top of page
Search

A Real Dutch Church Beat Us to Docker Moreskin — and RIPE Doesn't Ask If You're Sincere

  • Writer: Patrick Duggan
    Patrick Duggan
  • a few seconds ago
  • 4 min read

This morning's traffic sweep dropped a name we hadn't paid attention to before: AS215125, "Church of Cyberology." Sitting in the top-five Tor operator list with 58 active relays, all in the Netherlands, all on a single /24 (192.42.116.0/24), all running the current Tor build with disciplined sequential nicknames. Looked like a wholesome Dutch privacy collective — Kopimism with a node pool.


I told Patrick: "Don't spin up the Church of Docker Moreskin again, this is real and on our side."


He responded: "so funny anyone can stuff some hard pipe hitting motherfuckers in the node pool and own it all."


He's right. That's the post.



What we actually see


Pulled from our hourly Tor consensus snapshots — latest snap May 5, 2026, 20:00 UTC:


  • 58 relays in the latest snapshot, 500+ historical fingerprints across our archive (high churn, well-maintained)

  • 100% Netherlands, 100% on 192.42.116.0/24 — Dutch academic-adjacent address space

  • Role mix (historical): 373 exits, 125 guards, 127 HSDirs — a full-stack contributor

  • Aggregate bandwidth: 17 megabytes per second

  • Tor version: uniform 0.4.9.6 across the fleet (current, actively patched)

  • Naming convention: NTH##R# — Netherlands, sequential relay number. Tidy. Disciplined.

  • Top exit ports: 9001/9002/9003 plus 443. Standard plus camouflage.

This is not a hobbyist running one box at home. This is a coordinated, funded, disciplined operation. Whoever runs AS215125 knows what they are doing.



The legal trick


In 2012, Sweden officially registered the Missionary Church of Kopimism as a recognized religion. Its sacred act: the act of copying. File-sharing, framed as religious practice, gained legal protections that secular civil disobedience does not.


European internet governance accepted it. RIPE — the regional internet registry that hands out IP space and AS numbers in Europe and the Middle East — has no test for theological sincerity. If you can incorporate as a non-profit religious entity under your country's laws, you can be allocated an ASN. The paperwork takes weeks. The cost is a few thousand euros plus annual fees. That's it.


AS215125 went through that door. So did its 192.42.116.0/24 allocation. So did the bandwidth contract. And every layer of that stack now sits behind the social and legal taboo of touching a registered religious entity.


That is the trick.



The inversion


Patrick's instinct cuts straight to the point.


If a Dutch privacy collective can run 58 Tor relays under religious cover, so can a state-sponsored intelligence service. So can a ransomware gang's laundering arm. So can a private-sector deanonymization shop that needs a fleet of "innocent" exits to correlate traffic against. RIPE will not ask. The hosting provider will not ask. The civil society response to "they're harassing this religious organization" is reflexive defense, regardless of what the religion actually is.


This is the trust-lifecycle pattern we keep flagging across reputation systems. Trust → proving → proven → compromise. Silk Road, Mt. Gox, FTX, ransomware brands, social platforms — every reputation-based system gets hollowed eventually. Religious-incorporated ASNs are now another row in that table, and they are particularly nasty because the social cost of investigating them is asymmetric.


The Church of Cyberology might be exactly what its operators say it is. We have no evidence to the contrary. That is not the threat. The threat is the pattern itself, which is now publicly proven viable, and which has no upstream gating mechanism to filter sincere operators from cover ones.



Why we've been laughing at this for months


The archive holds sixteen "Church of Docker Moreskin" posts. We registered churchofdockermoreskin.com as a satirical religious-IT cover and stood up a honeypot under it. Forty-two countries hit it inside the first month. A satirical fake religion gets the same passive trust as a real one — that was the joke, and that was the data.


Cyberology proves the joke was load-bearing. Anyone with mid-five-figures and patience can do this. The reason there are not already a dozen state-actor "churches" in the relay pool is that nobody has been asked to look yet — and the people who run the relay pool have no mechanism to ask. RIPE allocates. Hosting providers bill. Civil society defends. None of them check.



What defenders can do today


We are not crossing the CERT/Carnegie Mellon line. We do not de-anonymize Tor users, do not chase real identities behind operator clusters, and do not hand correlation data to law enforcement. What we do — and what every defender should do — is treat religious-incorporated AS as a first-class category in operator attribution, not as a trust shortcut.


  • Pivot on the AS, not the IP. 192.42.116.0/24 is the surface; AS215125 is the actor.

  • Track relay version uniformity, naming convention discipline, and /24 saturation as fingerprints. AS215125 hits all three. So would a hostile clone.

  • When a new "Church of [something]" ASN appears in the consensus, bookmark the day-one snapshot. The trust-lifecycle clock starts at registration.

  • Read every religious-incorporated operator at the 95% epistemic cap. They might be exactly what they say. Or they might not be. The data tells you, the name does not.


The receipt


AS215125 is in our archive. Its 500-fingerprint history is in our archive. The 192.42.116.0/24 cluster is in our archive. If a peer operator emerges next month with the same playbook and a different patron saint, our hourly Tor cron catches it inside an hour and our blog catches it inside a day.


That is what this platform is for. Not to compete with the actual privacy operators — they are doing important work and we admire them. To map the structural pattern, so that when the playbook gets borrowed by an adversary, the defender community does not have to learn it from scratch.


Patrick called it the moment I showed him the data. The Church of Docker Moreskin was always going to come true. It already did. And RIPE didn't ask if anyone was sincere.


— Patrick Duggan DugganUSA LLC, May 5, 2026




How do AI models see YOUR brand?

AIPM has audited 250+ domains. 15 seconds. Free while still in beta.


bottom of page