DoubleVPN Servers, Logs, and Account Info Seized By Law Enforcement

Law enforcement has seized the servers and customer logs for DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities. BleepingComputer reports: DoubleVPN is a Russian-based VPN service that double-encrypts data sent through their service. When using the service, requests are encrypted and transmitted to one VPN server, which sends it to another VPN server, which finally connects to the final destination. The doublevpn.com [archive.org] website was seized today by law enforcement, who stated that they gained access to the servers for DoubleVPN and took personal information, logs, and statistics for the service's customers.

"On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised," says the now-seized doublevpn.com website. "International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue." Europol has confirmed to BleepingComputer that the seizure message is legitimate and that they will be providing more information about the operation tomorrow.

I bet that...

[denelson83]

Regional copyright enforcement was the prime motivation for this seizure.

Re: I bet that...

[bug_hunter]

You're out of line... but you're right.

> While no further information is available at this time, the splash screen states that the operation was conducted by Germany's BKA, Netherland's Politie, the FBI, the UK National Crime Agency, the United States Secret Service, the Royal Canadian Mounted Police, Eurojust, Switzerland's Polizia Cantonale, Europol, Bulgaria's GDBOP, and the Swedish National Police.

Indeed, that looks like it's more serious than copyright infringement enforcement, but we can always wait for tomorrow when details of the operation will be revealed.

Re: I bet that...

[phalse phace]

With all those organizations in the operation, maybe they're going after the ransomware gangs.

Re:

[m1970]

The Dutch Police doesn’t give a shit about copyright. But disrupting criminal communications is an other matter.

Re:

[Applehu Akbar]

All those foreign police organizations can make a physical raid (to get "servers, logs and account info") on a Russian site? What I find more believable is that they swiped the orgnization's DNS entries so they could replace its website front page with the aforementioned seizure notice.

Re:

[sg_oneill]

Depends on what the claimed crime is (As well as hosting location).

We might not always trust the Russians, but we can trust that they take their commercial reputation personally. They don't give a shit about copyright, internationally its small biscuits. But criminal gangs indiscriminating hitting everyone (including russians), that might not be something they want to be associated with.

Plus if the servers not in Russia, I'd doubt they have much say in the matter.

Re:

[Impy the Impiuos Imp]

European laws requiring servers in the local country, what could possibly go wrong?

Also, logs.

Anyway, would be nice if they were going after ransomeware peeple.

Re:

[xlsior]

Depends on what the claimed crime is (As well as hosting location).

We might not always trust the Russians, but we can trust that they take their commercial reputation personally. They don't give a shit about copyright, internationally its small biscuits. But criminal gangs indiscriminating hitting everyone (including russians), that might not be something they want to be associated with.

Plus if the servers not in Russia, I'd doubt they have much say in the matter.

FWIW, supposedly some of the Russian crypto malware has been trying to stay below the radar of Russia's own law enforcement agencies by not initiating malicious activity on computers that have a Russian or Ukrainian keyboard layout installed. In general the Russian authorities aren't losing all that much sleep over it as long as it is just other countries losing time & money.

Re:

[Bu11etmagnet]

> the Royal Canadian Mounted Police

Now I have this image stuck in my mind: a Mountie on horseback, carrying a server under his/her arm.

(I know they only use horses on ceremonial occasions)

Re:

[Mystic102]

Who says they only mount horses?

Re: I bet that...

[Goatbot]

I believe the mount w hores too!

Re:

[Opportunist]

the Royal Canadian Mounted Police

Well fuck. Without them, you had a chance.

The LAST thing you do with a drive you just seized is to mount it!

Next time, send the unmounted police. Way better at forensics.

Re:

[TheGratefulNet]

you need to call the right agency.

the royal COWs are more trustable. copy on write, you hoser!

Re:

[LenKagetsu]

more serious than copyright infringement enforcement

Holy shit they raided adfly.

Re:

[thegarbz]

I do find it hilarious that these crimes are the function of a federal specialist bureaus in every country other than the Netherlands where cybercrime is the jurisdiction of the police instead of the BVD or AIVD which would be the equivalent of the FBI / CIA.

VPN logs?

[NFN_NLN]

I thought reputable VPNs advertised they didn't keep logs?

Re:

[Anonymous Coward]

Yeah, the better ones do - to such as extent they claim that even they themselves can't determine what traffic is being run by any given customer - however they still need to keep billing info and such, so that even though they don't know what your doing and can't tell law enforcement either as no such data is kept, law enforcement can at least see you were a customer (unless a VPN outlet has a 'kill switch' that wipes all such data in the event of a raid, but no idea if that is a thing).

Re:

[Anonymous Coward]

No VPN service can accurately say they don't keep logs. Even if they don't normally keep logs, if at some point law enforcement tells them to keep logs then they will be forced to start keeping logs.

There is no VPN on Earth not subject to these rules.

Re:

[NFN_NLN]

> There is no VPN on Earth not subject to these rules.

Is this some sort of low key flex that Starlink is going to be offering traceless VPN services not subject to any earth laws?

Re: VPN logs?

[Goatbot]

If I can access the process on the box I can make my own log files. Data is generated, how long that data is kept is another story, however it is trivial to redirect as well as increase or decrease verbosity of log data. Unless you surgically remove it from the source which is not trivial.

Re:

[Yurka]

Guess which word in that sentence doesn't belong there.
Hint: it's a Russian site we're talking about.

Re:

[bill_mcgonigle]

You need to look for reputable third-party auditors and payment via onion hidden services with ZCash/Monero payments. Anything else is tracking you.

Re:

[haus]

They might not keep logs, but once someone takes over their environment that group can start logging whatever they would like.

Re:

[gweihir]

Everybody keeps logs. You need it for problem management. The interesting question is whether they have any user information in these logs. That is _not_ needed. IP addresses are also pretty much optional unless somebody starts to DoS you.

Will be interesting if anything comes from this. Because while logging user activity is not needed, it makes things easier and cheaper to run. Hence a dishonest VPN provider may well keep all of that information.

Re:VPN logs?

[tlhIngan]

I thought reputable VPNs advertised they didn't keep logs?

EVERY VPN LOGS. They have to as part of regular business operations, or they'd go out of business.

Take a look at any VPN service out there right now, and they all have a connection limit. Usually 1 smartphone, 1 tablet and maybe a couple of PCs. Or some combination thereof.

Without a log, there's no way that can be enforced.

So when you log into the service, the log entry is created. When you try to log in again, the log entry shows you're already connected and fails to connect you again. The only way to clear that log entry is to disconnect, at which point there no longer exists any log of your activity.

This means you really shouldn't be connecting and staying connected - you really should be disconnecting periodically - at least once a day to delete the log entry and effectively erase your presence.

At the same time, you should also choose busy VPN servers if you have a choice - being the only person on a VPN server is very identifying. And US based VPN services support a so-called "real time DMCA" which effectively is a DMCA notice sent in real time. If you're the only person on a VPN server and can be positively identified, you get the notice. If you're sharing the server with someone else, it no longer applies because it's impossible to tell who that notice is for. Likewise, decline any "port forwarding" or "port mapping" or "static" services your VPN provider might have. Sure it makes your torrents faster if you are reachable, but those things are a dead giveaway to identifying you.

Of course, most people don't really know and just believe a VPN makes you invisible.

Re:

[Anonymous Coward]

There's a difference between an integer against your username (how many connections you have currently active) and a proper, bona-fide log that lists the times you last were connected, disconnected, and possibly the DNS names you looked up, the IPs you connected to, how many bytes you transferred, etc.

One's a log - the kind that some providers say they don't keep. The other is just user meta data - which yes, likely all VPN providers keep.

Re:

[thegarbz]

Without a log, there's no way that can be enforced.

There's a difference between storing a log and monitoring a state. You absolutely can track who is currently logged in from which device without every committing that data to disk.

Re:

[Malifescent]

I'd assume the logs are encrypted if this were a reputable, privacy focused VPN company, but we'll see.

commonly used by threat actors to evade detection

[oldgraybeard]

So anyone encrypting anything.

Double ROT13

[arosenfield]

I encrypt all of my traffic with double ROT13. It's indecipherable!

Re:

[CaptQuark]

That joke was funny back in the 80s. Almost as well known as "There's no place like 127.0.0.1"

Re:

[NFN_NLN]

> That joke was funny back in the 80s.

There's 10 types of people.

Those that find double ROT13 jokes funny and 10 other types of people.

Re: Double ROT13

[Anonymouse Cowtard]

If it's too cold: logon If it's too hot: logoff If it's still too hot: put out the fire

Re:

[Impy the Impiuos Imp]

That's 11 types of people.

Re: Double ROT13

[MrNaz]

Think harder.
Nobody finds double ROT13 funny.

Re:

[bustinbrains]

127 is a class A assignment (127.0.0.0/8). So the "no place like 127.0.0.1" joke actually has about 16.7 million variants like "There's no place like 127.80.0.85"

That's a lot of boobs!

Re:

[jmccue]

Amateur, I use "caesar 26", it is twice as secure because 26 is double 13.

Re:

[Beryllium Sphere(tm)]

I use the full 16 rounds in case a workload reduction attack is discovered on reduced-round variants.

Safe havens

[Anonymous Coward]

Common practice for some VPN outfits is to run their operations out of a country (think tropical island nations) that has more lenient laws on the books where cyber security is concerned - and in the event that said country calls upon the VPN company to release IP information they can just say they don't have it as they don't collect such information.

Is double encryption really better?

[Tony Isaac]

Statistically speaking, is the randomization better from double-encryption actually improved over single-encryption? Triple-DES, with it's three-time encryption, is far less secure than today's RSA encryption. It seems like a gimmick to me.

Re:

[Rockoon]

Compare like for like, like a god damned reasonable person, ok?

DES vs Triple-DES
AES vs Triple-AES
etc...

Now you can answer your own fucking question.

Re:

[Tony Isaac]

Of course you need to compare apples to apples. But you didn't answer the question: Is double or triple encryption actually more secure than single-encryption (of the same type)? Or does it just *feel* more secure?

Re:

[sonofusion82]

triple DES was mainly meant to increase key size, the increased security come mainly from much larger keyspace compared to the original 56-bit, not so much from encrypt/decrypt 3 times.

Re:

[Tony Isaac]

Thank you, I had always assumed that the same 64-bit key was used each time, but your post prompted me to look up more info.

Re:

[BadDreamer]

That's not what double encryption means in this context.

How it works:

content -> VPN 1 -> VPN 2 -> destination

At the end of that chain, it is non-trivial to find the entry point. A lot of people used to set that up by hand, which is hard to do while ensuring anonymity. Having it done by a third party makes it much harder to backtrace. Except if one has the logs, that is.

Re:

[Canberra1]

Design is Critical. VPN1 server should be in room one, VPN Server2 should be in room 2 behind room 1, and usage logs in Room3 , preferably in a firepit. The doors are very strong. Bonus points for wire rope triggered locking pins - like on safes. Every operation has a panic button. Every door has a timer delay, and an unattended alarm. Every server has a thermite blob over the disk drives or SSD's. Offsite backups are encrypted strongly. Buss bars interconnect panic switch and forced entry switches. There

Re:

[oblom]

Are you feeling OK?

Re:

[bd580slashdot]

Nice comment. Ignore your critics. Physical OpSec.

Re:

[AcidFnTonic]

Reminds me of my interest in creating safes that cannot be cracked without destroying the contents.

Props to you.

Re:

[Tony Isaac]

I understand how VPNs work, and your diagram is accurate. But it has nothing to do with encryption or double-encryption.

Re:

[Longblue]

Poorly phrased name.
The security coming from 'double', according to the article, is really about having an extra hop:
User-> VN1 node 1 -> VPN node 2 -> destination

That's one more problem for an observer to figure out vs
User -> VPN node -> destination

It might seem like you can just draw a line around the VPN nodes and call it one "thing" you are watching traffic in and out of, but it's a much harder problem for observers (bad actors if the user is a good guy or the police if the us

Re:

[Tony Isaac]

I would call that double VPN, not double encryption.

Trust

[Tony Isaac]

In the end, if you use one of these systems, you have to decide how much you trust them. Do they really keep no logs? Do they really keep all traffic encrypted?

How trustworthy is an organization that caters to criminal enterprise? After all, the whole point of criminal organizations is to lie, cheat, and steal for financial gain. Why would they not lie and cheat their own criminal customers?

Re:

[Tony Isaac]

Not all VPN providers are criminal organizations, and not all uses of VPNs are crime-related. The one in this story, however, was in fact catering to criminals.

Re:

[Opportunist]

When using a VPN, what you do is to replace the ISP as the single point of logging with the VPN. That's all. That's all the "privacy" they afford you.

Re:

[Tony Isaac]

That's what they SAY they do. My point is not about the technology, but about whether it's possible to trust that the provider is actually doing what they say they are doing.

Re:

[SethJohnson]

Why would they not lie and cheat their own criminal customers?

You do not want to duckduckgo search 'Mexican gang face peeling'.

Awesome

[EtsSpets]

I love it when law enforcement agencies end businesses while their own governments legitimate spy organizatons keep forcing their back doors into everything and well, just spying on whomever they want. And everybody that gets into the way gets squashed.

Log-files?

[nospam007]

What log-files? VPNs are famous for not recording those.

How'd they seize Russian servers?

[sabbede]

Double VPN is based in Russia, but it doesn't look like there was anyone involved who could seize servers in Russia. So, even if they got a bunch of the 2nd step servers, wouldn't the important stuff still physically be in Russia?

Re:

[Longblue]

We can't tell from the information we have.

The business end of the service being based in Russia (or even a primary technical facility) doesn't tell us what information is stored and where it's kept.

Further, we don't know the actual goals of the police involved. As was said, you don't necessarily need to raid a particular physical location to:
1. shut down the service (maybe they got to the dns people for it, or shut down enough nodes to effectively if not literally kill the network)
2. seize some e

Re:

[sabbede]

Since this is implied to be part of an effort to deal with Russian hackers, and assuming DoubleVPN wasn't incredibly sloppy, it seems to me like this would inconvenience them but not help identify them.

But maybe instead of being sloppy, DoubleVPN thought they were being clever. Instead of keeping data on Russians in Russia, they kept it in Germany, and vice versa. That would keep data about German users from being accessible to German law enforcement, which would be a great selling point up to the point