BGP hijacking: real-world examples and how to prevent it

Author. Olivier Moll     Jun 1, 2026
BGP hijacking: real-world examples and how to prevent it

BGP hijacking continues to threaten businesses around the world - what can you do about it?

BGP hijacking occurs when an attacker falsely announces ownership of IP address prefixes via the Border Gateway Protocol (BGP), redirecting Internet traffic through their own network. Because BGP has no built-in authentication, the entire Internet is vulnerable to route manipulation.

Border Gateway Protocol (BGP) hijacking has been a thorn in the side of private individuals and businesses everywhere since the dawn of the Internet. However, what is BGP hijacking, and how can you as a business, protect yourself from such attacks - find out in this blog post.

What is BGP hijacking?

BGP hijacking refers to cybercriminals maliciously intercepting or rerouting Internet traffic.

Today's Internet comprises thousands of interconnected public and private networks, grouped into Autonomous Systems (ASes). Each AS is identified by a unique 32-bit AS number (ASN) and is associated with one or more blocks of IP address space, identified by their prefixes. These networks connect using routers that dynamically build a map of the Internet by exchanging reachability information through the Border Gateway Protocol (BGP). Each router constructs a routing table, enabling traffic to be forwarded hop by hop until it reaches its final destination.

BGP determines the best path for data to travel across the globe by having each AS announce the IP prefixes it owns and the routes it can reach. When an AS connects to the Internet, it advertises its prefixes to its peers, which in turn propagate those announcements further. Through this chain of announcements, every AS eventually learns how to reach every other network. However, BGP was designed in an era when the Internet was a small community of trusted institutions, built on implicit trust rather than verification. The protocol has no native mechanism to confirm that an AS actually owns the prefixes it advertises, that the routes it announces lead to legitimate destinations, or that packets carry accurate source IP addresses.

Attackers exploit this weakness by falsely announcing ownership of IP address blocks, promising a faster or more direct route to a destination and it is along this fraudulent path that traffic interception and data theft occur. It is unfortunately common for ASes to announce incorrect routing information, whether accidentally through misconfiguration or deliberately through malicious action, and to allow packets with forged or spoofed IP source addresses. 

Such incidents can cause widespread service disruption, traffic redirection, modification, and large-scale Distributed Denial-of-Service (DDoS) attacks, posing significant security risks to enterprises, governments, and end-users alike.

Many companies around the world have fallen victim to BGP hijacking, causing thousands of people to have their access disrupted and their data compromised.

Real examples of BGP hijacking

Since the start of 2020, there have been over 1430 BGP hijacking incidents, averaging a total of 14 hijackings a day. These attacks include high profile incidents involving companies such as MasterCard, Amazon, Google and national telecom operators.

Here are a few notable incidents from recent years:

December 2017 - Google, Apple, Facebook, Microsoft, TwitchTV, Riot Games

Eighty high-traffic prefixes usually used by Google, Apple, Facebook, Microsoft, TwitchTV and Riot Games were hijacked by an unknown Russian Autonomous System (AS) simply known as DV-LINK-AS (AS39523). User information such as email addresses, passwords, usernames and other login details were suspected to be compromised.

April 2018 - Amazon

Approximately 1300 IP addresses belonging to Amazon Web Services were hijacked by eNet (or a customer of theirs), an ISP in Columbus, Ohio. Several partners, such as Hurricane Electric routed traffic through the hijacked addresses, exacerbating the issue. The attacker was suspected to be after cryptocurrency, stealing a total of about $150,000 from MyEtherWallet users.

November 2018 - Google

China Telecom was suspected of hijacking a total of 180 prefixes, affecting a vast scope of Google services, including a massive denial of service to GSuite and Google Search. Regardless of whether intention was involved, valuable Google traffic data fell into the hands of the attackers.

May 2019 - Taiwan Network Information Center

Taiwan fell victim to an unknown Brazilian attacker using two prefixes for advertising purposes that belonged to The Taiwan Network Information Center, a non-profit organisation officially funded by the Taiwanese Directorate General Telecommunications of the Ministry of Transportation and Communication. The attack lasted three and a half minutes where public data was vulnerable.

June 2019 - European telecommunication networks

A Swiss data centre hosting company accidentally leaked over 70 000 routes from its internal routing table to China Telecom. Instead of ignoring the BGP leak, China Telecom re-announced these routes as its own and declared itself as the shortest way to reach the network of the Swiss data centre operator and other nearby European telecommunication companies and ISPs.

Some of the most impacted European networks included Swisscom (AS3303) of Switzerland, KPN (AS1130) of Holland, and Bouygues Telecom (AS5410) and Numericable-SFR (AS21502) of France. This particular incident was severe, lasting over two hours. Users of the affected networks suffered slow connections and denial of service to some servers.

April 2020 - Akamai, Amazon and Alibaba

A massive BGP hijack involving over 8800 prefixes affected companies such as Akamai, Amazon and Alibaba on April 1, 2020. Initiated by a Rostelecom user, the attack caused service disruptions throughout the world. It is currently unknown how much data was leaked or for what purposes, but it generally acknowledged that stricter network filtering by Rostelecom could have prevented the attack.

September 2020 - Telstra

500 prefixes wrongfully advertised as belonging to Telstra caused lengthy data detours via the Australian telecommunications company in September 2020. Telstra later apologised for the unintentional hijacking, stating the incident was caused by post verification testing to address an unrelated software bug. While this incident may have caused widespread connectivity challenges, no data or personal information is suspected to be breached.

BGP hijacking can have detrimental effects from those who steal your data as well as from legal sources such as the GDPR. If regulations such as the GDPR find that you are unfit to protect the private data of your customers or users, you could be liable for a fine of up to 20 million Euros.

Since BGP hijacking cannot be countered through the Internet as we know it, companies must look elsewhere for secure, reliable internet solutions.

Recent BGP hijacking incidents (2021–2026)

February 2025 – SingNet / Innove Communications

A stealthy BGP hijacking incident, a particularly elusive form of BGP hijacking where malicious routes divert traffic without reaching (and thus alerting) the victims, targeted the sub-prefix 203.127.225.0/24 belonging to SingNet (Singapore) as discovered by researchers in February 2025.  

The sub-prefix was fraudulently announced by Innove Communications, a Philippine network with no established relationship to SingNet. Traffic from major transit providers, including SEACOM, was silently diverted to the illegitimate origin without the victim ever seeing the malicious route on the control plane.  

The incident persisted throughout the researchers' two-month study window. Whether the cause was misconfiguration or deliberate hijacking remains unconfirmed, as the responsible operator was still under investigation at the time of publication. 

June 2024 – Cloudflare

In June 2024, Cloudflare's public DNS resolver service  (1.1.1.1) became unreachable or severely degraded for users across the globe. The root cause was a combination of BGP hijacking and a route leak. Despite Cloudflare being an early adopter of Resource Public Key Infrastructure (RPKI) for route origin validation (ROV), the incident still occurred, rendering the DNS resolver unreachable from over 300 networks across 70 countries. 

July 2022 – Apple / Rostelecom

For just over 12 hours on 26–27 July 2022, Russia's Rostelecom began announcing routes for part of Apple's network, with the effect that users in parts of the Internet trying to connect to Apple services may have been redirected to the Rostelecom network. The false announcement propagated globally. 

Apple Engineering responded by announcing a more specific route to redirect traffic back to the correct destination, but this countermeasure did not appear until more than five hours after the hijack began. Rostelecom's announcement persisted for 12 hours and 14 minutes in total before being withdrawn. Whether the incident was the result of misconfiguration or deliberate action remains unconfirmed. 

April 2021 – Google, Microsoft, Akamai

A major BGP hijack on April 16th, 2021 saw Vodafone Idea (AS55410) announce over 34,000 networks not belonging to it, causing a large portion of user traffic to be redirected away from its legitimate destinations and disrupting services for around 3,500 companies worldwide. Among those affected were Google, Akamai, and major telecoms including Deutsche Telekom, Orange, and Telefónica. 

Traffic to Vodafone Idea spiked to 13 times its usual levels, while traffic to other networks drained into an Internet black hole. The error was caught within minutes, but faulty routes continued to propagate for at least an hour. 

Around 80% of the hijacked routes had no ROAs, meaning they propagated globally unchecked, while the roughly 7,000 prefixes with valid ROAs were filtered out by many network operators demonstrating that broader RPKI adoption could have significantly contained the incident. 

Why RPKI alone won’t solve BGP hijacking


Since BGP hijacking cannot be countered through the Internet as we know it, companies must look elsewhere for secure, reliable internet solutions.

Resource Public Key Infrastructure (RPKI) enables the cryptographic verification of route ownership, allowing networks to publish Route Origin Authorizations (ROAs), digitally signed records stating which Autonomous System (AS) is permitted to originate a particular IP prefix. Routers enforcing Route Origin Validation (ROV) can then reject announcements that contradict these records, providing a meaningful first line of defence against accidental misconfigurations and opportunistic hijacking attempts.

However, RPKI has significant limitations. Most critically, it only validates the origin of a route, the first AS to announce a prefix, but provides no protection against path manipulation. A malicious actor can still intercept or manipulate traffic further along the routing path without triggering any RPKI alert. 

Furthermore, with only around 54% of IP prefixes currently covered by valid ROAs, large portions of the Internet remain entirely unprotected. Deployment is voluntary, uneven, and slow-moving, meaning the effectiveness of ROV depends heavily on how many networks choose to enforce it.

RPKI is also fundamentally reactive: it attempts to filter out bad announcements after they are made, rather than preventing them at the architectural level. It patches a vulnerability that is deeply embedded in how BGP was designed, without addressing the underlying assumption of implicit trust.

These limitations highlight the need for a more fundamental architectural solution, one that builds trust, verification, and path control directly into the network layer. This is precisely what SCION delivers.

How SCION eliminates BGP hijacking

Companies must protect themselves from BGP hijacking to avoid exposing data to cybercriminals and damaging their reputation. Anapaya's connectivity services are built on SCION (Scalability, Control, and Isolation On Next-generation networks), an architecture that makes BGP hijacking impossible rather than simply difficult.

Unlike solutions such as Cloudflare, which detect suspicious route announcements and react after the fact, SCION eliminates the conditions that make hijacking possible in the first place.

With SCION, every path segment in the network is cryptographically signed. Routers will only forward packets along paths they have explicitly authorised, meaning a forged route announcement simply cannot take hold. The network is further organised into isolation domains each with its own root of trust, ensuring that traffic cannot be silently redirected outside its intended domain and that sensitive data stays where it belongs.

Within the isolation domain, it is the sender who defines the path for a data packet. Rather than leaving routing decisions to the network, SCION places that control with the sender, who assembles an end-to-end path from cryptographically verified segments based on their own preferences and policies. Routers do only what they should: forwarding, nothing more. And if any segment along the path fails, an equivalent one is substituted automatically, with no loss of performance.

With Anapaya, you get business continuity, robust resistance to DDoS attacks, and complete immunity to BGP hijacking, not as features added on top of a vulnerable foundation, but as properties of the architecture itself.

Protect yourself from BGP hijacking with state-of-the-art technology

BGP hijacking is a serious threat to all companies who use the Internet, but it doesn’t have to be. With SCION, enterprises can regain safety and the peace of mind they need to offer online services and communications to their customers with confidence.
Anapaya EDGE enables enterprises to build private, invite-only WANs on the SCION Internet where BGP hijacking is architecturally impossible. With SCION Secure Access Groups, a feature of Anapaya EDGE, your enterprise WAN is invisible to unauthorized entities, eliminating entire categories of cyberattacks including BGP hijacking and DDoS attacks.
Anapaya - The SCION Company - builds the enterprise products that make SCION’s architectural security accessible to organizations today. Learn how SCION compares as an alternative to MPLS, SD-WAN, and VPNs.

 

BOOK A DEMO today and discover how the next generation of the Internet can change the way you think about security.

Frequently Asked Questions

What is BGP hijacking?
BGP hijacking is a cyberattack in which an attacker falsely announces ownership of IP address prefixes via BGP (Border Gateway Protocol), the protocol that routes traffic between networks on the Internet. This redirects traffic through the attacker’s network, enabling data interception, service disruption, or denial of service.
How can you prevent BGP hijacking?
Prevention approaches include RPKI (Resource Public Key Infrastructure) for origin validation, BGP monitoring services for anomaly detection, and architectural solutions like SCION that replace BGP entirely with cryptographically verified path control. RPKI reduces risk but does not eliminate it; SCION eliminates the vulnerability at the protocol level.
What is the difference between BGP hijacking and a BGP route leak?
A BGP route leak is typically accidental: a network misconfiguration causes routes to be announced to unintended peers. BGP hijacking is deliberate: an attacker intentionally announces false routes to redirect traffic. Both exploit the same BGP vulnerability (lack of authentication), and both can cause significant traffic disruption.
Does RPKI prevent BGP hijacking?
RPKI helps reduce BGP hijacking risk by allowing networks to validate the origin AS of a route announcement. However, RPKI does not protect against path manipulation attacks, adoption remains incomplete across global networks, and it operates reactively. SCION addresses the root cause by replacing BGP with end-to-end cryptographic path verification.

 

 

TAGS:

Cybercrime, Cyberattacks

Schedule a free
consultation and experience the power of SCION

Our specialists are ready to assist you in becoming SCION-enabled. Fill in the form on the right and elevate your network to the next level.