Joint action by Europol and law enforcement authorities in ten countries has shut down VPNLab, a VPN service said to have been used to commit cybercrimes including malware distribution and ransomware campaigns. The service's domain now displays a seizure banner claiming the service's involvement in major international cyber attacks.

vpnlabIn common with all communications systems such as telephone networks, internet service providers and even email, VPN services can be used by honest citizens and criminals alike.

In terms of staying within the boundaries of the law, the important factor is whether the communications provider or service actively and knowingly encourages or facilitates illegal activities. According to an announcement by Europol, VPN provider VPNLab appears to have overstepped the mark.

VPNLabs Domain Seized, Service Shut Down
Historical visitors to the website were previously greeted with the kind of message associated with many privacy-focused services.

“VPNLab is a service providing your security on the Internet by encryption of original traffic. Our service is designed for a broad spectrum of clients: webmasters, SEO-optimizers, traders, businessmen and people, who care about their personal security,” the site read.

“Average users don’t see the necessity of the described procedure and may even find it useless, however the latest featured legal proceedings involving people who were just expressing their opinions in their own web-diaries show the seriousness of Internet security issue.”

Following a long-running international investigation by authorities in Germany, the Netherlands, Canada, Czech Republic, France, Hungary, Latvia, Ukraine, the United Kingdom and the United States, a new message is visible – one that suggests that the service was more than just a vehicle for enabling free speech.

vpnlab seize
VPNLab – 2008 to 2022
According to a Europol announcement, VPNLab began its operations in 2008, offering an OpenVPN-based service designed to provide online anonymity for as little as $60 per year. Exactly when the service came to the attention of law enforcement isn’t currently being made clear but according to Europol, at some point VPNLab became popular with cybercriminals.

“Law enforcement took interest in the provider after multiple investigations uncovered criminals using the service to facilitate illicit activities such as malware distribution. Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware,” Europol says.

The European Union Agency for Law Enforcement Cooperation adds that as a result of the VPNLab investigation, more than 100 businesses have been identified as “at risk of cyberattacks” with law enforcement agencies currently working with these potential victims to mitigate their exposure.

International Cooperation
There seems little doubt that law enforcement authorities viewed VPNLab as a major cybersecurity problem.

In Germany, the Hanover Police Department played a key role and in the Netherlands, the country’s Hi-Tech Crime Unit was called upon. Also taking part in the operation were the Royal Canadian Mounted Police, the Czech National Organized Crime Agency, the UK’s National Crime Agency, the FBI in the United States, plus specialized agencies across Europe.

“On 17 January, disruptive actions took place in a coordinated manner in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom. Law enforcement authorities have now seized or disrupted the 15 servers that hosted’s service, rendering it no longer available,” Europol adds.

vpnlab seize2
Criminals “Running Out of Places to Hide”
According to Edvardas Šileris, Head of Europol’s European Cybercrime Centre, the action against VPNLab shows that bad actors can’t take anonymity for granted.

“The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online. Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches,” Šileris says.

An important feature of the announcement lies in the description of VPNLab. Rather than simply just another VPN provider offering anonymity on the regular internet, the service is claimed to have advertised itself on the dark web. While that certainly isn’t a crime in itself, Chief of Hanover Police Department Volker Kluwe suggests an unacceptable level of participation in the illegal activities of VPNLabs’ customers.

“One important aspect of this action is also to show that, if service providers support illegal action and do not provide any information on legal requests from law enforcement authorities, that these services are not bulletproof,” Kluwe says.

“This Operation shows the result of an effective cooperation of international law enforcement agencies, which makes it possible to shut down a global network and destroy such brands.”

The action against VPNLab follows a similar operation in June 2021 that targeted DoubleVPN. In that matter the VPN provider was also claimed to be complicit in the actions of its users, not simply by providing anonymity, but by advertising itself on cybercrime forums as a means for ransomware operators and phishing fraudsters to hide their locations.