Law enforcement authorities from 10 countries took down VPNLab.net, a VPN service provider used by ransomware operators and malware actors. The disruptive joint action was coordinated by Europol and took place on January 17, 2022. It involved simultaneous law enforcement actions in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States, and the United Kingdom.
The law operatives seized 15 servers used by the VPNLab.net service and took down its main site, so the platform is no longer available.
A VPN service for criminals
Cybercriminals use VPN (virtual private network) services to hide their real location and identity and obfuscate their online tracks by redirecting network traffic through multiple encryption tunnels.
Compared to standard consumer VPN services, the solutions geared towards illicit use are slower and more cumbersome because they feature multiple layers of encryption and bouncing.
VPNLab.net was one of the longest-standing and trustworthy services of this kind, established in 2008 and offering OpenVPN-based technology and 2048-bit encryption for just $60/year.
Its servers were located in various countries, offering relative proximity to malicious actors worldwide, thus keeping the performance within an acceptable level.
“Law enforcement took an interest in the provider after multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution,” Europol said.
“Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.”
As further detailed by the Ukrainian cybercrime police in a separate press release, this particular service has been used in at least 150 ransomware attacks.
As a direct result of these actions, VPNLab.net caused financial damages of at least 60 million Euros ($68.3 million).
Operators still free, but maybe not for long
The owners and operators of VPNLab.net haven’t been identified, charged, or arrested yet. However, the law enforcement claims to hold valuable evidence on that front now, a result of the servers’ seizure.
Moreover, customer data stored within them will also be scrutinized, so the police will likely identify more ransomware affiliates.
In December 2020, Europol coordinated another similar take-down action against Safe-Inet and Insorg VPN, two service providers known for catering to cybercriminal activity.