[BGP Hijack] AS202734 hijacked multiple Chinese Carriers on May 16-17 – Full evidence and attribution - NANOG - lists.nanog.org
me
21 May 2026, 2:33 p.m.
Dear NANOG community,
I am sharing a fully-attributed BGP hijacking incident that occurred on May 16-17, 2026.
**What happened:**
Between May 16-17, 2026, AS202734 announced 3,948 IPv4 prefixes that it does not legally own, targeting major Chinese carriers and infrastructure, including:
- China Telecom (125.104.0.0/13)
- China Unicom (123.144.0.0/12)
- China Mobile
- China Education and Research Network (CERNET)
- China Postal Bureau (120.72.160.0/24)
- Alibaba Cloud, Tencent Cloud, Huawei Cloud
The same ASN also announced China Telecom's IPv6 backbone (240e::/20).
**Key technical evidence:**
- Attacker's own BIRD config shows manual injection of hijacked routes on May 1 (premeditation).
- Attacker's own Looking Glass shows the hijacked routes were active in his routing table.
- Attacker's GitHub shows he submitted a new ASN (AS402333) on May 16, the day of the hijack.
- Sponsoring org (MoeDove)'s official website shows they operate 36 global PoPs, including nodes in mainland China (Shanghai, Hangzhou, Zhengzhou, Chengdu).
**Who is behind it:**
AS202734 is registered to Junqi Tian (Jacob Tian), a graduate student at McGill University and researcher at Mila - Quebec AI Institute. His RIPE WHOIS address is: 1103-2100 Rue de Bleury, Montreal, Canada.
**The sponsoring org:**
MoeDove LLC (ORG-ML942-RIPE) is the sponsoring organization. Their network engineer responded to my abuse report by calling me an "idiot" and refused to investigate.
**What I have done:**
- Reported to RIPE NCC, Vultr, HE, Cloudflare, Mila, and his academic supervisor.
- Vultr has cut IPv4 peering and is "working with the customer" on IPv6.
- RIPE NCC opened tickets #1042641 and #1043090, but stated they "do not have the scope to act."
**Attached original emails (.eml) for verification:**
- `moedove_abuse_reply_idiot.eml` (MoeDove engineer's response)
- `ripe_carl_guderian_1042641.eml` (RIPE NCC first reply)
- `ripe_carl_guderian_1043090.eml` (RIPE NCC second reply)
**Questions for the community:**
1. Has anyone else observed unusual prefixes from AS202734 / AS402333 / AS44324?
2. What operational steps can the community take to filter bogons from these ASNs?
3. Are there best practices for dealing with a sponsoring LIR that refuses to act?
**Public evidence:**
- HE BGP Toolkit: https://bgp.he.net/AS202734
- RIPE WHOIS: https://apps.db.ripe.net/db-web-ui/query?searchtext=AS202734
Thank you for reading. I welcome any technical scrutiny or advice. Full evidence archive (with PII redacted) is available upon request.
zhong miao
me@haoziwan.xyz
Independent Security Researcher
Attachments:
1043090-Re_RE_1042641-DataContradictionandPolicyViolation_2001_678_1184___48EUvsCA.eml (message/rfc822 — 6.5 KB)
1042641-Re_DataContradictionandPolicyViolation_2001_678_1184___48EUvsCA.eml (message/rfc822 — 5.0 KB)
Re_AbuseReport_AS202734Tianshome.net_JunqiTian-BGPRouteHijackingIRR_ROAInvalidOngoing.eml (message/rfc822 — 5.8 KB)