DOUBLEVPN TAKEDOWN: Cyber criminals dealt bitter blow as 'fraud masking VPN service' seized


CYBER criminals across the globe have been dealt a bitter blow after law enforcement in the UK, Europe, USA and Canada seized a network they used to mask their location and identities. An international investigation involving the British National Crime Agency (NCA), the FBI and Eurojust has led to the takedown of DoubleVPN the service being used by ransomware operators and phishing fraudsters around the world to mask their location and identities online.

The activity, led by the Dutch National Police, saw the seizure of server infrastructure across the world, with NCA officers taking the UK node of the network offline yesterday (29/06/2021). The service claimed to provide a high level of anonymity by offering single, double, triple and even quadruple VPN-connections to its clients.Web domains were replaced with a law enforcement splash page explaining that the network has been seized and is no longer available for use.

DoubleVPN was advertised on both Russian and English-speaking cyber crime forums as a service which provided anonymity to those seeking to carry out cyber attacks.

Its cheapest virtual private network (VPN) connection cost as little as £19.

John Denley, Deputy Director of the NCA’s National Cyber Crime Unit, said:

“This operation is extremely significant. Not only have we successfully effected the takedown of DoubleVPN, but it is the first time law enforcement has been able to take direct action against a criminal enabling service of this type.

“Double VPN was a multi-layered virtual private network service run by cyber criminals, to enable fellow cyber criminals to mask their identities online.

“It allowed them to anonymously communicate, identify victims then effectively sneak in and conduct reconnaissance on their systems as a precursor to launching a cyber attack.

“Working with partners across Europe, the US and Canada, we have dismantled this network and therefore the service that cyber criminals so heavily relied on. This included taking servers offline which were hosted in the UK.

“NCA investigators were also able to identify a number of UK businesses whose networks had been unlawfully accessed by DoubleVPN. They were notified and officers helped them protect themselves against potential network intrusions.

“We know that criminal services such as DoubleVPN are used by the organised crime groups behind some of the world’s most prominent ransomware strains, which have been used to steal data from and extort victims.

“Ransomware attacks have evolved and increased in severity over recent years, with government and national infrastructure being targeted. The NCA is working closely with partners to bolster our capability to respond to this national security threat and strengthen the UK’s response to cyber crime.” Europol’s European Cybercrime Centre supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organised over 30 coordination meetings and four workshops to prepare for the final phase of the takedown, alongside providing analytical and crypto-tracing support. A virtual command post was set up by Europol on the action day to ensure seamless coordination between all the authorities involved in the takedown. Eurojust facilitated the judicial cross-border cooperation and coordination, to ensure an adequate response in order to take down the network. For this purpose, and since October last year, six dedicated coordination meetings took place, organised by Eurojust, and set up a coordination centre during the action day, during which the operation was rolled on the ground by the various national authorities involved. The leading Dutch Public Prosecutor Ms Wieteke Koorn said: "This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cybercrime operations. By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kind of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies, therefore their behaviour has to be stopped." The Head of Europol’s EC3, Edvardas Šileris, added: "Law enforcement is most effective when working together and today’s announcement sends a strong message to the criminals using such services: the golden age of criminal VPNs is over. Together with our international partners, we are committed to getting this message across loud and clear."