Security analysts recently discovered a BGP route leak at Venezuela's state-owned telecommunications company CANTV shortly before the U.S. military operation aimed at apprehending Nicolás Maduro. Reconstructing the incident from routing data after the fact, some observers speculated that the leak was a deliberate traffic hijack by the U.S. government to collect intelligence ahead of the operation.
The findings quickly drew widespread attention within the security community and subsequently caught the interest of Cloudflare's researchers. After reviewing historical routing data, however, Cloudflare analyst Bryton Herdes concluded that the CANTV leak was most likely not a deliberate attack but the product of basic technical mistakes and misconfigurations by CANTV's engineering staff. On January 2, 2026, local time, shortly before the U.S. launched its military operation against Venezuela, the state-owned carrier CANTV (AS8048) experienced a pronounced BGP route leak.
Some analysts observed that traffic from AS8048 was anomalously redirected to Sparkle, an Italian transit provider that those analysts characterized as not enforcing RPKI filtering and as having a poor security reputation. They interpreted the anomaly as a deliberate maneuver by intelligence services to enable man-in-the-middle interception and traffic collection. Yet the abnormal paths were strikingly self-deprioritizing: AS8048 had prepended its own ASN to the AS path up to ten times. Because BGP best-path selection prefers the shortest AS path once higher-priority attributes such as local preference tie, a path padded this way is about the least attractive route a router can be offered.
Cloudflare's analysts argue that an attacker trying to attract traffic would advertise shorter, more appealing paths, not pad the path so that routers steer traffic elsewhere.
A further critical factor is the pattern of recurrence. Since December 2025, AS8048 has experienced as many as eleven similar routing leaks, strongly suggesting long-standing deficiencies in CANTV’s ingress and egress filtering policies rather than a one-off action tied to a specific military operation.
The provider relationship also undermines the espionage narrative. The affected prefixes belong to Dayco Telecom (AS21980), a local Venezuelan service provider for which CANTV acts as upstream carrier. Since CANTV already carries Dayco's traffic legitimately, orchestrating a BGP hijack to obtain it would be redundant. The incident has nonetheless reignited debate over the fragility of BGP security. Sparkle was flagged as unsafe for failing to enforce RPKI filtering, but even universal deployment of RPKI Route Origin Validation (ROV) would not have prevented this anomaly.
RPKI ROV checks only whether the AS originating a prefix is authorized to do so by a Route Origin Authorization (ROA), which stops impersonation of the origin; in this case the origin, AS21980, never changed, only the intermediate path did.
That limitation is why Autonomous System Provider Authorization (ASPA), an RPKI-based mechanism being standardized in the IETF's SIDROPS working group, matters. ASPA lets a network publish a signed list of the ASes it authorizes as its providers. Routers that validate AS paths against those records can reject a path in which a route descends from a provider to a customer and then climbs back up to another provider, which is the hairpin-style leak seen here, where routes passing through AS8048 were improperly forwarded to unrelated providers. ASPA stops such leaks only at networks that have deployed the check, so its benefit grows with adoption rather than arriving automatically.
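To make the difference between ROV and ASPA concrete, here is an added example, not code from Cloudflare, CANTV or the article, that runs a minimal RPKI ROV check and a simplified version of the ASPA upstream-path check over two constructed routes: Dayco's prefix reaching a transit provider through CANTV directly, and the same prefix arriving with CANTV prepended ten times after a hairpin through a second transit. AS21980 and AS8048 are the article's ASNs; AS64496 to AS64498 are RFC 5398 documentation ASNs standing in for the transit providers (the article gives no ASN for Sparkle, so none is assumed); 203.0.113.0/24 is an RFC 5737 documentation prefix standing in for Dayco's address space; and the provider relationships are assumptions chosen to produce a hairpin leak, not a reconstruction of the actual incident. The script also reports AS path length, which is what makes the prepended route lose best-path selection, as discussed above.

```python
# Added example (not code from Cloudflare, CANTV or the article): a minimal RPKI
# ROV check and a simplified ASPA upstream-path check over constructed routes.
# AS21980 (Dayco) and AS8048 (CANTV) come from the article; AS64496-AS64498 are
# RFC 5398 documentation ASNs standing in for transit providers (the article names
# Sparkle but not its ASN); 203.0.113.0/24 is an RFC 5737 documentation prefix
# standing in for Dayco's space. The topology is constructed to show a hairpin
# leak, not a reconstruction of the real incident.
import ipaddress
from typing import Dict, List, Set, Tuple

# Route Origin Authorizations: (covering prefix, maxLength, authorized origin ASN)
ROAS: List[Tuple[ipaddress.IPv4Network, int, int]] = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 21980),
]

# ASPA records: customer ASN -> ASNs it authorizes as its providers.
# Constructed: Dayco dual-homed to CANTV and AS64497; CANTV buys transit from
# AS64496 and AS64497; both transits sit under AS64498.
ASPA: Dict[int, Set[int]] = {
    21980: {8048, 64497},
    8048: {64496, 64497},
    64497: {64498},
    64496: {64498},
}


def rov_state(prefix: str, origin_asn: int) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in ROAS if r[0].version == net.version and net.subnet_of(r[0])]
    if not covering:
        return "not-found"
    for _, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


def dedupe_prepends(as_path: List[int]) -> List[int]:
    """Collapse consecutive repeats: prepending changes path length, not topology."""
    out: List[int] = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def hop_check(customer: int, provider: int) -> str:
    """Does `customer` attest that `provider` is one of its providers?"""
    providers = ASPA.get(customer)
    if providers is None:
        return "no-attestation"
    return "provider+" if provider in providers else "not-provider+"


def aspa_upstream_state(as_path: List[int], receiver_asn: int) -> str:
    """Simplified ASPA check for a route received from a customer (an "upstream" route).

    as_path is in BGP order (neighbor first, origin last). Walking from the origin
    towards the receiver, every hop must be customer -> provider; one hop where the
    nearer AS is not in the farther AS's provider set means the route went down
    to a customer and came back up, i.e. a route leak.
    """
    chain = list(reversed(dedupe_prepends(as_path))) + [receiver_asn]
    results = [hop_check(chain[i], chain[i + 1]) for i in range(len(chain) - 1)]
    if "not-provider+" in results:
        return "invalid"
    if "no-attestation" in results:
        return "unknown"
    return "valid"


def evaluate(prefix: str, as_path: List[int], receiver_asn: int = 64496) -> Dict[str, object]:
    """What a validating router at receiver_asn concludes about one received route."""
    return {
        "rov": rov_state(prefix, as_path[-1]),
        "aspa": aspa_upstream_state(as_path, receiver_asn),
        "as_path_length": len(as_path),  # best-path compares full length, prepends included
    }


# Constructed routes as seen by AS64496 from its customer AS8048.
LEGIT_PATH = [8048, 21980]                      # Dayco -> CANTV -> AS64496
LEAKED_PATH = [8048] * 10 + [64497, 21980]      # Dayco -> AS64497 -> CANTV (x10) -> AS64496

if __name__ == "__main__":
    for name, path in (("legitimate", LEGIT_PATH), ("leaked", LEAKED_PATH)):
        print(f"{name:>10}: {evaluate('203.0.113.0/24', path)}")
```

Run it and the leaked route comes back ROV valid (the origin is still AS21980) but ASPA invalid, because the hop from AS64497 to AS8048 is not a customer-to-provider step in AS64497's attestation; it also carries an AS path of length 12 against 2 for the legitimate route, so a router holding both would never pick it. The IETF ASPA verification draft adds a separate procedure for routes received from providers (downstream paths) and treats lateral peers differently; this example covers only the customer-received case that a transit provider in the position the article assigns to Sparkle would apply.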
Cloudflare cautions that attributing Venezuela's network anomalies to a telecommunications-level special operation makes for a dramatic story, but the reality is usually far more mundane: the most serious weaknesses in internet infrastructure frequently stem from basic operational errors. The incident is a reminder to operators worldwide that, in an era of hybrid warfare, fully implementing RFC 9234, which defines BGP roles and the "Only-to-Customer" (OTC) attribute that stops a route learned from a provider or peer from being re-advertised upward, is no longer merely a technical exercise but a matter of national infrastructure protection.
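What that implementation looks like in router logic is shown by the following added example, not code from the article, Cloudflare or any router vendor: it encodes the RFC 9234 ingress and egress rules for the OTC attribute and runs them over a constructed route, first through a compliant CANTV that refuses to send the route back up, then through a legacy CANTV that forwards it anyway so that a compliant neighbor upstream catches the leak. AS8048 and AS21980 are the article's ASNs; AS64496 and AS64497 are RFC 5398 documentation ASNs standing in for two transit providers (the article names Sparkle but gives no ASN, so AS64496 is only a stand-in for that role); 203.0.113.0/24 is an RFC 5737 documentation prefix; and which transit set OTC on the route is an assumption made to exercise the rules.

```python
# Added example (not code from the article, Cloudflare or any router vendor): the
# RFC 9234 ingress and egress rules for the Only-to-Customer (OTC) attribute, run
# over constructed routes. AS8048 (CANTV) and AS21980 (Dayco) come from the article;
# AS64496 and AS64497 are RFC 5398 documentation ASNs standing in for two transit
# providers (AS64496 only stands in for the role the article gives Sparkle);
# 203.0.113.0/24 is an RFC 5737 documentation prefix.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]    # BGP order: neighbor first, origin last
    otc: Optional[int] = None   # Only-to-Customer attribute (RFC 9234, section 4)


def ingress(route: Route, neighbor_as: int, neighbor_role: str) -> Tuple[bool, Route]:
    """RFC 9234 section 5 ingress procedure at the local router.

    neighbor_role is the remote AS's role as negotiated in OPEN: 'provider',
    'customer', 'peer', 'rs' or 'rs-client'. Returns (is_leak, route to store).
    """
    if route.otc is not None:
        # A route carrying OTC was already sent "only to customers" by some AS
        # above. Receiving it from below (customer/RS-client) means it went down
        # and came back up: a leak. From a peer it is a leak unless that peer set it.
        if neighbor_role in ("customer", "rs-client"):
            return True, route
        if neighbor_role == "peer" and route.otc != neighbor_as:
            return True, route
    elif neighbor_role in ("provider", "peer", "rs"):
        # Route from above without OTC (sender predates RFC 9234): mark it
        # ourselves so it is never propagated back up.
        route = replace(route, otc=neighbor_as)
    return False, route


def egress(route: Route, local_as: int, neighbor_role: str) -> Optional[Route]:
    """RFC 9234 section 5 egress procedure. Returns the route to advertise, or
    None when it must be suppressed."""
    if route.otc is not None and neighbor_role in ("provider", "peer", "rs"):
        return None  # a route marked only-to-customer never goes up or sideways
    if route.otc is None and neighbor_role in ("customer", "peer", "rs-client"):
        route = replace(route, otc=local_as)  # mark it on the way down
    return replace(route, as_path=(local_as,) + route.as_path)


def legacy_forward(route: Route, local_as: int, prepends: int = 1) -> Route:
    """A router without RFC 9234 support: prepends and re-advertises regardless of
    role. OTC, if present, passes through as an unrecognised optional transitive
    attribute, which is what lets a compliant neighbor catch the leak."""
    return replace(route, as_path=(local_as,) * prepends + route.as_path)


def demo() -> Dict[str, object]:
    cantv, transit_a, transit_b, dayco = 8048, 64496, 64497, 21980
    # Constructed: AS64497 advertised Dayco's prefix down to its customer CANTV
    # and, being RFC 9234 compliant, set OTC=64497 on it.
    from_provider = Route("203.0.113.0/24", (transit_b, dayco), otc=transit_b)
    leak_at_cantv, stored = ingress(from_provider, transit_b, "provider")
    # Compliant CANTV: the route cannot be sent up to the other transit...
    to_transit_a = egress(stored, cantv, "provider")
    # ...but can be sent down to a customer, with OTC left as the upstream set it.
    to_customer = egress(stored, cantv, "customer")
    # Legacy CANTV: forwards it up anyway with ten prepends; a compliant AS64496
    # sees OTC on a route from a customer and rejects it as a leak.
    leaked = legacy_forward(stored, cantv, prepends=10)
    leak_at_transit_a, _ = ingress(leaked, cantv, "customer")
    return {
        "leak_at_cantv_ingress": leak_at_cantv,
        "suppressed_towards_provider": to_transit_a is None,
        "to_customer_otc": to_customer.otc,
        "to_customer_path": to_customer.as_path,
        "legacy_path_len": len(leaked.as_path),
        "leak_detected_upstream": leak_at_transit_a,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

RFC 9234 only takes effect between neighbors that have agreed on roles through the BGP Role capability in OPEN; `legacy_forward` models a router that never negotiated one, and the demo shows that even then a compliant neighbor further up rejects the leaked route, provided some AS above the leaker had already stamped OTC on it. A customer's own routes, which carry no OTC, still flow up to providers unchanged, so the attribute does not interfere with normal announcements.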