NDSS2026
Understanding the Stealthy BGP Hijacking Risk in the ROV Era
Yihao Chen, Qi Li, Ke Xu, Zhuotao Liu, Jianping Wu
Abstract

The partial deployment of Route Origin Validation (ROV) poses an unexpected security threat known as stealthy BGP hijacking, i.e., a particularly elusive form of BGP hijacking where malicious routes divert traffic without reaching (and thus alerting) the victims. This risk remains largely unexplored, with neither documented real-world incidents nor systematic characterization available. To bridge this gap, we formalize stealthy BGP hijacking and propose heuristics to discover potential instances through routing table discrepancies. We conduct the first empirical study to track and profile stealthy BGP hijacking in the wild, contributing a curated real-world incident dataset and a long-term monitoring service. Inspired by the empirical insights, we further conduct an analytical study to exhaustively assess the risk. This requires accurate ROV deployment data, complete Internet-wide routes, and tailored analytical models. To address these challenges, we develop SHAMAN, a BGP route inference framework dedicated to assessing stealthy BGP hijacking risk. SHAMAN consolidates multiple sources to construct an accurate view of ROV deployment, infers complete Internet-wide routes through a highly efficient matrix-based approach, and facilitates statistical risk analysis via a "victim-target-hijacker" 3-tuple model.

By reducing the time for generating Internet-scale routes from over three months to just 5.22 hours, SHAMAN enables systematic risk assessment across 8.3 billion generated routes under real-world ROV deployment. Our findings reveal a 14.1% overall success probability for stealthy BGP hijacking, with targeted attacks reaching 99.5% success in specific cases. Validation against our real-world dataset shows up to 95.9% incident-level accuracy, demonstrating the fidelity of our analytical results.

covered 57.1% of globally routable IPv4 prefixes [8], yet the deployment of ROV is relatively limited, with only hundreds to thousands of ASes identified as ROV-enabled [9]-[11]. Presumably, ROV will remain in partial deployment for a relatively long time, which, in addition to offering incomplete protection, results in an unexpected security threat, i.e., highly stealthy BGP hijacking that is effectively invisible to the victim on the control plane. This new threat, which we refer to as ROV-related stealthy BGP hijacking, or for short, stealthy hijacking, occurs when an AS, despite being nominally protected by ROV-enabled ASes from receiving malicious routes, has its traffic silently diverted to a hijacker through legacy ASes along the data plane path. It is particularly insidious because the affected AS remains unaware of malicious routes throughout the hijacking, rendering common control-plane based protections ineffective in practice. This highlights the unexpected downside of partial ROV deployment, yet the issue remains largely unexplored. No real-world stealthy hijacking incidents have been documented, and a systematic investigation into its prevalence and impacts is still missing. A recent study [12] takes a pioneering step towards mitigating stealthy hijacking via proactive rerouting and blackholing. Yet, its mitigation-oriented focus provides limited real-world evidence or heuristics for tracking and profiling the threat (see further discussions in §IX). To bridge this gap, we seek insights from real-world observations. However, the lack of an established definition of stealthy hijacking makes it difficult to identify the threat. To this end, we formalize stealthy BGP hijacking and derive heuristics to discover hijacking instances based on routing table discrepancies observed across vantage points. Our rationale is to determine whether any AS along a legitimate route can forward traffic to a potential hijacker.

Using routing tables from RouteViews vantage points, we conduct the first empirical study to track and profile stealthy hijacking in the wild (§IV). We capture 1,393 potential incidents over a two-month window in 2025, and analyze their impacts and causes extensively. We further validate these observations against a broad knowledge base including RPKI, IRR and WHOIS, which results in a curated dataset of 318 high-confidence incidents covering 2,178 routes. This dataset, along with our long-term monitoring service continuing to report real-world incidents, is
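The detection rationale stated above (check whether any AS along a legitimate route actually forwards toward a hijacker, using discrepancies between routing tables seen at different vantage points) can be illustrated with a small worked example. The code below is an added example written for this page; it is not SHAMAN or any code released by the authors. It assumes a simplified inference rule: since an AS uses a single best route per prefix, the suffix of any observed AS path starting at that AS is taken as the path that AS forwards along, and a route is called malicious when its origin is RPKI-invalid (RFC 6811 origin validation against a small ROA set). The routing tables, ROA and ASNs (RFC 5398 documentation ASNs, TEST-NET-3 prefix) are constructed for the example; in practice the routes would come from RouteViews or RIS RIB dumps and the ROAs from a validated RPKI cache.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    origin: int


@dataclass(frozen=True)
class Route:
    vantage_asn: int   # AS whose routing table this best route was observed in
    prefix: str
    as_path: tuple     # vantage AS first, origin AS last (prepending removed)


# Constructed sample data, not real routing tables.
SAMPLE_ROAS = [Roa("203.0.113.0/24", 24, 64500)]

SAMPLE_ROUTES = [
    # ROV-enabled vantage point: its table only holds the RPKI-valid route
    Route(64496, "203.0.113.0/24", (64496, 64497, 64498, 64500)),
    # Legacy AS 64498 sits on that path, but its own table prefers the invalid route
    Route(64498, "203.0.113.0/24", (64498, 64499, 64505)),
    # A vantage point whose legitimate path never touches a diverting AS
    Route(64501, "203.0.113.0/24", (64501, 64502, 64500)),
    # A vantage point that sees the bad route itself: a visible, not stealthy, hijack
    Route(64503, "203.0.113.0/24", (64503, 64499, 64505)),
]


def rpki_state(prefix: str, origin: int, roas) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "notfound"
    if any(r.origin == origin and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def find_stealthy_hijacks(routes, roas):
    """Return (prefix, victim_asn, diversion_asn, hijacker_asn) tuples.

    Heuristic (simplified assumption of this example): an AS forwards all
    traffic for a prefix along one best route, so if an AS appears on any
    observed RPKI-invalid path, the suffix of that path is what the AS really
    uses. A vantage point whose table holds only a valid route is nonetheless
    hijacked if some AS on that route forwards toward the invalid origin.
    """
    findings = []
    for prefix in sorted({r.prefix for r in routes}):
        prefix_routes = [r for r in routes if r.prefix == prefix]
        # inferred forwarding suffix of every AS seen on an invalid path
        diverting = {}
        for r in prefix_routes:
            if rpki_state(prefix, r.as_path[-1], roas) == "invalid":
                for i, asn in enumerate(r.as_path):
                    diverting.setdefault(asn, r.as_path[i:])
        for r in prefix_routes:
            if rpki_state(prefix, r.as_path[-1], roas) != "valid":
                continue  # vantage point sees the bad route itself: visible hijack, skip
            # walk the legitimate path beyond the vantage point, stopping before the origin
            for asn in r.as_path[1:-1]:
                if asn in diverting:
                    findings.append((prefix, r.vantage_asn, asn, diverting[asn][-1]))
                    break  # the first diverting AS is where traffic leaves the path
    return findings


if __name__ == "__main__":
    for prefix, victim, where, hijacker in find_stealthy_hijacks(SAMPLE_ROUTES, SAMPLE_ROAS):
        print(f"{prefix}: AS{victim} holds a valid route, but AS{where} on that route "
              f"forwards toward hijacker AS{hijacker}")
```

With the constructed tables, AS 64496 is flagged: its own routing table shows only the valid path through AS 64498, while the table observed at AS 64498 shows that AS preferring the invalid route, so the control plane at 64496 looks clean while its data-plane traffic is diverted. AS 64503 is not reported because it sees the invalid route directly, which is an ordinary, visible hijack. A real deployment would additionally need to handle routes observed at different times (an AS legitimately changing its best path between snapshots produces the same discrepancy), which is why the paper cross-checks candidates against RPKI, IRR and WHOIS before counting them as incidents.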