Infrastructure Zombies:
When Carrier Acquisitions Leave the Door Open
When one telecommunications carrier acquires another, the acquired infrastructure — physical plant, IP space, routing tables, DNS authority — is supposed to be integrated or decommissioned. In practice, the integration is frequently incomplete. What remains is a persistent boundary condition: legacy infrastructure still operating under the acquiring carrier’s name, but never fully migrated, patched, or shut down. We call these infrastructure zombies. This is the story of finding them — at national scale.
THE JOURNEY — JAN 1 TO MAY 29, 2026
What began as a documented response to observed network anomalies at a single residential location in Northeast Georgia evolved into a national infrastructure survey over five months. The investigation crossed from device-layer forensics into BGP routing tables, ARIN records, physical plant maps, and federal disclosure channels.
The timeline below documents every significant milestone: filings to CISA, FBI, and IC3; ground confirmations; database construction; zombie ASN discovery; and — critically — the confirmed remediation event on May 19, 2026, when four anomalous BGP routes changed state simultaneously, 17 days after the FBI disclosure.
NATIONAL VULNERABILITY SURVEY
The national database was built from public carrier acquisition records — SEC merger documents, FCC franchise transfer filings, and ARIN/RDAP attribution — before any validation data was collected. Case selection was a priori: six acquisition cases were chosen based on publicly documented carrier histories, not based on what the data would show. States with zero records reflect the geographic footprint of those six cases, not filtering.
Every record represents a ZIP code that falls within a predicted carrier acquisition boundary — a location where, by methodology, the subscriber’s broadband infrastructure may be operating at the seam between pre- and post-acquisition plant.
ZOMBIE ASN CONDITIONS — OVERVIEW
A zombie ASN is a pre-acquisition Autonomous System Number that is still announcing IP prefixes in live global routing tables after the acquiring carrier should have assumed or decommissioned that routing authority. A zombie means the IP space is being routed by an entity that, by acquisition records, should no longer exist as an independent network — creating an unaccountable gap between who the public record says controls that IP space and who is actually routing it.
Beyond simple zombies, this investigation documented more complex conditions: retention anomalies (pre-acquisition ASNs kept active by the acquirer in parallel with the successor ASN), third-party control (routing authority held by an unknown external party), and what appear to be law enforcement sinkhole ASNs — legacy routing infrastructure repurposed for network monitoring.
The full ASN registry has been disclosed to CISA, the FBI, and CERT. The methodology is documented here — researchers are welcome to replicate it.
FIVE-TIER CONFIDENCE MODEL
Not all findings are equal. A record inferred from acquisition geography carries less evidentiary weight than one confirmed by physical observation. The investigation uses a five-tier confidence ladder to distinguish what the methodology predicts from what has been directly observed. Confidence upgrades require independent corroboration — they are not self-assigned.
Methodology predicts a SEAM zone from acquisition geography. Conditions not yet directly observed.
Passive OSINT, satellite imagery, and zone indicators confirm boundary conditions exist.
PCAP captures, zombie BGP routing state, and ARIN confirm via forensic-grade remote methods.
Physical plant conditions confirmed on-site. Digital or near-target observation.
Confirmed by victim, law enforcement, ISP, or documented legal action.
DISCLOSURE RECORD
All findings were disclosed to carriers and government agencies through established responsible disclosure channels before any public publication. The goal is infrastructure remediation — not exposure. Carriers are given the opportunity to address conditions before they appear in public reporting.
| Date | Filed To | Subject | Status |
|---|---|---|---|
| 2026-01-03 | FBI | Initial device compromise report (VRF#26-01-PDLPQ) | FILED |
| 2026-01-11 | CISA | Cyber incident report #1 — device/C2 track | FILED |
| 2026-02-02 | CISA | Supplemental filing #2 — device/C2 track | FILED |
| 2026-02-24 | IC3 | Complaint — device compromise and C2 beacon | FILED |
| 2026-04-06 | Spectrum/Charter | HFC dual-plant patchover infrastructure vulnerability (Track 1) | FILED — NO RESPONSE |
| 2026-04-11 | Spectrum/Charter | Winterville node — physical plant access conditions | FILED — NO RESPONSE |
| 2026-04-16 | CISA | New standalone report — HFC patchover vulnerability (VRF#26-04-TPWXX) | FILED |
| 2026-05-02 | FBI (5.2) | Actionable zombie ASN findings — BGP infrastructure layer | FILED |
| 2026-05-02 | CISA | Supplemental — BGP zombie ASN routing findings + statistical analysis | FILED |