Cops seize criminal VPN used by ransomware gangs

The DoubleVPN virtual private network (VPN) service has been forced offline and servers seized in a coordinated law enforcement operation against the service, which is accused of providing a safe haven for malicious actors, including ransomware crews, to attack their victims.

In an operation with echoes of recent stings against Encrochat, an encrypted telecoms network that is currently the subject of legal action in multiple jurisdictions, the coordinated takedown was let by the Dutch National Police with international action overseen by Europol and Eurojust under the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

Other agencies involved in the operation, which has been eight months in the planning, include law enforcement bodies from Bulgaria, Canada, Germany, Italy, Sweden, Switzerland and the US, as well as the UK’s National Crime Agency (NCA).

“This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cyber crime operations,” said Dutch public prosecutor Wieteke Koorn.

“By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kind of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies, therefore their behaviour has to be stopped.”

Edvardas Šileris, head of Europol’s EC3, added: “Law enforcement is most effective when working together and today’s announcement sends a strong message to the criminals using such services: the golden age of criminal VPNs is over. Together with our international partners, we are committed to getting this message across loud and clear.”

The operators of DoubleVPN had allegedly heavily advertised their service on Russian and English-language dark web forums as a useful means to hide the location and identity of ransomware gangs and phishing scammers. They claimed to provide high-levels of anonymity via single, double, tripe and sometimes quadruple VPN connections to its client servers. Its cheapest connection is understood to have cost as little as £19. At the time of writing, its web domains have been replaced with relevant law enforcement splash pages.

John Denley, deputy director of the NCA’s National Cyber Crime Unit, which took the UK node of the DoubleVPN network offline on 29 June, described the operation as significant as it was the first time law enforcement had been able to take direct action against a crime-enabling service of this nature.

 “Double VPN was a multi-layered virtual private network service run by cyber criminals, to enable fellow cyber criminals to mask their identities online. It allowed them to anonymously communicate, identify victims then effectively sneak in and conduct reconnaissance on their systems as a precursor to launching a cyber attack,” he said.

Denley added that the NCA had established the identities of several UK-based victims whose networks were unlawfully accessed by DoubleVPN, all of which have been notified and are receiving support if needed.

“We know that criminal services such as DoubleVPN are used by the organised crime groups behind some of the world’s most prominent ransomware strains, which have been used to steal data from and extort victims,” he said.

“Ransomware attacks have evolved and increased in severity over recent years, with government and national infrastructure being targeted. The NCA is working closely with partners to bolster our capability to respond to this national security threat and strengthen the UK’s response to cyber crime.”