The New Entry Point: Company Formation as Infrastructure

The starting point is not a vulnerability. It is a company.

In the UK, companies can be registered quickly, cheaply, and with minimal verification. Formation agents offer fully automated services where incorporation can be completed within 24 hours.

This is not a loophole. It is a business model.

From there, the process is straightforward:

  • Register a company
  • Use it to obtain ASN and IP resources
  • Deploy infrastructure
  • Operate or lease it
  • Let the company collapse

No bypassing controls. No exploitation. Just using the system as designed.

The 12-Month Operational Window

This model works because of time.

Companies are often left non-compliant from the start:

  • Filings are ignored
  • Confirmation statements are missed
  • Administrative warnings accumulate

Eventually, the company is struck off.

But not immediately.

The process creates an operational window of approximately 12 months - often longer.

That is more than enough time to:

  • Run phishing campaigns
  • Host malware infrastructure
  • Operate command-and-control systems
  • Lease IP space to third parties

This is not short-lived abuse.

It is structured, predictable, and sufficient to sustain full-scale cybercrime and industrialised crime-as-a-service operations.

The Reset Problem

The most important part of this model is what happens next.

Nothing.

When the company is dissolved:

  • The legal entity disappears
  • Accountability disappears with it
  • Infrastructure can migrate or persist
  • A new company is created, resetting the cycle and enabling another 12-month window for continued operations - often within days, sometimes immediately.

Incorporate → Acquire → Operate → Dissolve → Reincorporate

This is not a weakness. It is a feature - and it is being exploited at scale by cybercriminals.

Why Listing and Blocking Fail

The default industry response is still reactive:

  • Block IPs
  • Flag ASNs
  • Share indicators

This does not work. It cannot work.

Because the infrastructure is deliberately structured to outlive detection and disruption:

  • The lifecycle is long enough to generate value
  • The cost of replacement is negligible
  • The ability to reset is built-in

Blocking becomes a delay mechanism. Not a disruption strategy.

If you do not remove the root enabler, the problem regenerates.

Why the System Fails

This is not a failure of one organisation. It is a failure of alignment.

Stakeholder         | Responsibility      | Limitation                      | Outcome
Companies House     | Legal registration  | Cannot verify identity accuracy | Cheap legitimacy layer
RIRs                | Resource allocation | No mandate to act on abuse      | ASN remains active
ISPs / Upstreams    | Connectivity        | Commercial incentives vary      | Abuse tolerated
Threat intelligence | Detection           | No enforcement power            | Fragmented mitigation
Law enforcement     | Legal action        | Slow, jurisdictional            | Delayed response

Each actor operates correctly within their mandate. The system fails between them.

Identity Without Accountability

At the centre of this issue is a fundamental mismatch. Company registration is treated as a trust signal. But it is not.

Companies House explicitly states that it does not verify the accuracy of submitted information and that publication should not be interpreted as validation.

At the same time:

  • Many companies have minimal transparency
  • Officers are often located outside the UK
  • Physical presence is unclear or non-existent

The company provides legitimacy. The operator remains invisible.

ASN Allocation: Trust Without Control

Regional Internet Registries operate under a clear mandate: allocate resources and maintain registries. They are not enforcement bodies.

This creates a critical limitation:

  • ASN allocation is based on policy compliance
  • Network abuse is not handled within registry processes
  • Strong action often requires legal intervention

The result is simple: infrastructure used for malicious purposes can remain active because it is formally compliant according to policy.

A System That Works - For the Wrong Side

This is not a failure of individual actors.

It is a system that functions exactly as designed:

  • Company registration enables access
  • ASN allocation provides infrastructure
  • Upstreams provide connectivity
  • Detection systems provide signals

But none of these components are designed to stop the full lifecycle.

The gap is not technical. It is structural.

What Actually Works: Disruption, Not Observation

The lesson from domain abuse applies directly here.

  • Visibility does not stop cybercrime
  • Listing does not stop cybercrime
  • Blocking does not stop cybercrime

Disruption does.

That means:

  • Removing access to infrastructure
  • Preventing reuse of identity
  • Increasing the cost of re-entry
  • Breaking the lifecycle

Anything else is containment.

What the Industry Needs to Do

This problem is solvable. But only if the response matches the model.

1. Treat identity as a security control

If companies are used to obtain critical infrastructure, their identity must be verifiable. Not declared. Not assumed. Verified.

2. Introduce lifecycle-based controls

New entities should not receive full trust immediately.

  • Probation periods for ASN holders
  • Gradual allocation models
  • Continuous compliance checks

3. Enable enforcement at the ASN level

Policy must evolve.

There must be mechanisms to act on:

  • Systematic abuse
  • Repeated patterns
  • Proven malicious use

Without this, enforcement does not exist.

4. Break the reset cycle

This is the most important step. As long as actors can dissolve a company, reincorporate within days, and regain access to infrastructure, the model will continue to scale.

Reset must become costly.
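
One way to express the probation, continuous-compliance and reset checks from steps 2 and 4 as a review over ASN holder records. This is an added illustration, not part of the original article or any registry's tooling; the record fields, the 365-day threshold, the matching rule (shared officer or address) and the sample data are all constructed assumptions.

```python
from datetime import date

# Constructed sample records; field names are hypothetical, not a real registry schema.
# ASNs are taken from the range reserved for documentation.
HOLDERS = [
    {"asn": 64500, "company": "Alpha Net Ltd", "incorporated": date(2023, 1, 10),
     "status": "dissolved", "filings_overdue": True,
     "officers": {"J. Doe"}, "address": "1 Example St"},
    {"asn": 64501, "company": "Beta Net Ltd", "incorporated": date(2024, 2, 1),
     "status": "active", "filings_overdue": True,
     "officers": {"J. Doe"}, "address": "1 Example St"},
    {"asn": 64502, "company": "Gamma Hosting Ltd", "incorporated": date(2015, 6, 3),
     "status": "active", "filings_overdue": False,
     "officers": {"A. Smith"}, "address": "9 Sample Rd"},
]

PROBATION_DAYS = 365  # assumption: mirrors the ~12-month window described in the article

def review(holders, today):
    """Return {asn: [flags]} for holders that warrant a lifecycle review."""
    dissolved = [h for h in holders if h["status"] == "dissolved"]
    findings = {}
    for h in holders:
        flags = []
        if h["status"] == "dissolved":
            # The legal entity is gone but the resource record still exists.
            flags.append("holder-dissolved")
        else:
            if (today - h["incorporated"]).days < PROBATION_DAYS:
                flags.append("probation")
            if h["filings_overdue"]:
                flags.append("filings-overdue")
            # Reset check: a newer entity sharing an officer or address
            # with an earlier, dissolved holder.
            for d in dissolved:
                shared = h["officers"] & d["officers"] or h["address"] == d["address"]
                if d["incorporated"] < h["incorporated"] and shared:
                    flags.append(f"possible-reset-of-AS{d['asn']}")
        if flags:
            findings[h["asn"]] = flags
    return findings
```

A match on officer or address is a lead for manual review, not proof of common control; formation agents legitimately share addresses across many unrelated companies.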

Conclusion

The internet has already seen this pattern. Weak identity leads to scalable abuse. The domain ecosystem proved it. Now routing infrastructure is following the same path.

If access is easy, identity is weak, and reset is free, abuse will industrialise.

The world and the internet industry need to stop treating this as a niche abuse problem and start treating it as a structural failure in how trust is granted.

That means raising the cost of entry, making legal identity meaningful, introducing friction for newly created entities, and giving the ecosystem real tools to disrupt malicious ASN use before it becomes entrenched.

The solution is not better observation. It is better disruption.

Until identity, lifecycle, and enforcement are addressed together, this model will continue to reward the actors most willing to exploit the system.

If that does not change, ASN abuse will not slow down. It will continue to scale - predictably, efficiently, and globally.