DoubleVPN Servers, Logs, and Account Info Seized By Law Enforcement (bleepingcomputer.com)
Law enforcement has seized the servers and customer logs for DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities. BleepingComputer reports: DoubleVPN is a Russian-based VPN service that double-encrypts data sent through their service. When using the service, requests are encrypted and transmitted to one VPN server, which forwards them to another VPN server, which finally connects to the final destination. The doublevpn.com [archive.org] website was seized today by law enforcement, who stated that they gained access to the servers for DoubleVPN and took personal information, logs, and statistics for the service's customers.
"On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised," says the now-seized doublevpn.com website. "International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue." Europol has confirmed to BleepingComputer that the seizure message is legitimate and that they will be providing more information about the operation tomorrow.
I bet that... (Score:4, Interesting)
Regional copyright enforcement was the prime motivation for this seizure.
Re: I bet that... (Score:5, Informative)
You're out of line... but you're right.
> While no further information is available at this time, the splash screen states that the operation was conducted by Germany's BKA, Netherland's Politie, the FBI, the UK National Crime Agency, the United States Secret Service, the Royal Canadian Mounted Police, Eurojust, Switzerland's Polizia Cantonale, Europol, Bulgaria's GDBOP, and the Swedish National Police.
Indeed, that looks like it's more serious than copyright infringement enforcement, but we can always wait for tomorrow when details of the operation will be revealed.
Re: I bet that... (Score:4, Interesting)
With all those organizations in the operation, maybe they're going after the ransomware gangs.
Re: (Score:2)
All those foreign police organizations can make a physical raid (to get "servers, logs and account info") on a Russian site? What I find more believable is that they swiped the organization's DNS entries so they could replace its website front page with the aforementioned seizure notice.
Re: (Score:3)
Depends on what the claimed crime is (as well as hosting location).
We might not always trust the Russians, but we can trust that they take their commercial reputation personally. They don't give a shit about copyright; internationally it's small biscuits. But criminal gangs indiscriminately hitting everyone (including Russians), that might not be something they want to be associated with.
Plus, if the servers aren't in Russia, I'd doubt they have much say in the matter.
Re: (Score:2)
European laws requiring servers in the local country, what could possibly go wrong?
Also, logs.
Anyway, would be nice if they were going after ransomware peeple.
Re: (Score:2)
> Depends on what the claimed crime is (as well as hosting location).
> We might not always trust the Russians, but we can trust that they take their commercial reputation personally. They don't give a shit about copyright; internationally it's small biscuits. But criminal gangs indiscriminately hitting everyone (including Russians), that might not be something they want to be associated with.
> Plus, if the servers aren't in Russia, I'd doubt they have much say in the matter.
FWIW, supposedly some of the Russian crypto malware has been trying to stay below the radar of Russia's own law enforcement agencies by not initiating malicious activity on computers that have a Russian or Ukrainian keyboard layout installed. In general the Russian authorities aren't losing all that much sleep over it as long as it is just other countries losing time & money.
Re: (Score:2)
> the Royal Canadian Mounted Police
Now I have this image stuck in my mind: a Mountie on horseback, carrying a server under his/her arm.
(I know they only use horses on ceremonial occasions)
Re: (Score:2)
> the Royal Canadian Mounted Police
Well fuck. Without them, you had a chance.
The LAST thing you do with a drive you just seized is to mount it!
Next time, send the unmounted police. Way better at forensics.
Re: (Score:2)
you need to call the right agency.
the royal COWs are more trustable. copy on write, you hoser!
Re: (Score:2)
> more serious than copyright infringement enforcement
Holy shit they raided adfly.
Re: (Score:2)
I do find it hilarious that these crimes are the function of federal specialist bureaus in every country other than the Netherlands, where cybercrime is the jurisdiction of the police instead of the BVD or AIVD, which would be the equivalent of the FBI / CIA.
VPN logs? (Score:5, Informative)
I thought reputable VPNs advertised they didn't keep logs?
Re: (Score:1)
No VPN service can accurately say they don't keep logs. Even if they don't normally keep logs, if at some point law enforcement tells them to keep logs then they will be forced to start keeping logs.
There is no VPN on Earth not subject to these rules.
Re: (Score:2)
> There is no VPN on Earth not subject to these rules.
Is this some sort of low key flex that Starlink is going to be offering traceless VPN services not subject to any earth laws?
Re: (Score:1)
Guess which word in that sentence doesn't belong there.
Hint: it's a Russian site we're talking about.
Re: (Score:2)
You need to look for reputable third-party auditors and payment via onion hidden services with ZCash/Monero payments. Anything else is tracking you.
Re: (Score:3)
They might not keep logs, but once someone takes over their environment that group can start logging whatever they would like.
Re: (Score:2)
Everybody keeps logs. You need it for problem management. The interesting question is whether they have any user information in these logs. That is _not_ needed. IP addresses are also pretty much optional unless somebody starts to DoS you.
Will be interesting if anything comes from this. Because while logging user activity is not needed, it makes things easier and cheaper to run. Hence a dishonest VPN provider may well keep all of that information.
Re:VPN logs? (Score:5, Informative)
EVERY VPN LOGS. They have to as part of regular business operations, or they'd go out of business.
Take a look at any VPN service out there right now, and they all have a connection limit. Usually 1 smartphone, 1 tablet and maybe a couple of PCs. Or some combination thereof.
Without a log, there's no way that can be enforced.
So when you log into the service, the log entry is created. When you try to log in again, the log entry shows you're already connected and fails to connect you again. The only way to clear that log entry is to disconnect, at which point there no longer exists any log of your activity.
This means you really shouldn't be connecting and staying connected - you really should be disconnecting periodically - at least once a day to delete the log entry and effectively erase your presence.
At the same time, you should also choose busy VPN servers if you have a choice - being the only person on a VPN server is very identifying. And US based VPN services support a so-called "real time DMCA" which effectively is a DMCA notice sent in real time. If you're the only person on a VPN server and can be positively identified, you get the notice. If you're sharing the server with someone else, it no longer applies because it's impossible to tell who that notice is for. Likewise, decline any "port forwarding" or "port mapping" or "static" services your VPN provider might have. Sure it makes your torrents faster if you are reachable, but those things are a dead giveaway to identifying you.
Of course, most people don't really know and just believe a VPN makes you invisible.
Re: (Score:1, Interesting)
There's a difference between an integer against your username (how many connections you have currently active) and a proper, bona fide log that lists the times you last were connected, disconnected, and possibly the DNS names you looked up, the IPs you connected to, how many bytes you transferred, etc.
One's a log - the kind that some providers say they don't keep. The other is just user metadata - which yes, likely all VPN providers keep.
Re: (Score:2)
> Without a log, there's no way that can be enforced.
There's a difference between storing a log and monitoring a state. You absolutely can track who is currently logged in from which device without ever committing that data to disk.
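To make the state-versus-log distinction in this sub-thread concrete, here is an added Python example (not from the thread or from any VPN provider) contrasting an in-memory connection-limit tracker with an append-only event log; the account, device names and IP address are constructed.

```python
from collections import defaultdict

class SessionState:
    """Per-account connection limit enforced from volatile state only: the
    map account -> live session ids is all that exists, nothing is written out."""

    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self._live = defaultdict(set)

    def connect(self, account, session_id):
        live = self._live[account]
        if len(live) >= self.max_sessions:
            return False  # limit reached; the refusal itself is not recorded
        live.add(session_id)
        return True

    def disconnect(self, account, session_id):
        self._live[account].discard(session_id)
        if not self._live[account]:
            del self._live[account]  # account disappears from memory entirely

    def retained(self):
        return {acct: sorted(ids) for acct, ids in self._live.items()}

class DurableLog:
    """Contrast: append-only event records of the kind a seizure would recover."""

    def __init__(self):
        self.events = []

    def record(self, ts, account, event, session_id, src_ip):
        self.events.append((ts, account, event, session_id, src_ip))

def run_scenario():
    """Feed one constructed connect/disconnect sequence to both designs."""
    state, log = SessionState(max_sessions=2), DurableLog()
    steps = [(100, "connect", "phone"), (105, "connect", "laptop"),
             (110, "connect", "tablet"),  # third device: over the limit
             (900, "disconnect", "phone"), (905, "disconnect", "laptop")]
    refused, snapshots = [], {}
    for ts, action, dev in steps:
        if action == "connect" and not state.connect("user42", dev):
            refused.append(dev)
        elif action == "disconnect":
            state.disconnect("user42", dev)
        log.record(ts, "user42", action, dev, "198.51.100.7")  # constructed IP
        snapshots[ts] = state.retained()  # what the state design holds right now
    return {"refused": refused, "snapshots": snapshots, "log_after": list(log.events)}
```

After the last disconnect the state design holds nothing about user42 at all, while the durable log still carries every connect, the refused attempt, and the source address.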
Double ROT13 (Score:4, Funny)
I encrypt all of my traffic with double ROT13. It's indecipherable!
Re: (Score:2)
> That joke was funny back in the 80s.
There's 10 types of people.
Those that find double ROT13 jokes funny and 10 other types of people.
Re: Double ROT13 (Score:2)
If it's too cold: logon If it's too hot: logoff If it's still too hot: put out the fire
Re: (Score:2)
That's 11 types of people.
Re: Double ROT13 (Score:1)
Think harder.
Nobody finds double ROT13 funny.
Re: (Score:2)
127 is a class A assignment (127.0.0.0/8). So the "no place like 127.0.0.1" joke actually has about 16.7 million variants like "There's no place like 127.80.0.85"
That's a lot of boobs!
Re: (Score:2)
I use the full 16 rounds in case a workload reduction attack is discovered on reduced-round variants.
Is double encryption really better? (Score:2)
Statistically speaking, is the randomization better from double-encryption actually improved over single-encryption? Triple-DES, with its three-time encryption, is far less secure than today's RSA encryption. It seems like a gimmick to me.
Re: (Score:2, Flamebait)
DES vs Triple-DES
AES vs Triple-AES
etc...
Now you can answer your own fucking question.
Re: (Score:2)
Of course you need to compare apples to apples. But you didn't answer the question: Is double or triple encryption actually more secure than single-encryption (of the same type)? Or does it just *feel* more secure?
Re: (Score:2)
Thank you, I had always assumed that the same 64-bit key was used each time, but your post prompted me to look up more info.
Re: (Score:3)
That's not what double encryption means in this context.
How it works:
content -> VPN 1 -> VPN 2 -> destination
At the end of that chain, it is non-trivial to find the entry point. A lot of people used to set that up by hand, which is hard to do while ensuring anonymity. Having it done by a third party makes it much harder to backtrace. Except if one has the logs, that is.
Re: (Score:2)
Are you feeling OK?
Re: (Score:2)
Nice comment. Ignore your critics. Physical OpSec.
Re: (Score:2)
Reminds me of my interest in creating safes that cannot be cracked without destroying the contents.
Props to you.
Re: (Score:2)
I understand how VPNs work, and your diagram is accurate. But it has nothing to do with encryption or double-encryption.
Re: (Score:1)
The security coming from 'double', according to the article, is really about having an extra hop:
User -> VPN node 1 -> VPN node 2 -> destination
That's one more problem for an observer to figure out vs
User -> VPN node -> destination
It might seem like you can just draw a line around the VPN nodes and call it one "thing" you are watching traffic in and out of, but it's a much harder problem for observers (bad actors if the user is a good guy or the police if the us
Re: (Score:2)
I would call that double VPN, not double encryption.
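A simplified model of the two-hop chain drawn in the two comments above, added here as an example and not taken from the article or from DoubleVPN's own software. It assumes the client holds a pre-shared key with each node and uses a toy HMAC-based stream cipher purely to show which fields each hop can see and therefore record.

```python
import hashlib
import hmac
import json
import secrets

# Toy CTR-style stream cipher with HMAC-SHA256 as the PRF: illustration only,
# unauthenticated, and no substitute for a real VPN cipher suite.
def keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, obj):
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, json.dumps(obj).encode())

def unseal(key, blob):
    return json.loads(keystream_xor(key, blob[:16], blob[16:]))

# Constructed pre-shared keys: one between client and node 1, one with node 2.
K1 = secrets.token_bytes(32)
K2 = secrets.token_bytes(32)

def client_build(dst, payload):
    """Wrap the destination under K2, then wrap that blob under K1."""
    inner = seal(K2, {"dst": dst, "payload": payload})
    return seal(K1, {"next": "vpn2", "inner": inner.hex()})

def vpn1_handle(src_ip, packet):
    """Node 1 strips one layer: learns the client address and the next hop only."""
    msg = unseal(K1, packet)
    return {"src": src_ip, "next": msg["next"], "dst": None}, bytes.fromhex(msg["inner"])

def vpn2_handle(src_ip, packet):
    """Node 2 strips the last layer: learns the destination, sees node 1 as source."""
    msg = unseal(K2, packet)
    return {"src": src_ip, "dst": msg["dst"]}, msg["payload"]

def trace(client_ip="203.0.113.5", dst="example.com", payload="GET / HTTP/1.1"):
    """Run one request through the chain and return what each node could record.
    Neither record alone links client_ip to dst; joining both, as seized logs
    from both nodes would allow, does."""
    pkt = client_build(dst, payload)
    view1, fwd = vpn1_handle(client_ip, pkt)
    view2, delivered = vpn2_handle("vpn1", fwd)
    return {"vpn1": view1, "vpn2": view2, "delivered": delivered}
```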
Trust (Score:5, Insightful)
In the end, if you use one of these systems, you have to decide how much you trust them. Do they really keep no logs? Do they really keep all traffic encrypted?
How trustworthy is an organization that caters to criminal enterprise? After all, the whole point of criminal organizations is to lie, cheat, and steal for financial gain. Why would they not lie and cheat their own criminal customers?
Re: (Score:2)
Not all VPN providers are criminal organizations, and not all uses of VPNs are crime-related. The one in this story, however, was in fact catering to criminals.
Re: (Score:2)
When using a VPN, what you do is to replace the ISP as the single point of logging with the VPN. That's all. That's all the "privacy" they afford you.
Re: (Score:2)
That's what they SAY they do. My point is not about the technology, but about whether it's possible to trust that the provider is actually doing what they say they are doing.
Re: (Score:2)
You do not want to duckduckgo search 'Mexican gang face peeling'.
Log-files? (Score:2)
What log-files? VPNs are famous for not recording those.
How'd they seize Russian servers? (Score:3)
Re: (Score:1)
The business end of the service being based in Russia (or even a primary technical facility) doesn't tell us what information is stored and where it's kept.
Further, we don't know the actual goals of the police involved. As was said, you don't necessarily need to raid a particular physical location to:
1. shut down the service (maybe they got to the dns people for it, or shut down enough nodes to effectively if not literally kill the network)
2. seize some e
Re: (Score:3)
But maybe instead of being sloppy, DoubleVPN thought they were being clever. Instead of keeping data on Russians in Russia, they kept it in Germany, and vice versa. That would keep data about German users from being accessible to German law enforcement, which would be a great selling point up to the point