
Part 2: The NEKOBYTE Proxy Farm Tripled — 1,004 AiTM Servers, a Crimean Occupation IT Operative, and New Targets Including kernel.org and Zoom

Six weeks after our initial report documented 300+ MITM proxies, we rescanned. AS206134 alone now hosts 1,004. The operator built Crimea's IT infrastructure for Russia.

Published April 21, 2026

In March 2026, we published our initial investigation into NEKOBYTE INTERNATIONAL LIMITED — a bulletproof hosting operation running 300+ MITM proxy servers serving stolen TLS certificates for Apple, Google, GitHub, Microsoft, and dozens more, backed by 22 autonomous systems, 13+ UK shell companies directed by teenage Russian nominees, a Russian Government "Trusted Sub CA" certificate, and VK-issued internal CA certs with 30-year validity.

Six weeks later, a community tip brought us back to the same infrastructure. We rescanned. The operation has tripled. A single ASN — AS206134 — now hosts 1,004 confirmed AiTM proxy servers, up from approximately 300 across the entire network in March. New targets include Zoom, Twitch, kernel.org, MEGA, IMDB, and the German domain registry DENIC — while previously identified targets like GitHub, Microsoft, and Apple have seen massive proxy count increases. And we found a new attribution lead connecting the operation to a Crimean IT operative who built infrastructure for the Russian occupation government.

Across 34 subnets announced by a 3-month-old bulletproof ASN, we found 1,004 transparent AiTM proxy servers impersonating 40+ services including GitHub (128 proxies), Microsoft (142), Apple (98), VK, Yandex, Yahoo, Amazon, Oracle, Tesla, Intel, Samsung, Reddit, Zoom, WhatsApp, Wikipedia, and the Linux kernel source distribution infrastructure. Each proxy serves the target's real, CA-signed TLS certificate and relays traffic transparently — making interception invisible to the victim.

The ASN is AS206134 (NEKO-AS), operated by NEKOBYTE INTERNATIONAL LIMITED — a UK shell company registered at a known formation agent address. The director is Sergei Satsukevich — a 20-year-old Russian national (born April 2005), consistent with the teenage nominee director pattern documented in our initial report. The operating entity is IT-Garage LLC, registered in Sevastopol, Crimea at the same address as Alvion Europe — a company run by Igor Tsimbal, who built Crimea's IT infrastructure for the Russian occupation government and served as IT advisor to the self-proclaimed head of Sevastopol. Tsimbal appears in Ukraine's Myrotvorets database of individuals deemed threats to national security.

One proxy server was found serving a certificate issued by a private "VK interm CA", a Russian deep packet inspection CA with a validity period running from 2022 to 2052. This is not a commercial hosting operation.


How We Found It

The trail started with a community tip. @Fact_Finder03 flagged an open Auraboros C2 panel at 174.138.43[.]25. Separately, @malwrhunterteam flagged 2.26.116[.]156 as threat infrastructure on the same day. We investigated the second address and found it hosted on AS206134 (NEKO-AS / NEKOBYTE INTERNATIONAL LIMITED).

While probing other IPs on the same ASN, we discovered that 147.45.210[.]100 was serving a valid TLS certificate for github.com — issued by Sectigo, with the same serial number as the real certificate. Shodan had indexed the IP with hostnames github.com, www.github.com, and vm23588.it-garage.network.

We checked the .100 address on every other prefix the ASN announces. More proxies appeared. We then scanned every IP across all 34 announced subnets — approximately 8,700 addresses. The results were staggering.


The Proxy Mechanism

Each proxy performs TLS passthrough with SNI-based routing using a Traefik reverse proxy stack (confirmed via Traefik's default certificate leaking on port 8443). Because the certificate is relayed rather than issued, the proxy needs no key material for the target: it forwards the client's handshake to the real server, hands the real CA-signed certificate back to the client, and shuttles the encrypted bytes in both directions.

We verified this by comparing certificate serial numbers:

GitHub proxy at 2.26.16[.]79:

Field    | Proxy                                           | Real github.com
---------+-------------------------------------------------+------------------------------------------------
Serial   | 1DC289C1EADAFB04E9D1CF53D5D72253                | 1DC289C1EADAFB04E9D1CF53D5D72253
Issuer   | Sectigo Public Server Authentication CA DV E36  | Sectigo Public Server Authentication CA DV E36
Subject  | CN=github.com                                   | CN=github.com

Identical. The proxy relays the TLS handshake to the real server, which returns its genuine certificate. The proxy forwards this to the client. Certificate validation passes. Certificate pinning passes. The victim sees no warning.

The proxies are SNI-aware. The GitHub proxy at 147.45.210[.]100 returned different certificates based on Server Name Indication:

SNI                        | Certificate served
---------------------------+---------------------------------------
github.com                 | CN=github.com (Sectigo)
api.github.com             | CN=*.github.com (Sectigo)
raw.githubusercontent.com  | CN=*.githubusercontent.com (DigiCert)

Content comparison confirms transparent relay:

Page                 | Proxy size  | Real size   | Difference
---------------------+-------------+-------------+-----------
github.com homepage  | 564,455 B   | 564,452 B   | 3 bytes
github.com/login     | 45,027 B    | 45,028 B    | 1 byte

The proxy passes through all response headers, including session cookies (_gh_sess, _octo), request IDs and the full Content Security Policy, exactly as the origin sends them. Note what our test client could and could not see: we read those headers because we held the TLS session end-to-end with GitHub; the relay in the middle saw only the SNI in our ClientHello and the encrypted records. A victim steered through one of these hosts is therefore exposed to traffic analysis (which service, when, how much) and to the relay dropping, throttling or redirecting the connection. Capturing credentials or session tokens in transit additionally requires the relay to terminate TLS with a certificate the victim's client accepts; the identical-serial evidence shows these nodes do not do that for the public-CA targets, while the private "VK interm CA" and Russian government sub-CA certificates found on the same infrastructure are precisely the material that would enable termination for clients provisioned to trust them.
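To make the comparison in the tables above repeatable, here is an added example (ours, not the investigators' published scripts) that fetches the leaf certificate a suspect IP serves for a given SNI, fetches the real host's leaf, and classifies the pair. The live fetch uses only the Python standard library; the SAMPLE_* dicts are constructed to mirror ssl.getpeercert() output and reuse the github.com serial from the table, and the serial in the 'own-key' sample is invented.

```python
"""Passthrough check: does a suspect IP relay the target's genuine leaf
certificate, or present something else? Added example for this report; the
live fetch uses only the Python standard library. SAMPLE_* dicts below are
constructed to mirror ssl.getpeercert() output (not captured data)."""
import socket
import ssl
import sys


def fetch_leaf_cert(host, sni, port=443, timeout=5.0):
    """TLS to host:port with `sni` in the ClientHello. Chain validation stays
    on (a passthrough relay hands us a chain the system store trusts); the
    hostname check is off because we connect to a bare IP on purpose.
    Returns getpeercert()'s dict, or {'error': ...} when no trusted session
    could be built, which is exactly the case worth a second look (a private
    CA such as the "VK interm CA" issuer would land here)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"error": f"chain not trusted: {exc.verify_message}"}
    except (OSError, ssl.SSLError) as exc:
        return {"error": f"connect/handshake failed: {exc}"}


def _rdn(name, attr):
    """Pull one attribute out of getpeercert()'s ((('commonName','x'),),...) nesting."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def summarize(cert):
    """Reduce a getpeercert() dict to the fields the report compares."""
    if "error" in cert:
        return {"serial": None, "issuer": None, "subject": None, "error": cert["error"]}
    return {"serial": cert.get("serialNumber", "").upper(),
            "issuer": _rdn(cert.get("issuer", ()), "commonName"),
            "subject": _rdn(cert.get("subject", ()), "commonName"),
            "error": None}


def classify(suspect_cert, real_cert):
    """Compare the leaf a suspect IP serves against the real host's leaf.
    passthrough  same serial and issuer: the IP relays the origin's handshake,
                 so it holds no key for the name and sees only ciphertext
    terminating  a different but still-trusted cert for the name: the IP has a
                 key and can read plaintext
    untrusted    chain does not validate (private/enterprise CA): plaintext is
                 readable only for clients provisioned to trust that CA
    unreachable  no TLS session at all"""
    s, r = summarize(suspect_cert), summarize(real_cert)
    if s["error"]:
        verdict = "untrusted" if s["error"].startswith("chain not trusted") else "unreachable"
    elif r["error"]:
        verdict = "reference-unavailable"
    elif s["serial"] == r["serial"] and s["issuer"] == r["issuer"]:
        verdict = "passthrough"
    else:
        verdict = "terminating"
    return {"verdict": verdict, "suspect": s, "real": r}


def sni_sweep(ip, snis):
    """Probe one IP with several SNIs to expose SNI-based routing."""
    return {sni: classify(fetch_leaf_cert(ip, sni), fetch_leaf_cert(sni, sni)) for sni in snis}


# Constructed samples shaped like getpeercert() output. The serial is the
# github.com value from the table above; the 'own-key' serial is invented.
GITHUB_SERIAL = "1DC289C1EADAFB04E9D1CF53D5D72253"
SECTIGO = ((("commonName", "Sectigo Public Server Authentication CA DV E36"),),)
SAMPLE_REAL = {"serialNumber": GITHUB_SERIAL, "issuer": SECTIGO,
               "subject": ((("commonName", "github.com"),),)}
SAMPLE_RELAY = dict(SAMPLE_REAL)
SAMPLE_OWN_KEY = {"serialNumber": "0A0B0C0D0E0F10111213141516171819", "issuer": SECTIGO,
                  "subject": ((("commonName", "github.com"),),)}
SAMPLE_PRIVATE_CA = {"error": "chain not trusted: unable to get local issuer certificate"}

if __name__ == "__main__":
    for label, sample in (("relay", SAMPLE_RELAY), ("own-key", SAMPLE_OWN_KEY),
                          ("private-CA", SAMPLE_PRIVATE_CA)):
        print(f"{label:10s} -> {classify(sample, SAMPLE_REAL)['verdict']}")
    if len(sys.argv) > 2:  # live: python3 check.py <ip> github.com api.github.com
        for sni, res in sni_sweep(sys.argv[1], sys.argv[2:]).items():
            print(sni, res["verdict"], res["suspect"]["subject"], res["suspect"]["issuer"])
```

The verdicts carry the operational distinction the section is about: a 'passthrough' node cannot read the plaintext it relays, whereas 'terminating' and 'untrusted' nodes can, the latter only for clients that trust the private CA. Keeping CERT_REQUIRED while disabling the hostname check is deliberate; it is the only way to tell a relayed public chain apart from a private-CA chain with one connection.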


Verification: Every Proxy Is Fraudulent

We verified a representative sample of 25 proxies across all major target categories:

  • 22 of 25 relay the exact same certificate (identical serial number) as the real service — confirmed TLS passthrough
  • 17 of 25 returned byte-identical content to the real service
  • 0 of 25 appear in any legitimate provider's published IP ranges (checked against GitHub's /meta API, Microsoft Azure service tags, Apple CDN, Akamai, Cloudflare, and Fastly edge networks)
  • All 25 resolve via WHOIS to NEKOBYTE INTERNATIONAL LIMITED / it-garage
  • TLS handshakes were 1.3–2.3x slower through proxies versus direct connections, consistent with an additional relay hop

There is no legitimate business reason for a hosting provider to serve other companies' TLS certificates. These are not CDN nodes, authorized mirrors, or sanctioned proxies. They are transparent interception infrastructure.


The Full Target List

We scanned every IP across all 34 subnets announced by AS206134. Of 1,616 IPs serving TLS certificates, 1,004 were confirmed impersonating major services.

Western Technology Targets

Target          | Cert subject                                                                          | Proxies
----------------+---------------------------------------------------------------------------------------+--------
Microsoft       | www.microsoft.com, learn.microsoft.com, azure.microsoft.com                           | 142
GitHub          | github.com                                                                            | 128
Apple           | www.apple.com, www.icloud.com, itunes.apple.com, images.apple.com, swdist.apple.com   | 98
Cloudflare      | www.cloudflare.com, cloudflare-dns.com, cdnjs.cloudflare.com                          | 47
Yahoo           | yahoo.com, *.www.yahoo.com                                                            | 37
AMD             | amd.com                                                                               | 27
Oracle          | www-cs-02.oracle.com (80+ subdomains incl. container-registry)                        | 18
Tesla           | *.tesla.com                                                                           | 16
Samsung         | www.samsung.com (50+ subdomains incl. semiconductor)                                  | 15
Amazon          | www.amazon.com, *.peg.a2z.com                                                         | 13
Intel           | *.intel.com                                                                           | 13
Azure Edge CDN  | *.azureedge.net                                                                       | 9
Twitch          | twitch.tv                                                                             | 8
Lenovo          | *.lenovo.com                                                                          | 3
Steam           | steamcommunity.com                                                                    | 3
Otto.de         | www.otto.de (German e-commerce)                                                       | 2
Reddit          | *.reddit.com                                                                          | 1
Zoom            | *.zoom.us                                                                             | 1
WhatsApp        | *.whatsapp.net (on port 7777)                                                         | 1
Wikipedia       | *.wikipedia.org                                                                       | 1
MEGA            | *.static.mega.co.nz                                                                   | 1
DENIC           | denic.de (German domain registry)                                                     | 1
kernel.org      | fra.source.kernel.org                                                                 | 1
ZDF             | www.zdf.de (German public TV)                                                         | 1
IMDB            | us.dd.imdb.com                                                                        | 1
Pinterest       | *.pinterest.com                                                                       | 1

Russian Service Targets

Target       | Cert subject                                                              | Proxies | Type
-------------+---------------------------------------------------------------------------+---------+----------------------
VK           | *.vk.com, *.mail.ru, *.max.ru, *.userapi.com, *.okcdn.ru, *.dzen.ru       | 76+     | Social + email
Yandex       | *.yandex.tr, scale.yandex.ru, api-maps.yandex.ru, *.mirror.yandex.ru      | 75+     | Search + maps + cloud
Ozon         | *.ozon.ru                                                                 | 22      | E-commerce
1C           | *.1c.ru                                                                   | 17      | Enterprise ERP
Petrovich    | *.petrovich.ru                                                            | 8       | Retail
Wildberries  | wb.ru, wildberries.global                                                 | 5       | E-commerce
Habr         | *.habr.com                                                                | 3       | Developer community
DNS Shop     | *.dns-shop.ru                                                             | 2       | Electronics retail
CDEK         | cdek-llc.store                                                            | 2       | Logistics
Avito        | *.avito.ru                                                                | 1       | Classifieds
MegaMarket   | *.megamarket.ru                                                           | 1       | Marketplace
Bitrix24     | *.bitrix24.ru                                                             | 1       | CRM
Drom.ru      | drom.ru                                                                   | 1       | Auto marketplace
MK.ru        | *.mk.ru                                                                   | 1       | News

Infrastructure Targets

Target          | Cert subject                       | Proxies | Risk
----------------+------------------------------------+---------+-------------------------------
Fastly CDN      | n.sni-347-default.ssl.fastly.net   | 29      | CDN interception
Cloudflare DNS  | cloudflare-dns.com                 | 1       | DNS query interception
Akamai CDN      | a248.e.akamai.net                  | 1       | CDN interception
jsDelivr        | *.jsdelivr.net                     | 1       | JavaScript CDN / supply chain
Vercel          | no-sni.vercel-infra.com            | 1       | Hosting platform

Infrastructure: NEKOBYTE / IT-Garage

Field            | Value
-----------------+--------------------------------------------------------------------------------------------------------------------------------
ASN              | AS206134 (NEKO-AS)
Created          | 2026-01-20 (3 months old)
Organization     | NEKOBYTE INTERNATIONAL LIMITED
Operating brand  | IT-Garage (it-garage[.]pro)
Total IPv4       | ~8,700 addresses (34 subnets)
Upstream         | AS49418 (NETSHIELD LTD) via aurologic GmbH (AS30823), Frankfurt (documented by Recorded Future as a top-10 malicious hosting enabler)
Proxy stack      | Traefik (confirmed via default cert leak)
Geofeed          | Frankfurt (20), Helsinki (7), Moscow (5)

The actual network engineering is performed by Dan Fedoseev (dan.fedoseev.20@gmail[.]com), who controls the DGTLS-MNT and MNT-DGTL RIPE maintainer objects (250+ objects combined), as documented in our March report. Fedoseev never appears as a director of any UK company, remaining behind the RIPE infrastructure layer while nominee directors absorb legal liability.

Second ASN

AS207416 (NEKO-ORG-AS), created June 4, 2025, is registered to both "NekoByte Limited" and "WINTELECOM LLC" (Ukraine). This ASN has been reported for announcing bogon routes (reserved or unallocated address space). Such announcements only propagate where upstream route filtering is lax or absent, which is the same condition that lets a prefix hijack succeed.

IT-Garage Service

IT-Garage (it-garage[.]pro) is a Russian-language VPS hosting service:

  • Accepts Russian SBP payments and Russian bank cards
  • AMD Ryzen 9 5950x and Intel Xeon servers
  • Trustpilot: 3.1/5 with 67% negative reviews
  • Customer complaints include being blocked on Telegram after raising issues

Attribution: From Sevastopol to London

IT-Garage LLC — The Russian Entity

Field                  | Value
-----------------------+-------------------------------------------------
Full name              | OOO "IT-GARAZH" (IT-Garage LLC)
Address                | 299053 Sevastopol, ul. Rudneva, zd. 41, of. n-25
Tax ID                 | 9200013941 (Crimea/Sevastopol registration)
Registered             | November 22, 2022
General manager        | Tretiakova Mariia Vladimirovna (since August 2023)
Assets                 | 167 million RUB (~$1.8M USD)
Revenue                | 667,000 RUB (with 1.6M RUB loss)
OKVED classification   | 64.99 ("Other financial service activities")

The classification is notable. IT-Garage is not registered as a hosting or telecommunications company but under financial services, OKVED 64.99: an entity with 167 million rubles in assets and only 667,000 rubles in revenue, classified as a financial services firm, operating a 1,004-proxy AiTM farm.


The Alvion Connection: IT Advisor to the Occupation

IT-Garage LLC is registered at ul. Rudneva, zd. 41, of. n-25, Sevastopol. This is the same address as Alvion Europe — a company whose history connects directly to the Russian annexation of Crimea.

Igor Tsimbal

Field           | Value
----------------+-----------------------------------------------------------------------------------------
Role            | CEO of Alvion Europe
Location        | Sevastopol, Crimea
Previous        | Head of SoftServe's Sevastopol office
Political role  | IT advisor to Alexei Chaly, self-proclaimed head of Sevastopol during the 2014 Russian annexation
Crimea role     | Built the IT cluster in Crimea under Russian occupation (2017)
Myrotvorets     | Listed in Ukraine's database of national security threats (2018)
Contact         | i***@alvioneurope.ru

The timeline:

  1. 2008: SoftServe acquires Alvion for business intelligence services
  2. February 2014: Russia annexes Crimea
  3. April 2014: SoftServe officially closes its Sevastopol office
  4. May 14, 2014: Alvion Europe registered under Russian law in Sevastopol, within three months of the annexation and weeks after SoftServe closed its office there. Alvion becomes the legal successor to SoftServe's Crimean operations.
  5. 2017: Igor Tsimbal builds IT infrastructure for Russian-occupied Crimea, advises occupation leadership
  6. 2018: Tsimbal added to Ukraine's Myrotvorets database
  7. November 2022: IT-Garage LLC registered at same Sevastopol address as Alvion Europe
  8. May 2025: ALVION SERVICES LTD registered in UK
  9. June 2025: NEKOBYTE LIMITED registered in UK; AS207416 created
  10. August 2025: ALVION LIMITED registered in UK
  11. December 2025: NEKOBYTE INTERNATIONAL LIMITED registered in UK
  12. January 2026: AS206134 created
  13. March–April 2026: 1,004 AiTM proxies deployed across 34 subnets

Alvion and NEKOBYTE companies were registered in the UK in the same period by the same operation. A Crimean IT operative who serves the Russian occupation government is building Western corporate shells to front an industrial-scale AiTM proxy farm.


The Russian DPI Certificate

During verification, one proxy was found serving a certificate whose issuer is "VK interm CA", a Russian deep packet inspection intermediate valid from 2022 to 2052 (30-year validity). This is not a standard web certificate: no publicly trusted CA chains to it, so it only "works" for clients that have been provisioned to trust that private CA, which is the model interception appliances rely on. It is the type of certificate used by Russian SORM (System for Operative Investigative Activities) infrastructure to perform lawful interception of encrypted traffic.

SORM is Russia's state-mandated surveillance system. All Russian ISPs are required to install SORM equipment that gives the FSB direct access to communications without presenting a warrant to the operator. The presence of a DPI certificate on this infrastructure directly links it to Russian state surveillance capabilities.


Corporate Shell Structure

SEVASTOPOL, CRIMEA
  |
  +-- IT-Garage LLC (OOO IT-GARAZH)
  |    Tax ID: 9200013941
  |    Address: ul. Rudneva 41
  |    GM: Tretiakova M.V.
  |    OKVED: 64.99 (Financial Services)
  |    Assets: 167M RUB
  |
  +-- Alvion Europe (same address)
       CEO: Igor Tsimbal
       IT advisor to occupation government
       |
       v
LONDON, UK (Formation Agent Addresses)
  |
  +-- NEKOBYTE LIMITED (16487892)
  |    27 Old Gloucester Street, WC1N 3AX
  |    Incorporated: June 2, 2025
  |
  +-- NEKOBYTE INTERNATIONAL LIMITED (16913243)
  |    128 City Road, EC1V 2NX
  |    Director: Sergei Satsukevich (Russian, born Apr 2005, age 20)
  |    Incorporated: December 16, 2025
  |
  +-- ALVION LIMITED
  |    2 Duchess Crescent, Stanmore
  |    Incorporated: August 15, 2025
  |
  +-- ALVION SERVICES LTD
  |    78 Brown Lane, Heald Green
  |    Incorporated: May 6, 2025
  |
  +-- NETSHIELD LTD (LIR / Sponsoring Org)
       71-75 Shelton Street, WC2H 9JQ
       Phone: +79029519859 (Russian mobile)
       |
       v
RIPE / BGP
  |
  +-- AS206134 (NEKO-AS) — 34 subnets, 1,004 AiTM proxies
  +-- AS207416 (NEKO-ORG-AS) — bogon announcements

Internal Infrastructure Leaks

Artifact                 | Source                             | Significance
-------------------------+------------------------------------+------------------------------------------------------------------------------
PROXYKB.bentonite.local  | Certificate CN on 178.236.249.100  | Internal proxy software name + Active Directory domain
C=RU                     | Same certificate                   | Self-asserted country field; consistent with a Russian operator
mail.bentonit.ru         | Kerio Connect on same IP           | Operator email server (IMAP + LDAP exposed)
bentonit.ru              | WHOIS                              | OOO "Kompaniya Bentonit" (taxpayer 7710644764): Russian bentonite mining company
vpn.Asamantde1.local     | Certificate on 195.62.48 range     | Second internal domain leak
+79029519859             | NETSHIELD LTD RIPE record          | Russian Tele2 mobile number on the LIR

Threat Assessment

Continuity With March Findings

Our March report documented additional indicators not repeated here in full: a Russian Government "Trusted Sub CA" certificate for TBank (definitively state-linked), VK internal CA certificates with 30-year validity, Google Analytics interception on 230+ hosts (mass passive surveillance), an HAProxy WhatsApp interception proxy with 62,254+ logged connections, and documented links to the Russian state-linked Doppelganger disinformation campaign via Intrinsec and Qurium reporting. All of these findings remain relevant context for the expanded infrastructure documented below.

Why This Is Likely State-Linked Infrastructure

  1. Dual Russian domestic + Western targeting: The simultaneous impersonation of Russian consumer services (VK, Yandex, Ozon, Wildberries, 1C) alongside Western tech platforms (GitHub, Microsoft, Apple) is operationally consistent with the FSB's mandate, which uniquely covers both domestic security and foreign counterintelligence. Neither the GRU nor the SVR targets domestic Russian services, and commercial operators do not optimize for both markets simultaneously.

  2. Consistent with documented FSB operations: In July 2025, Microsoft documented Secret Blizzard — an FSB-linked actor using ISP-level AiTM positions to intercept traffic from foreign embassies in Moscow. The NEKOBYTE infrastructure follows the same operational pattern at larger scale.

  3. Russian DPI certificate: The presence of a "VK interm CA" deep packet inspection certificate (2022–2052) directly links this infrastructure to Russia's SORM lawful intercept system.

  4. Scale exceeds commercial AiTM: 1,004 proxies across 34 subnets far exceeds any documented commercial phishing-as-a-service operation. The largest commercial AiTM platforms (Tycoon2FA, Evilginx ecosystem) typically operate 100–200 IPs.

  5. Financial classification: IT-Garage LLC is registered under OKVED 64.99 (financial services), not telecommunications or hosting. Its 167M RUB in assets with minimal revenue suggests the entity exists to hold infrastructure, not generate commercial hosting income.

  6. Operator profile: Igor Tsimbal built IT infrastructure for the Russian occupation government in Crimea and served as IT advisor to the occupation's leadership. This is not a commercial hosting entrepreneur.

  7. Supply chain targets: Proxies impersonating kernel.org (Linux kernel source), jsDelivr (JavaScript CDN), container-registry.oracle.com, and GitHub suggest preparation for supply chain attacks — a state-level objective with no commercial motive.

What We Cannot Confirm

  • Direct FSB tasking or formal government contracts
  • Whether Igor Tsimbal personally manages the proxy infrastructure or delegates through Tretiakova M.V.
  • Whether the infrastructure is actively intercepting traffic or staged for future operations
  • The relationship between the NEKOBYTE UK shells and the Sevastopol entities (possibly nominee directors)

What This Report Adds

  1. 1,004 AiTM proxy servers mapped across a single ASN — the largest publicly documented transparent proxy farm we are aware of.

  2. The proxy mechanism is verified through certificate chain validation, content comparison, latency analysis, and confirmation that zero proxy IPs appear in any target's authorized IP ranges.

  3. Attribution to a named Crimean IT operative who built infrastructure for the Russian occupation government and is listed in Ukraine's national security database.

  4. The corporate shell structure linking Sevastopol entities to UK companies registered at known formation agent addresses in 2025, with a Russian mobile number on the LIR.

  5. A Russian DPI certificate on the infrastructure directly connecting it to state surveillance capabilities.

  6. The complete target inventory spanning Western tech giants, the Russian consumer internet, and critical infrastructure (kernel.org, DENIC, Cloudflare DNS).

Credit to @Fact_Finder03 for the initial C2 tip, @malwrhunterteam for flagging the infrastructure, and @4_n_0_n_1_3_3_7 for port enumeration.


IOC Table

ASN / Network

Type      | Indicator                        | Context
----------+----------------------------------+------------------------------------------------
ASN       | AS206134 (NEKO-AS)               | Primary proxy farm
ASN       | AS207416 (NEKO-ORG-AS)           | Secondary ASN, bogon announcements
Org       | NEKOBYTE INTERNATIONAL LIMITED   | UK shell (Company 16913243)
Org       | NEKOBYTE LIMITED                 | UK shell (Company 16487892)
Org       | IT-Garage LLC                    | Operating entity (Sevastopol, TIN 9200013941)
Person    | Sergei Satsukevich               | Director, NEKOBYTE INTERNATIONAL LIMITED
Person    | Igor Tsimbal                     | CEO, Alvion Europe (Sevastopol)
Person    | Tretiakova Mariia Vladimirovna   | GM, IT-Garage LLC
Phone     | +79029519859                     | Russian mobile on NETSHIELD LTD (LIR)
Email     | abuse@it-garage[.]pro            | Abuse contact
Domain    | it-garage[.]pro                  | Hosting service
Domain    | it-garage[.]network              | VM hostname domain
Domain    | bentonit[.]ru                    | Operator mail server host
Domain    | mcgtechlab[.]ru                  | On 147.45.210[.]1
Internal  | PROXYKB.bentonite.local          | Proxy software name + AD domain
Internal  | vpn.Asamantde1.local             | Second internal domain leak

Proxy Subnets (Block Entire Ranges)

Prefix               | Geofeed location | Key targets
---------------------+------------------+-----------------------------------------------
147.45.210[.]0/24    | Frankfurt        | GitHub (6), Microsoft (12), Apple, VK, Yandex
195.62.48[.]0/23     | Frankfurt        | Twitch, Microsoft, Yahoo, Samsung, WhatsApp
212.113.98[.]0/24    | Moscow           | GitHub (3), Lenovo, VK, Yandex, Amazon
2.26.16[.]0/24       | Frankfurt        | Microsoft (11), GitHub, Tesla, AMD, Oracle
2.26.17[.]0/24       | Frankfurt        | Microsoft, GitHub, Apple, VK, Yandex
2.26.28[.]0/24       | Helsinki         | Apple, Microsoft, GitHub
2.26.29[.]0/24       | Frankfurt        | Additional proxies
2.26.30[.]0/24       | Frankfurt        | Additional proxies
2.26.116[.]0/24      | Helsinki         | C2 listener, Nextcloud
2.26.117[.]0/24      | Frankfurt        | Additional proxies
2.26.119[.]0/24      | Moscow           | Additional proxies
2.27.16[.]0/24       | Frankfurt        | GitHub (5), Microsoft, Yahoo, Tesla, VK
2.27.17[.]0/24       | Frankfurt        | Additional proxies
2.27.120-123[.]0/24  | Mixed            | Additional proxies
64.188.115[.]0/24    | Frankfurt        | Additional proxies
77.91.79[.]0/24      | Frankfurt        | Known malware hosting range
77.239.127[.]0/24    | Frankfurt        | Additional proxies
138.124.240[.]0/23   | Mixed            | Additional proxies
144.31.x[.]0/24      | Mixed            | Multiple ranges
178.236.240[.]0/24   | Moscow           | Internal infrastructure
178.236.243[.]0/24   | Frankfurt        | Additional proxies
178.236.249[.]0/24   |                  | PROXYKB cert leak, Kerio Connect mail
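The "Block Entire Ranges" instruction above and the authorised-range check in the Verification section are both range-membership tests. The following added example (ours, not the report's tooling) parses the subnet table as printed, including its two shorthand forms, tests addresses against it, and runs the same check against a provider's published ranges. The GitHub CIDRs in the sample are constructed placeholders; fetch_github_meta() pulls the real list from https://api.github.com/meta, and expanding "144.31.x" to its covering /16 is our assumption, flagged as coarse in the output.

```python
"""Range-membership checks for the report's IOCs. Added example, not the
investigators' tooling. REPORT_PREFIXES is copied from the subnet table as
printed (defanged); SAMPLE_GITHUB_CIDRS is a constructed placeholder for the
list fetch_github_meta() would return live."""
import ipaddress
import json
import re
import urllib.request

# Two shorthand forms appear in the table: "2.27.120-123[.]0/24" (a run of
# consecutive /24s) and "144.31.x[.]0/24" (third octet unspecified).
_RUN = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\[\.\](\d+)/(\d+)$")
_WILD = re.compile(r"^(\d+)\.(\d+)\.x\[\.\](\d+)/(\d+)$")


def parse_prefix(entry):
    """Expand one table entry into a list of (network, coarse) pairs.
    coarse=True marks a wildcard entry expanded to its covering /16; that
    expansion over-blocks and is this example's assumption, not the report's."""
    m = _RUN.match(entry)
    if m:
        a, b, lo, hi, last, plen = m.groups()
        return [(ipaddress.ip_network(f"{a}.{b}.{o}.{last}/{plen}"), False)
                for o in range(int(lo), int(hi) + 1)]
    m = _WILD.match(entry)
    if m:
        a, b, _, _ = m.groups()
        return [(ipaddress.ip_network(f"{a}.{b}.0.0/16"), True)]
    return [(ipaddress.ip_network(entry.replace("[.]", "."), strict=False), False)]


def build_blocklist(entries):
    return [pair for entry in entries for pair in parse_prefix(entry)]


def matching_prefix(ip, nets):
    """Return the (network, coarse) pair containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, coarse in nets:
        if addr in net:
            return net, coarse
    return None


def in_published_ranges(ip, cidrs):
    """The report's authorised-range test: does a provider's own published
    list (GitHub /meta, Azure service tags, ...) contain this address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def fetch_github_meta(keys=("web", "api", "git")):
    """Live fetch of GitHub's published ranges (network; unused by the sample)."""
    with urllib.request.urlopen("https://api.github.com/meta", timeout=10) as resp:
        meta = json.load(resp)
    return sorted({cidr for key in keys for cidr in meta.get(key, [])})


def nft_set_body(nets):
    """Render as the element list for an nftables set, e.g.
    nft add element inet filter aitm_proxies { <body> }"""
    return ", ".join(str(net) for net, _ in nets)


REPORT_PREFIXES = [  # copied from the subnet table above, defanged as printed
    "147.45.210[.]0/24", "195.62.48[.]0/23", "212.113.98[.]0/24",
    "2.26.16[.]0/24", "2.26.17[.]0/24", "2.26.28[.]0/24", "2.26.29[.]0/24",
    "2.26.30[.]0/24", "2.26.116[.]0/24", "2.26.117[.]0/24", "2.26.119[.]0/24",
    "2.27.16[.]0/24", "2.27.17[.]0/24", "2.27.120-123[.]0/24",
    "64.188.115[.]0/24", "77.91.79[.]0/24", "77.239.127[.]0/24",
    "138.124.240[.]0/23", "144.31.x[.]0/24", "178.236.240[.]0/24",
    "178.236.243[.]0/24", "178.236.249[.]0/24",
]
BLOCKLIST = build_blocklist(REPORT_PREFIXES)
SAMPLE_GITHUB_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]  # constructed, not GitHub's real list

if __name__ == "__main__":
    for ip in ("147.45.210.100", "2.27.121.9", "144.31.7.7", "140.82.112.3"):
        hit = matching_prefix(ip, BLOCKLIST)
        note = f"{hit[0]}{' (coarse /16, review)' if hit[1] else ''}" if hit else "not listed"
        print(f"{ip:16s} {note:28s} in published ranges: {in_published_ranges(ip, SAMPLE_GITHUB_CIDRS)}")
    print("nft add element inet filter aitm_proxies {", nft_set_body(BLOCKLIST), "}")
```

Swap SAMPLE_GITHUB_CIDRS for fetch_github_meta() (or a provider's service-tag export) to reproduce the report's "0 of 25 in any authorised range" check; the coarse flag exists so the one wildcard row does not silently turn into a /16 blackhole without someone looking at it.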

Recommendations

Immediate

Action                                        | Target
----------------------------------------------+------------------------------------------------------
Block all AS206134 and AS207416 prefixes      | Network perimeter, DNS resolvers
Report to GitHub Security                     | 128 proxies impersonating github.com
Report to Microsoft MSRC                      | 142 proxies impersonating microsoft.com
Report to Apple Product Security              | 98 proxies impersonating apple.com/icloud.com
Report to CISA                                | State-linked AiTM infrastructure targeting US services
Report to UK NCA                              | Shell company abuse, Companies House fraud
Report to BfV (German domestic intelligence)  | DENIC proxy, German-specific targets
Report to SBU (Ukraine Security Service)      | Crimean occupation IT operative
Report to SureVoIP / NETSHIELD LTD            | Upstream providing transit to proxy farm
Alert kernel.org maintainers                  | Supply chain attack staging

Monitoring

  • Track BGP announcements from AS206134 and AS207416 for new prefixes
  • Monitor UK Companies House for new NEKOBYTE or ALVION registrations
  • Watch RIPE for new objects under itgarage-mnt, LIMITED-MNT, or NUXTCLOUD-MNT
  • Monitor internet-wide scan data (Shodan, Censys) for your own certificates or hostnames appearing on IPs outside your published ranges; a passthrough proxy issues no certificate of its own, so it leaves no Certificate Transparency trace. Watch CT logs for the other failure mode: certificates for your names that you did not request
  • Track bentonit[.]ru and mcgtechlab[.]ru for infrastructure changes

Investigation by Breakglass Intelligence. Credit to @Fact_Finder03, @malwrhunterteam, and @4_n_0_n_1_3_3_7 for the initial tips. All IOCs defanged. Verification data and reproducible scripts available to qualified researchers upon request.
