Although the range of IP-addresses belonging to the secret service are kept secret, it sometimes happens that all or just a part of it comes to the public.

• Mistakes made by employees unmask secret net-structures
  Employees of the German Intelligence Service (BND) have already unmasked themselves on our web sites due to the fact that their browser contained a referrer to internal BND-sites. Now, we just could have saved the corresponding IP-addresses (something we have not done as a matter of principle), and the range of BND-IP-addresses (or that of the Federal Crime Police Office (BKA) because its proxy was used in some cases) could have been analyzed step by step.
• Staying in contact in a hostile environment is dangerous
  If employees of a secret service want to contact computers in their head quarters, this communication can be intercepted. And if, furthermore, the contacted IP-address is known as one belonging to the secret service, the employee is unmasked.
• Proxy-services can be operated by your enemy
  Proxy- or VPN-services which are controlled centrally can be operated by an enemy of a secret service. It is quite conceivable that secret services are deploying such computers under false names in order to eavesdrop on the data traffic of employees belonging to other secret services and that feel themselves save using these proxies. This is quite a inexpensive opportunity of espionage. Probably, one can even earn some money setting up a commercial service which is faked using this proxy/vpn-service.