VPNLab.net Shuttered in Latest Spate of Global Takedowns

Europol and 10 nations seized servers and disconnected the anonymous network allegedly used by many cybercriminals in the latest effort to hobble cybercrime groups.

4 Min Read
VPNLab.net takedown notice
Takedown notice from VPNLab.netSource: Europol

The European Union's law enforcement agency, Europol, worked with investigators in 10 nations, including the United States and Canada, to take down a virtual private network (VPN) service allegedly used by cybercriminals to hide the origin of their intrusion attempts, the group said on Jan. 20.

Law enforcement agencies from a group of 10 nations — Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States, and the United Kingdom — worked with Europol to seize or disrupt 15 servers hosting the VPNLab.net VPN service. Starting in 2008, the service had offered encrypted communications to cybercriminals for as little as $60 a year, preventing law enforcement from tracking the source of attacks, Europol officials said in a statement. By analyzing the servers, authorities found that attacks were in progress against more than 100 businesses.

The takedown aims to cut off the number of ways that cybercriminals can hide their actions, Edvardas Šileris, the head of Europol’s European Cybercrime Centre, said in the statement.

"The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online," he said. "Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches."

The takedown is the latest law enforcement action against cybercriminals who have generally been able to avoid consequences for their actions. Earlier this week, Nigerian police and Interpol arrested nearly a dozen people in connection with a business e-mail compromise (BEC) fraud that had targeted tens of thousands of businesses worldwide. And, on Jan. 14, the Russian Federal Security Service (FSB) stated that it had detained or arrested 14 members of the REvil ransomware group and searched more than two dozen locations, seizing $6.8 million in cryptocurrency and various other currencies as well as a score of premium vehicles.

Law enforcement targeted VPNLab.net after cybercriminals started using the service to distribute malware, communicate during ransomware extortion campaigns, and for other illegal activities, Europol said in its statement. Europol helped bring the various nations' law enforcement agencies together under an analysis project, dubbed "CYBORG," involving 60 coordination meetings and three in-person workshops.

The in-depth collaboration is a positive sign, Neil Jones, a cybersecurity evangelist for content-security firm Egnyte, said in a statement sent to Dark Reading. "It is a breath of fresh air to see that international law enforcement is focusing their efforts on technology providers that offer cyber-attack-friendly environments and make it easy for ransomware-as-a-service (RaaS) providers to perpetrate potential attacks," he said. "In this particular case, dozens of companies may have thwarted cyberattacks."

While the takedown of the alleged VPN service for cybercriminals is important, the service can easily be replaced without too much technical know-how, says Karl Sigler, senior security research manager at Trustwave SpiderLabs. 

"Open VPN based services are certainly used by cybercriminals and are almost a dime a dozen," he says. "It seems like VPNLab was advertising its service specifically for cybercriminal use, especially with features like 'Double VPN.' However, Tor alone is often enough for criminals and can be layered with any VPN service to obtain that 'dual protection.'"

Cybercriminals often use Tor to anonymize their traffic, but recent reports that some threat actors run their own Tor nodes has led some cybercriminals to worry that large cyber operators — possibly nation-states — are polluting Tor to de-anonymize its users

Other attackers lease networks of proxy servers, often made up of compromised servers or Internet of Things devices, to hide the origin and content of their traffic. 

"The alarming progression in hacking has been the specialization and federation of duties of the hacking groups," Garret Grajek, CEO of cloud-based identity services firm YouAttest, said in a statement. "The specialization of duties aids in the ability of the overall attack and increases the likelihood of success, which is why enterprises need to double down on key concepts of security like zero trust and real-time identity governance."

Companies will have to wait and see if law enforcement agencies' efforts have a sustainable impact on cybercriminals and their tactics, techniques, and procedures (TTPs), Sigler says.

"I think that international cooperation is getting better, [and] I think it's essential for curbing cybercriminal activity, which typically respects no borders," he says. "It's a constant 'cat and mouse' game, though, so whether law enforcement cooperation can keep up with the new TTPs criminals adopt will be a critical component to whether this becomes a sustained law enforcement action or a game of 'whack-a-mole.'"

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights