Nearly Right

Venezuela's internet routes showed anomalies before the helicopters arrived

Public routing data may carry traces of military cyber operations—and reveal an infrastructure built on trust that no longer exists

Fourteen hours before American helicopters descended on Nicolás Maduro's compound, Venezuela's internet traffic started behaving strangely. Eight blocks of IP addresses belonging to Dayco Telecom, a Caracas hosting provider, began routing through paths they had never taken. CANTV, the state telecom, appeared ten times consecutively in the routing chain—a pattern that should have made the route less attractive to traffic, not more. Reverse DNS lookups on the affected addresses returned names belonging to Venezuelan banks, internet providers, and email servers.

Graham Helton, an offensive security practitioner, spotted the anomalies in Cloudflare's public routing data. He publishes a weekly newsletter called Low Orbit Security Radar; this week's edition opened not with the usual industry news but with raw BGP dumps and AS path analysis. The timing, he noted, was "very interesting."

Hours later, General Dan Caine confirmed what many suspected. US Cyber Command and Space Command had provided "effects" to create a pathway for the extraction force. The lights of Caracas, Trump said, "were largely turned off due to a certain expertise that we have."

Whether the routing anomalies Helton documented were part of that expertise, or mere coincidence, cannot be established from public data alone. But the episode illuminates something larger: the infrastructure carrying the world's communications was designed for a network of collaborating universities. It now carries military operations, financial systems, and state secrets—and still runs on trust.

The postal system that trusts every letter

The Border Gateway Protocol is how the internet finds its way. When data travels from London to São Paulo, it passes through dozens of autonomous systems—telecoms, internet providers, corporate networks—each telling its neighbours which destinations it can reach. BGP is the language of these conversations. It is also, by design, credulous.

When CANTV announces it can reach certain IP addresses, its neighbours believe it. They update their routing tables and pass the information along. No verification. No signatures. No proof that CANTV has any legitimate relationship with those addresses. Routers trust what they're told because in 1989, when the protocol emerged, the internet was a few hundred research institutions with no reason to lie to each other.

That world is gone. BGP remains. A system designed to connect collaborating academics now routes banking transactions, military communications, and critical infrastructure—still operating on the assumption that everyone tells the truth. The protocol is, as security researchers sometimes put it, the internet's original sin.

The doctrine made visible

Caine's briefing left no ambiguity. "As they approached Venezuelan shores, the United States began layering different effects provided by SPACECOM, CYBERCOM, and other members of the inter-agency to create a pathway." In military usage, "effects" means outcomes—achieved through whatever means work, kinetic or otherwise.

One hundred and fifty aircraft launched from twenty bases across the Western Hemisphere. F-22s, F-35s, B-2 bombers, drones. But before any of them reached Venezuelan airspace, something had already degraded the country's ability to see them coming. The cyber component was not an afterthought. It was the enabling condition.

This integration has been building for a decade. American military doctrine now treats cyberspace operations as inseparable from conventional warfare. A 2025 Booz Allen Hamilton analysis described the emergence of a "SOF-space-cyber triad"—special operations, space assets, and cyber capabilities working as a unified force. Venezuela appears to be what that doctrine looks like in practice.

What the data can and cannot prove

The anomalies Helton documented are real. Their meaning is contested.

AS prepending—listing a network multiple times in a routing path—is legitimate traffic engineering. Networks do it to steer traffic away from congested links. CANTV uses the technique routinely. The pattern Helton observed could reflect nothing more than a Venezuelan engineer adjusting capacity.

Route leaks, too, are common. The Internet Society counts roughly seven per day worldwide. CANTV propagating routes from Italy's Sparkle to Colombia's GlobeNet could simply be misconfiguration. Coincidence happens.
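The two signals just described, a prefix suddenly reached over a path it has never used and an AS repeated many times in a row, can be separated from routine traffic engineering by comparing a current table snapshot against a baseline. The script below is an added example (not the newsletter's tooling and not Cloudflare's): it parses records in the pipe-separated layout that `bgpdump -m` prints, collapses prepends so a repeated AS is not mistaken for a new path, and then flags both conditions. All records are constructed, using documentation prefixes and private-range ASNs as placeholders (65000 the observing peer, 65001 and 65010 transit providers, 65002 a state telecom, 65003 a hosting provider); none of them is the real ASN of any network named in the article.

```python
"""Baseline-versus-current AS path comparison over bgpdump-style records.

Added example.  The records are constructed in the pipe-separated layout
of `bgpdump -m` (type|timestamp|B|peer_ip|peer_as|prefix|as_path|origin...)
with documentation prefixes and private ASNs as placeholders.
"""
from collections import defaultdict
from itertools import groupby

# Constructed baseline: how the two prefixes were normally reached.
BASELINE = """\
TABLE_DUMP2|1700000000|B|192.0.2.1|65000|203.0.113.0/24|65000 65001 65002 65003|IGP
TABLE_DUMP2|1700000000|B|192.0.2.1|65000|198.51.100.0/24|65000 65001 65002 65002 65003|IGP
"""

# Constructed later snapshot: the first prefix now enters via a different
# transit AS (65010) and carries the state telecom (65002) ten times in a row.
CURRENT = """\
TABLE_DUMP2|1700050400|B|192.0.2.1|65000|203.0.113.0/24|65000 65010 65002 65002 65002 65002 65002 65002 65002 65002 65002 65002 65003|IGP
TABLE_DUMP2|1700050400|B|192.0.2.1|65000|198.51.100.0/24|65000 65001 65002 65002 65003|IGP
"""

PREPEND_ALERT = 5  # a run this long is beyond ordinary traffic engineering


def parse_bgpdump_line(line):
    """Return {'prefix', 'as_path'} for one `bgpdump -m` record, else None."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 7 or fields[0] != "TABLE_DUMP2":
        return None
    # AS_SET tokens look like {65001,65002}; they are rare and skipped here.
    path = [int(tok) for tok in fields[6].split() if not tok.startswith("{")]
    return {"prefix": fields[5], "as_path": path}


def collapse_prepends(as_path):
    """Collapse repeated ASNs so a prepend cannot masquerade as a new path.

    Returns (collapsed tuple, [(asn, run_length), ...]).
    """
    runs = [(asn, len(list(group))) for asn, group in groupby(as_path)]
    return tuple(asn for asn, _ in runs), runs


def load_routes(text):
    """Map each prefix to the set of collapsed AS paths seen for it."""
    routes = defaultdict(set)
    for line in text.splitlines():
        rec = parse_bgpdump_line(line)
        if rec:
            routes[rec["prefix"]].add(collapse_prepends(rec["as_path"])[0])
    return routes


def find_anomalies(baseline_text, current_text, prepend_alert=PREPEND_ALERT):
    """Flag prefixes whose collapsed path is new or whose prepend run is long."""
    baseline = load_routes(baseline_text)
    findings = []
    for line in current_text.splitlines():
        rec = parse_bgpdump_line(line)
        if not rec:
            continue
        collapsed, runs = collapse_prepends(rec["as_path"])
        reasons = []
        if collapsed not in baseline.get(rec["prefix"], set()):
            reasons.append("new_path")
        reasons += [f"prepend:{asn}x{n}" for asn, n in runs if n >= prepend_alert]
        if reasons:
            findings.append({"prefix": rec["prefix"], "path": collapsed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(BASELINE, CURRENT):
        print(f["prefix"], " ".join(map(str, f["path"])), ", ".join(f["reasons"]))
```

Run against the constructed data, only the first prefix is reported: its collapsed path is new and AS 65002 appears ten times. The second prefix keeps a short prepend it already had in the baseline, so it stays quiet. As the article says, a hit is a pattern worth investigating, not proof of intent; a baseline built from many days of RIPE archives rather than one snapshot keeps the new-path check from firing on normal churn.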

And yet. The affected infrastructure—banks, telecoms, email—is precisely what a sophisticated actor would want to monitor before a military operation. Sparkle, the Italian provider in the anomalous path, does not implement RPKI filtering, a security feature that would reject suspicious announcements. If you were designing an intelligence collection operation, you would choose exactly this kind of weak link.

The public data cannot resolve which explanation is correct. What it does establish is that civilian observers—a security researcher with open-source tools and a newsletter—can now track these patterns in near-real-time. That fact matters regardless of what happened in Caracas.

The fix that exists but doesn't

A solution to BGP's credulity has existed since 2012. Resource Public Key Infrastructure, or RPKI, lets network operators cryptographically sign their route announcements. Other networks can then verify signatures before accepting routes, rejecting anything that fails. It works. Networks that implement RPKI rarely get hijacked.

The problem is that half the internet hasn't bothered. Cloudflare's measurements show about 50% of global routes covered, with Europe at 70% and North America lagging well behind. Some of the world's largest transit providers still accept whatever they're told.

The White House recognised this as a national security gap. In September 2024, the Office of the National Cyber Director released a roadmap urging faster adoption, noting that route hijacks "can expose personal information; enable theft, extortion, and state-level espionage; disrupt security-critical transactions; and disrupt critical infrastructure operations." The obstacles, the roadmap acknowledged, include cost, ignorance among decision-makers, and a collective action problem: each operator bears the expense of implementation while the benefits flow to the system as a whole.

Making matters worse, researchers at Germany's ATHENE cybersecurity centre found in late 2024 that 56% of deployed RPKI validators were vulnerable to known attacks. Many run in "fail-open test mode," propagating invalid routes even when validation fails. The fix for BGP insecurity has its own security problems.
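What RPKI actually signs is a Route Origin Authorization (ROA): a statement that a given AS may originate a prefix, down to some maximum length. A router compares each announcement against the ROAs and classifies it Valid, Invalid or NotFound (RFC 6811); whether an Invalid route is then dropped is a separate policy decision, and that is exactly where the "fail-open" validators go wrong. The following is an added example, not code from ATHENE, Cloudflare or any router vendor; the ROAs and routes are constructed with documentation prefixes and private ASNs.

```python
"""Route Origin Validation (RFC 6811) against a small ROA set, plus the
policy difference between a fail-closed and a fail-open validator.

Added example; ROAs and routes are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: asn may originate prefix up to max_length."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROAs: placeholder AS 65003 holds both blocks; the second ROA
# permits announcements no more specific than /24.
ROAS = [
    ROA("203.0.113.0/24", 24, 65003),
    ROA("198.51.100.0/22", 24, 65003),
]


def validate_origin(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2."""
    route = ipaddress.ip_network(prefix)
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == route.version
        and route.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "notfound"  # no ROA covers this space: unsigned, not wrong
    for r in covering:
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or too specific


def accept_route(state, fail_open):
    """Decide whether a router installs a route given its ROV state.

    'notfound' is accepted in both modes because most address space is
    still unsigned.  'invalid' is the decisive case: a fail-closed
    validator drops it, a fail-open one propagates it anyway.
    """
    if state in ("valid", "notfound"):
        return True
    return fail_open


def main():
    routes = [
        ("203.0.113.0/24", 65003),   # legitimate origin
        ("203.0.113.0/24", 65010),   # same prefix announced by another AS
        ("198.51.100.0/25", 65003),  # right AS, but more specific than allowed
        ("192.0.2.0/24", 65003),     # no ROA at all
    ]
    for prefix, asn in routes:
        state = validate_origin(prefix, asn, ROAS)
        print(f"{prefix} from AS{asn}: {state:8} "
              f"fail-closed={accept_route(state, False)} "
              f"fail-open={accept_route(state, True)}")


if __name__ == "__main__":
    main()
```

The second and third routes are the ones origin validation exists to stop: a foreign AS announcing a covered prefix, and a more-specific announcement that would win on longest-prefix match. With `fail_open=True` both are installed regardless, which is why a validator left in test mode gives no more protection than no validator at all. Note also what this check does not cover: the AS path itself is unsigned, so a prepend or a leaked path with a correct origin AS still validates.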

The last trusted system

Modern security architecture has abandoned the idea of implicit trust. The Department of Defense now mandates "zero trust" across its networks—a model built on the assumption that breaches are inevitable and verification must be continuous. Never trust, always verify. The NSA's guidance is blunt: assume every element, node, and service is potentially compromised.

BGP is the glaring exception. Every other layer of internet security has moved toward cryptographic verification. HTTPS encrypts web traffic. DNSSEC signs domain lookups. Email authentication protocols verify senders. But routing—the mechanism that determines where data actually goes—still runs on neighbourly trust.

This creates asymmetric opportunity. In 2020, Russia's state telecom Rostelecom briefly routed traffic destined for major cloud providers through its own networks. Whether accident or design, the incident demonstrated that exploitation is not hypothetical. States with the capability and will to manipulate routing can do so. Defenders, meanwhile, struggle with coordination problems and implementation costs that make collective action difficult.

BGP is the internet's soft underbelly, and everyone who matters knows it.

The dependency trap

CANTV is state-owned. Venezuela controls its domestic telecom. But its connectivity to the global internet runs through transit providers in other countries, using protocols Venezuelan engineers did not design and cannot unilaterally secure. Sovereignty over wires does not mean sovereignty over routing.

States in similar positions face unpleasant choices. They can invest heavily in RPKI and routing security, but this requires sustained technical capacity and cooperation from international partners with different priorities. They can isolate critical systems from the global internet, accepting economic and informational costs. They can align with alternative technology providers—China promotes its own approach to internet governance—trading one dependency for another.

None of these options addresses the underlying problem: an infrastructure designed for cooperation among trusted parties cannot easily serve an environment of state competition. The trust assumptions encoded in BGP emerged from a specific historical moment. That moment ended decades ago. The protocol endures.

Watching the watchers

The most striking aspect of Helton's analysis may be that he could do it at all. Cloudflare publishes routing anomaly data through its Radar service. RIPE NCC maintains archives of BGP announcements that anyone can download. The tools—bgpdump, WHOIS lookups, AS path analysis—are freely available.

A decade ago, this kind of work required institutional access to specialised monitoring infrastructure. Today, a security researcher with a laptop can document routing anomalies within hours of their occurrence. The barrier to observation has collapsed.

For intelligence agencies, this represents a constraint. Operations that touch routing infrastructure leave traces in public datasets. They cannot be assumed invisible. For civil society, it offers a tool—not one that can prove intent or assign responsibility, but one that can identify patterns worth investigating.

The deeper question raised by Venezuela's routing anomalies is not whether they were deliberate. That may never be established. The question is structural. Global communications depend on infrastructure designed for institutional trust. That trust has evaporated. Implementation of fixes lags years behind understanding. The gap between vulnerability and remedy creates opportunities, and capable actors will continue exploiting them.

The helicopters have left Caracas. The routing tables have stabilised. The underlying architecture remains unchanged—still trusting, still vulnerable, still waiting for the next operation to leave its trace in the data.

#cybersecurity