DoubleVPN was taken down yesterday by a consortium of law enforcement agencies led by the Dutch National Police (Politie). The operation, coordinated by Europol among international partners across Europe, the US and Canada, seized the web domains and server infrastructure that DoubleVPN relied upon.
The service was marketed on both English and Russian speaking cybercrime forums. It offered users a way to mask their identities and their locations, making it harder for cybersecurity teams to block the attackers and prevent attacks.
The leading Dutch Public Prosecutor, Ms Wieteke Koorn, stated: “This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cybercrime operations.
“By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kinds of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies; therefore their behaviour has to be stopped.”
How did DoubleVPN work?
DoubleVPN worked much like the VPNs most people use to protect their Internet connections when working remotely. Users logged into the service, which routed their traffic over an encrypted link to another location, where it re-emerged onto the Internet. To an observer, that last location appears to be where the traffic is coming from. The more you paid, the more hops you could chain. This made users anonymous and evaded several different detection techniques.
Chaining hops in this way also makes it increasingly difficult for cybersecurity teams to say where attacks are coming from. Attackers in North Korea could make it look like they were in Russia, and attackers in China could appear to be in the US. It is one reason why many of the statistics that show where attacks originate are confusing and inaccurate.
But there is a catch here. A good VPN service does not log its users. It does not record account details and tie them to the date, time and IP address from which the service was used, nor does it record where that user’s traffic was then routed.
It seems DoubleVPN was not a good service in that respect. According to the takedown notice, personal information, logs and statistics were seized along with the infrastructure. That data will not only help identify cybercriminals; it has also already identified a number of their victims.
Enterprise Times: What does this mean?
Yet again, coordinated action, this time by 11 different agencies across Europe, the US and Canada, has seen a major cybercrime threat taken down. More importantly, that takedown is not just denying the criminals a conduit to attack victims. It is yielding key intelligence about the criminals themselves. This really does count as a significant win in the war on cybercrime.
However, it is not a time to get carried away. While a lot of intelligence and infrastructure has been seized, there has been no announcement of any arrests. The initial goal here seems to have been disruption and intelligence gathering. It will take time to see how many arrests, if any, are made and on what charges.