An individual, Zhenyun Sun (https://find-and-update.company-information.service.gov.uk/officers/svz68usL11Hfb5q2_65DDqlFd2Y/appointments), is registering UK "fibre ISPs" at Companies House at an unusual rate.

spamhaus@infosec.exchange

An individual, Zhenyun Sun (https://find-and-update.company-information.service.gov.uk/officers/svz68usL11Hfb5q2_65DDqlFd2Y/appointments), is registering UK "fibre ISPs" at Companies House at an unusual rate. On the surface, they could pass for legitimate broadband providers. But look closer, and the picture soon changes ️ ...

Some of these companies are assigned an ASN, sharing the same abuse contact: onesproxy[.]com. ️

spamhaus@infosec.exchange

For anyone actually trying to buy internet service from this list of providers? Good luck! We haven't observed abuse traffic emanating from these ASNs yet. But the infrastructure suggests this one is one to keep an eye on!

spamhaus@infosec.exchange

This same company markets itself as a Chinese provider of "residential proxies." These ASNs are registered at RIPE (@ripencc) as assigned to ISPs delivering fibre to UK homes.

One explanation is that this makes proxy traffic appear to originate from genuine residential broadband customers. But it may not necessarily be for malicious purposes. It could be targeting SEO and those who want to "cheat the system" by simulating traffic from a large pool of users for marketing. ️