There Is No Internet: Cross-Domain Recon of all 4.3 Billion IPv4s
Recon Village @ DEF CON 34 • August 7-9, 2026
Abstract
We scanned every IPv4 address on the planet. Twice. We collected public records in one of at least three places: the RIR registration, the operator's reverse DNS, or whatever service answers on port. Most threat intelligence pipelines read one of those. Darkmouse lines up all of them and flags the disagreements. The result is attack-surface visibility that no single source gives you, and a methodology you can run yourself.
This talk walks the recon pipeline behind three findings from a single cross-domain pass over 4.3 billion IPv4 addresses in five days, plus a 92 million IP targeted scan in 34 hours (Russia, Iran, and North Korea). We used ZMap on single-use Jetstream2 VMs, zdns for PTR and forward verification, bulk RPSL and ARIN XML and APNIC data loaded into DuckDB alongside MaxMind GeoLite2, OpenSanctions, and the US Trade Consolidated Screening List. Enrichment is baked into the scan row at ingest. Every field carries a source-date stamp so longitudinal comparison actually works.
Lead finding for a recon audience: 6,656 Iranian IPs in RIPE where the registrant placed fabricated US street addresses into the authoritative registry. 4,608 of them cite AT&T Mobility's ARIN IP-management address verbatim. 2,048 cite a Philadelphia apartment building. All geolocate to Iran. All trace to one operator through a shared RIPE maintainer object linking a Shiraz Local Internet Registry and an Omani shell.
Between September 2025 and January 2026 the fabricated addresses began rotating out, replaced by netnames like "Datacamp-Limited" that impersonate real UK hosting companies. A single-point-in-time feed cannot see that rotation. Two dated snapshots can. We are currently running follow up scans and expect to have new data before the conference.
Additional Findings: five active PTR records in Russia and the Netherlands claiming US government domains, including .fbi.gov subdomains, four of five still live six months after first observation (April 2026). And 1,534 APNIC-registered IPs for Entity Listed Chinese telecoms, declared country=US, geolocating to One Wilshire in Los Angeles, running production email and DNS on FCC-revoked Section 214 infrastructure.
Every finding ships with the RDAP query, the DNS check, and the cross-reference that verifies it. Every finding ships with the RDAP query, the DNS check, and the cross-reference that verifies it. Attendees leave knowing which four sources to line up, which fields to trust, and what to look for when two dated snapshots disagree.
Speaker
Former DARPA, State Department, now Professor and Builder
John McCary founded Port 194 LLC, where he builds internet-scale measurement and correlation tooling from public data. Former soldier, diplomat, Wall Street Journal journalist, licensed private investigator, and certified ethical hacker. At 29 he helped design and launch a peer-to-peer data sharing platform that became a DARPA program of record and is still in use today. He designed and teaches the Open Source Intelligence course at the University of Arizona as adjunct faculty. Off the clock he is usually underwater, in a Muay Thai gym, or playing live music, though rarely at the same time.
View full speaker profile →