The black market for IPv4 addresses is flourishing as demand remains high in the enterprise and criminals are swarming to hijack, clean and resell them.
IPv6 became the only option for IP addresses in September 2015 when North America's existing pool of IPv4 ran out.
There have been 25 instances of IPv4 address hijackings since that date, which doesn't sound very much but compares with only 50 in the previous decade.
Leslie Noble, senior director of global registry knowledge at the American Registry for Internet Numbers (ARIN), explained during last week's North American Network Operators' Group 67 conference that people still "desperately" want IPv4 addresses.
A waiting list is full to bursting, but those joining the list simply have to "hope that some space will come back in time", he said.
ARIN has observed that some buyers and sellers of IPv4 addresses simply operate around an ecosystem of "brokers" who help companies fill IPv4 gaps more legitimately.
"These people are basically looking for IPv4 space to use in their networks. They're still growing their business with IPv4," said Noble.
But she warned that another group is "actually looking for space to sell and looking to make money off it, so we have seen an increase in hijackings and attempted hijackings at the registry."
ARIN has discovered that most hijackings take place inside the legacy space, targeting defunct websites or websites for defunct brands.
Fraud rings began to set up shell companies to hoard IPv4 space just before depletion, so a lot of activity was very much planned before October 2015, according to Noble.
A hijacking usually takes the form of unauthorised changes to a website's database record to gain control of IP resources, i.e. "someone pretending to be that registrant in order to take control of that record", said Noble.
After checking the routing - the way IP information moves from place to place across the internet - expired domain names may then be reregistered. It can also be carried out by reactivating defunct business names.
"Ultimately, their goal seems to be selling those addresses and reassigning them to other businesses," Noble told delegates.
She warned that it is now "very common" for routes to be hijacked completely, mostly by forging a Letter Of Authority for the address and taking it to ISPs.
"This can encourage ISPs to reroute the space to a hijacker. We're expecting [black market] activity to increase, but we're always on the alert. We know the red flags," said Noble.
AlphaBay users had flocked to Hansa after it was closed down - not realising it had already been taken over by Dutch police
Microsoft closes in on $100bn annual revenues with sales weighing-in at $23.3bn
Moves to take down cyber-squatted domains reveals Fancy Bear hacking network, claims Microsoft
Intel claims 'world first' in artificial intelligence that can be plugged-in almost anywhere