International law enforcement op nukes Russian-language DoubleVPN service allegedly favoured by cybercriminals

Europol, the US Department of Justice, and Britain's National Crime Agency have taken down a VPN service they claimed was mainly used by criminals – boasting that they hoovered up "personal information, logs and statistics" from the site.

The DoubleVPN site went dark yesterday after law enforcement agencies swooped on its servers, with a joint public statement this afternoon confirming that the takedown was genuine.

Led by the Dutch national police, servers behind DoubleVPN in multiple jurisdictions were seized by law enforcement.

Europol said the service was "heavily advertised on both Russian and English-speaking underground cybercrime forums," offering double, triple or even quadruple-layered VPN services to its customers.

This kind of setup is the old hacker joke about staying behind seven proxies put into practice: multiple VPN tunnels, onion-layered inside one another, were supposed to make accessing internet traffic inside them an extra difficult challenge for adversaries – whether law enforcement, criminals, or commercial rivals.

The operation began in October last year, a few months after a Franco-Dutch police operation to take down encrypted comms app EncroChat.

Archive.org's last capture of DoubleVPN-dot-com, on 28 June, shows it operating like most other VPN sites – complete with Russian text stating: "We have relatively high prices because customer payments for subscriptions are our only source of income. Ask yourself a question: where do free and cheap VPN services get money to pay for their expenses?"

• FBI paid renegade developer $180k for backdoored AN0M chat app that brought down drug underworld
• Hard cheese: Stilton snap shared via EncroChat leads to drug dealer's downfall
• Won't somebody please think of the children!!! UK to mount fresh assault on end-to-end encryption in Facebook
• Belgian police seize 28 tons of cocaine after 'cracking' Sky ECC's chat app encryption

Marketing text also said: "We can declare with full responsibility that there is no logging of client activity in our service," something which may or may not prove to be true when criminal charges are brought.

It seems unlikely that law enforcement would have killed off the service without finding a way of compromising it first – even if only to map out its infrastructure.

A UK-based node of the VPN service was the National Crime Agency's main target. John Denley, deputy director of the NCA's National Cyber Crime Unit, said in a statement: "Double VPN was a multi-layered virtual private network service run by cyber criminals, to enable fellow cyber criminals to mask their identities online. It allowed them to anonymously communicate, identify victims then effectively sneak in and conduct reconnaissance on their systems as a precursor to launching a cyber attack."

NCA investigators also contacted a number of UK businesses that were apparently unlawfully accessed by DoubleVPN's operators.

The agency's deputy director added: "We know that criminal services such as DoubleVPN are used by the organised crime groups behind some of the world's most prominent ransomware strains, which have been used to steal data from and extort victims."

Alongside the EU coordinating agencies, the US and the UK's NCA were police agencies from Germany, the Netherlands, Canada, Sweden, Italy, Bulgaria, and Switzerland.

Police seizures of crime-linked web infrastructure has ramped up over the past year, with the EncroChat seizure followed by the Anom chat app shutting down and revealing to its horrified criminal users that the whole service had been operated by the US FBI for years. ®