. If you have received this email in error, please notify the sender immediately and delete 
> this email and its attachments from your system. Any use, dissemination, transmission, or copying of this email by 
> someone other than the intended recipient is prohibited and may be unlawful.
>
> --- End Message ---
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/MI6VWOX7XOCDIS244RLJSMS2ITZWTGED/