DoubleVPN Servers, Logs, and Account Info Seized By Law Enforcement (bleepingcomputer.com)

Posted by BeauHD from the international-law-enforcement dept.
Law enforcement has seized the servers and customer logs for DoubleVPN, a double-encryption VPN service commonly used by threat actors to evade detection while performing malicious activities. BleepingComputer reports: DoubleVPN is a Russia-based VPN service that double-encrypts data sent through its service. When using the service, requests are encrypted and transmitted to one VPN server, which forwards them to a second VPN server, which finally connects to the final destination. The doublevpn.com [archive.org] website was seized today by law enforcement, who stated that they gained access to DoubleVPN's servers and took personal information, logs, and statistics for the service's customers.

"On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised," says the now-seized doublevpn.com website. "International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue." Europol has confirmed to BleepingComputer that the seizure message is legitimate and that they will be providing more information about the operation tomorrow.


  • I bet that... (Score:3, Interesting)

    by denelson83 ( 841254 ) on Tuesday June 29, 2021 @09:37PM (#61535602)

    Regional copyright enforcement was the prime motivation for this seizure.

  • VPN logs? (Score:5, Informative)

    by NFN_NLN ( 633283 ) on Tuesday June 29, 2021 @09:43PM (#61535616)

    I thought reputable VPNs advertised they didn't keep logs?

    • Re: (Score:1)

      by Anonymous Coward

      Yeah, the better ones do - to such an extent that they claim that even they themselves can't determine what traffic is being run by any given customer - however they still need to keep billing info and such, so that even though they don't know what you're doing and can't tell law enforcement either as no such data is kept, law enforcement can at least see you were a customer (unless a VPN outlet has a 'kill switch' that wipes all such data in the event of a raid, but no idea if that is a thing).

      • Re: (Score:1)

        by Anonymous Coward

        No VPN service can accurately say they don't keep logs. Even if they don't normally keep logs, if at some point law enforcement tells them to keep logs then they will be forced to start keeping logs.

        There is no VPN on Earth not subject to these rules.

        • Re: (Score:2)

          by NFN_NLN ( 633283 )

          > There is no VPN on Earth not subject to these rules.

          Is this some sort of low key flex that Starlink is going to be offering traceless VPN services not subject to any earth laws?

        • If I can access the process on the box I can make my own log files. Data is generated, how long that data is kept is another story, however it is trivial to redirect as well as increase or decrease verbosity of log data. Unless you surgically remove it from the source which is not trivial.

    • Re: (Score:1)

      by Yurka ( 468420 )

      Guess which word in that sentence doesn't belong there.
      Hint: it's a Russian site we're talking about.

    • You need to look for reputable third-party auditors and payment via onion hidden services with ZCash/Monero payments. Anything else is tracking you.

    • Re: (Score:3)

      by haus ( 129916 )

      They might not keep logs, but once someone takes over their environment that group can start logging whatever they would like.

    • Re: (Score:2)

      by gweihir ( 88907 )

      Everybody keeps logs. You need it for problem management. The interesting question is whether they have any user information in these logs. That is _not_ needed. IP addresses are also pretty much optional unless somebody starts to DoS you.

      Will be interesting if anything comes from this. Because while logging user activity is not needed, it makes things easier and cheaper to run. Hence a dishonest VPN provider may well keep all of that information.

    • Re:VPN logs? (Score:5, Informative)

      by tlhIngan ( 30335 ) <slashdot&worf,net> on Wednesday June 30, 2021 @05:23AM (#61536416)

      > I thought reputable VPNs advertised they didn't keep logs?

      EVERY VPN LOGS. They have to as part of regular business operations, or they'd go out of business.

      Take a look at any VPN service out there right now, and they all have a connection limit. Usually 1 smartphone, 1 tablet and maybe a couple of PCs. Or some combination thereof.

      Without a log, there's no way that can be enforced.

      So when you log into the service, the log entry is created. When you try to log in again, the log entry shows you're already connected and fails to connect you again. The only way to clear that log entry is to disconnect, at which point there no longer exists any log of your activity.

      This means you really shouldn't be connecting and staying connected - you really should be disconnecting periodically - at least once a day to delete the log entry and effectively erase your presence.

      At the same time, you should also choose busy VPN servers if you have a choice - being the only person on a VPN server is very identifying. And US based VPN services support a so-called "real time DMCA" which effectively is a DMCA notice sent in real time. If you're the only person on a VPN server and can be positively identified, you get the notice. If you're sharing the server with someone else, it no longer applies because it's impossible to tell who that notice is for. Likewise, decline any "port forwarding" or "port mapping" or "static" services your VPN provider might have. Sure it makes your torrents faster if you are reachable, but those things are a dead giveaway to identifying you.

      Of course, most people don't really know and just believe a VPN makes you invisible.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        There's a difference between an integer against your username (how many connections you have currently active) and a proper, bona-fide log that lists the times you last were connected, disconnected, and possibly the DNS names you looked up, the IPs you connected to, how many bytes you transferred, etc.

        One's a log - the kind that some providers say they don't keep. The other is just user meta data - which yes, likely all VPN providers keep.

      • > Without a log, there's no way that can be enforced.

        There's a difference between storing a log and monitoring a state. You absolutely can track who is currently logged in from which device without ever committing that data to disk.
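The distinction drawn in the two replies above, between a transient per-account connection state and a persisted log, as an added example that is not code from the original thread or from any VPN provider. Account names, device IDs, the source IP (an RFC 5737 documentation address), the timestamp, and the log line format are all constructed for the illustration.

```python
import io
from collections import defaultdict

class ConnectionState:
    """Per-account set of connected device IDs, held only in memory; forgets a device on disconnect."""

    def __init__(self, max_devices):
        self.max_devices = max_devices
        self._active = defaultdict(set)

    def connect(self, account, device_id):
        devices = self._active[account]
        if device_id in devices:
            return True                  # already connected, idempotent
        if len(devices) >= self.max_devices:
            return False                 # limit reached: reject, and record nothing
        devices.add(device_id)
        return True

    def disconnect(self, account, device_id):
        self._active[account].discard(device_id)
        if not self._active[account]:
            del self._active[account]    # no residue once the last device leaves

    def active_count(self, account):
        return len(self._active.get(account, ()))

class ConnectionLog:
    """Append-only event history; unlike ConnectionState, its lines outlive the session."""

    def __init__(self, sink, clock):
        self.sink, self.clock = sink, clock

    def record(self, event, account, device_id, src_ip):  # constructed line format
        self.sink.write(f"{self.clock()} {event} acct={account} dev={device_id} ip={src_ip}\n")

def demo(limit=2):
    state, sink = ConnectionState(limit), io.StringIO()
    log = ConnectionLog(sink, clock=lambda: 1625000000)   # constructed fixed timestamp
    results = []
    for dev in ("phone", "laptop", "tablet"):              # the third exceeds the limit
        results.append(state.connect("alice", dev))
        if results[-1]:
            log.record("CONNECT", "alice", dev, "198.51.100.7")   # RFC 5737 documentation address
    for dev in ("phone", "laptop"):
        state.disconnect("alice", dev)
        log.record("DISCONNECT", "alice", dev, "198.51.100.7")
    # The state now holds nothing about alice; the log still holds four lines about her.
    return results, state.active_count("alice"), sink.getvalue().count("\n")
```

The device limit is enforced entirely by ConnectionState, so nothing in ConnectionLog is needed for that purpose; whatever a provider writes there is a policy choice, not an operational necessity.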

    • I'd assume the logs are encrypted if this were a reputable, privacy focused VPN company, but we'll see.

  • Double ROT13 (Score:4, Funny)

    by arosenfield ( 998621 ) on Tuesday June 29, 2021 @10:02PM (#61535670)

    I encrypt all of my traffic with double ROT13. It's indecipherable!

  • Safe havens (Score:1)

    by Anonymous Coward

    Common practice for some VPN outfits is to run their operations out of a country (think tropical island nations) that has more lenient laws on the books where cyber security is concerned - and in the event that said country calls upon the VPN company to release IP information they can just say they don't have it as they don't collect such information.

  • Statistically speaking, is the randomization better from double-encryption actually improved over single-encryption? Triple-DES, with its three-time encryption, is far less secure than today's RSA encryption. It seems like a gimmick to me.

    • Compare like for like, like a god damned reasonable person, ok?

      DES vs Triple-DES
      AES vs Triple-AES
      etc...

      Now you can answer your own fucking question.

      • Of course you need to compare apples to apples. But you didn't answer the question: Is double or triple encryption actually more secure than single-encryption (of the same type)? Or does it just *feel* more secure?

    • Triple DES was mainly meant to increase key size; the increased security comes mainly from the much larger keyspace compared to the original 56-bit key, not so much from encrypting/decrypting 3 times.

      • Thank you, I had always assumed that the same 64-bit key was used each time, but your post prompted me to look up more info.

    • That's not what double encryption means in this context.

      How it works:

      content -> VPN 1 -> VPN 2 -> destination

      At the end of that chain, it is non-trivial to find the entry point. A lot of people used to set that up by hand, which is hard to do while ensuring anonymity. Having it done by a third party makes it much harder to backtrace. Except if one has the logs, that is.

      • Design is Critical. VPN1 server should be in room one, VPN Server2 should be in room 2 behind room 1, and usage logs in Room 3, preferably in a firepit. The doors are very strong. Bonus points for wire rope triggered locking pins - like on safes. Every operation has a panic button. Every door has a timer delay, and an unattended alarm. Every server has a thermite blob over the disk drives or SSDs. Offsite backups are encrypted strongly. Bus bars interconnect panic switch and forced entry switches. There

      • I understand how VPNs work, and your diagram is accurate. But it has nothing to do with encryption or double-encryption.

    • Poorly phrased name.
      The security coming from 'double', according to the article, is really about having an extra hop:
      User -> VPN node 1 -> VPN node 2 -> destination

      That's one more problem for an observer to figure out vs
      User -> VPN node -> destination

      It might seem like you can just draw a line around the VPN nodes and call it one "thing" you are watching traffic in and out of, but it's a much harder problem for observers (bad actors if the user is a good guy or the police if the us

  • Trust (Score:5, Insightful)

    by Tony Isaac ( 1301187 ) on Tuesday June 29, 2021 @11:46PM (#61535942) Homepage

    In the end, if you use one of these systems, you have to decide how much you trust them. Do they really keep no logs? Do they really keep all traffic encrypted?

    How trustworthy is an organization that caters to criminal enterprise? After all, the whole point of criminal organizations is to lie, cheat, and steal for financial gain. Why would they not lie and cheat their own criminal customers?

    • When using a VPN, what you do is to replace the ISP as the single point of logging with the VPN. That's all. That's all the "privacy" they afford you.

      • That's what they SAY they do. My point is not about the technology, but about whether it's possible to trust that the provider is actually doing what they say they are doing.

    • > Why would they not lie and cheat their own criminal customers?

      You do not want to duckduckgo search 'Mexican gang face peeling'.

  • I love it when law enforcement agencies end businesses while their own governments' legitimate spy organizations keep forcing their back doors into everything and, well, just spying on whomever they want. And everybody that gets in the way gets squashed.

  • What log-files? VPNs are famous for not recording those.

  • Double VPN is based in Russia, but it doesn't look like there was anyone involved who could seize servers in Russia. So, even if they got a bunch of the 2nd step servers, wouldn't the important stuff still physically be in Russia?

    • We can't tell from the information we have.

      The business end of the service being based in Russia (or even a primary technical facility) doesn't tell us what information is stored and where it's kept.

      Further, we don't know the actual goals of the police involved. As was said, you don't necessarily need to raid a particular physical location to:
      1. shut down the service (maybe they got to the dns people for it, or shut down enough nodes to effectively if not literally kill the network)
      2. seize some e

