VPN-enabled advance fee fraud

TJ Trout tj at pcguys.us
Mon Mar 21 17:30:37 UTC 2022

ExpressVPN does NOT and WILL NEVER log:
IP addresses (source or VPN)

Browsing history

Traffic destination or metadata

DNS queries

We have carefully engineered our apps and VPN servers to categorically
eliminate sensitive information. As a result, ExpressVPN can never be
compelled to provide customer data that does not exist.

On Mon, Mar 21, 2022, 7:11 AM Andrew G. Watters <andrew at raellic.com> wrote:

> Nutshell version: a group of criminals who appear to be in Mexico have
> created an entire fake law firm and deal flow in the U.S., with
> Photoshopped notary seals and wire instructions.  They reportedly use
> ExpressVPN-- the owner of the IP block used by the suspects states that
> it leased the IP block to ExpressVPN under a Letter of Authorization.
> The suspects make money by causing victims to wire advance fees to
> Mexico as part of selling their timeshares, and possibly other
> transactions.  My client has lost $70k or so thus far.  He has received
> legit-looking documents, but upon even a cursory electronic inspection
> they are obvious forgeries.  So this gang is savvy enough to steal
> money, but really reckless as well, which may explain why they are
> risking clicking on my links as well.  I spoke with the lawyer who they
> are impersonating, and it was news to him that he is in New York City
> running a law firm considering that he retired in another state many
> years ago.
> So the suspects are offshore and I'm not sure what I can do.  But I
> would still rather have their IP addresses than nothing.  Can I have a
> recommendation on the best way to pursue user data from VPN providers
> such as ExpressVPN?  I already sent in a notice to preserve logs for the
> involved ASN, and I'm headed to Federal court in the next few days to
> see if I have a chance to get even some of the victim's money back-- or
> at least an injunction shutting down the suspects' online presence.  Any
> tips on getting VPN user data (or best practices in this type of
> situation) would be greatly appreciated.
> Best,
> Andrew Watters
> --
> Andrew G. Watters
> Rællic Systems
> andrew at raellic.com
> +1 (415) 261-8527
> https://www.raellic.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220321/f972fafc/attachment.html>

More information about the NANOG mailing list