VPN-enabled advance fee fraud

Josh Luthman josh at imaginenetworksllc.com
Mon Mar 21 17:56:35 UTC 2022

What if they're actively connected and you get a subpoena?

On Mon, Mar 21, 2022 at 1:30 PM TJ Trout <tj at pcguys.us> wrote:

> ExpressVPN does NOT and WILL NEVER log:
> IP addresses (source or VPN)
> Browsing history
> Traffic destination or metadata
> DNS queries
>
> We have carefully engineered our apps and VPN servers to categorically
> eliminate sensitive information. As a result, ExpressVPN can never be
> compelled to provide customer data that does not exist.
>
> On Mon, Mar 21, 2022, 7:11 AM Andrew G. Watters <andrew at raellic.com>
> wrote:
>
>> Nutshell version: a group of criminals who appear to be in Mexico have
>> created an entire fake law firm and deal flow in the U.S., with
>> Photoshopped notary seals and wire instructions.  They reportedly use
>> ExpressVPN-- the owner of the IP block used by the suspects states that
>> it leased the IP block to ExpressVPN under a Letter of Authorization.
>> The suspects make money by causing victims to wire advance fees to
>> Mexico as part of selling their timeshares, and possibly other
>> transactions.  My client has lost $70k or so thus far.  He has received
>> legit-looking documents, but upon even a cursory electronic inspection
>> they are obvious forgeries.  So this gang is savvy enough to steal
>> money, but really reckless as well, which may explain why they are
>> risking clicking on my links as well.  I spoke with the lawyer who they
>> are impersonating, and it was news to him that he is in New York City
>> running a law firm considering that he retired in another state many
>> years ago.
>>
>> So the suspects are offshore and I'm not sure what I can do.  But I
>> would still rather have their IP addresses than nothing.  Can I have a
>> recommendation on the best way to pursue user data from VPN providers
>> such as ExpressVPN?  I already sent in a notice to preserve logs for the
>> involved ASN, and I'm headed to Federal court in the next few days to
>> see if I have a chance to get even some of the victim's money back-- or
>> at least an injunction shutting down the suspects' online presence.  Any
>> tips on getting VPN user data (or best practices in this type of
>> situation) would be greatly appreciated.
>>
>> Best,
>> Andrew Watters
>> --
>> Andrew G. Watters
>> Rællic Systems
>> andrew at raellic.com
>> +1 (415) 261-8527
>> https://www.raellic.com