Coordinated action cuts off access to VPN service used by ransomware groups

30 June 2021
Press Release

Takedown of DoubleVPN makes it harder for criminal hackers to cover their tracks

This week, law enforcement and judicial authorities in Europe, the US and Canada have seized the web domains and server infrastructure of DoubleVPN. This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims. 

This coordinated takedown, led by the Dutch National Police (Politie), under the jurisdiction of the National Public Prosecutor’s Office (Landelijk Parket), with international activity coordinated by Europol and Eurojust, has now ended the availability of this service.

Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

DoubleVPN was heavily advertised on both Russian- and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters. The service claimed to provide a high level of anonymity by offering single, double, triple and even quadruple VPN-connections to its clients.

DoubleVPN was being used to compromise networks all around the world. Its cheapest VPN-connection cost as little as €22 ($25). 

International coordination

International cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.

  • Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy. Its cybercrime specialists organised over 30 coordination meetings and four workshops to prepare for the final phase of the takedown, alongside providing analytical and crypto-tracing support. A virtual command post was set up by Europol on the action day to ensure seamless coordination between all the authorities involved in the takedown. 
  • Eurojust facilitated the judicial cross-border cooperation and coordination, to ensure an adequate response in order to take down the network. For this purpose, Eurojust has organised six dedicated coordination meetings since October last year, and it set up a coordination centre during the action day, during which the operation was rolled out on the ground by the various national authorities involved.

The leading Dutch Public Prosecutor Ms Wieteke Koorn stated:

This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cybercrime operations. By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kinds of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies, therefore their behaviour has to be stopped.

The Head of Europol’s EC3, Edvardas Šileris, commented:

Law enforcement is most effective when working together and today’s announcement sends a strong message to the criminals using such services: the golden age of criminal VPNs is over. Together with our international partners, we are committed to getting this message across loud and clear.

 

Participating authorities and agencies: 

  • The Netherlands: National Police (Politie), National Public Prosecutor’s Office (Landelijk Parket)
  • Germany: Federal Criminal Police Office (Bundeskriminalamt), Prosecutor General’s Office Frankfurt am Main – Cyber Crime Center
  • United Kingdom: National Crime Agency (NCA)
  • Canada: Royal Canadian Mounted Police (RCMP)
  • United States: Federal Bureau of Investigation (FBI), US Secret Service (USSS), US Department of Justice (DOJ)
  • Sweden: Swedish Police Authority (Polisen), Swedish Prosecution Authority (Åklagarmyndigheten)
  • Italy: State Police (Polizia di Stato, Servizio Polizia Postale e delle Comunicazioni Roma, Compartimento Polizia Postale e delle Comunicazioni Lombardia), Public Prosecutor’s Office of Milan (Procura della Repubblica di Milano)
  • Bulgaria: General Directorate for the Fight against Organised Crime of the Bulgarian Ministry of Internal Affairs (Главна дирекция "Борба с организираната престъпност" при Министерството на вътрешните работи на Република България)
  • Switzerland: Cantonal Police Ticino (Polizia Cantonale del Cantone Ticino), Public Prosecutor’s Office Ticino (Ministero Pubblico del Cantone Ticino)
  • Europol: European Cybercrime Centre (EC3)
  • Eurojust

EMPACT

In 2010 the European Union set up a four-year Policy Cycle to ensure greater continuity in the fight against serious international and organised crime. In 2017 the Council of the EU decided to continue the EU Policy Cycle for the 2018 - 2021 period. It aims to tackle the most significant threats posed by organised and serious international crime to the EU. This is achieved by improving and strengthening cooperation between the relevant services of EU Member States, institutions and agencies, as well as non-EU countries and organisations, including the private sector where relevant. Cybercrime is one of the priorities of the Policy Cycle.