The chief information officer for ExpressVPN once helped the United Arab Emirates orchestrate a massive cyberspying campaign on computers across the globe.
According to the Justice Department, ExpressVPN CIO Daniel Gericke and two others worked as hackers for hire for the UAE to develop “zero-click” attacks capable of breaking into internet accounts and devices, including those in the US.
All three formerly worked for the US intelligence community or the US military. However, by offering their hacking expertise to a foreign country from 2016 to 2019, the trio broke US export controls, which required them to obtain a license from the State Department to provide such services. Reuters originally reported on the hire-for-hacking scheme with the UAE, and said the spying ensnared iPhones and internet accounts belonging to activists, political rivals, and even Americans.
The cyberspying naturally raises questions about the security around ExpressVPN. However, the VPN service is sticking with Gericke, who ceased his work with the UAE once he joined ExpressVPN in December 2019.
“We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start,” ExpressVPN wrote in a blog post on Wednesday. “In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.”
Although Gericke broke US laws with the hacking, the Justice Department is refraining from charging him with a crime. Instead, he’s entered into an agreement that forbids him from ever again conducting “computer network exploitation” operations on behalf of an employer. He also agreed to pay a $335,000 fine.
ExpressVPN adds that it constantly vets its VPN service for security. “Of course, we do not rely on trust in our employees alone to protect our users,” it wrote in Wednesday’s blog post. “We have robust systems and security controls in place in all our systems or products. We also engage and provide significant access to many independent third parties to conduct audits, security assessments, and penetration tests on our systems and products.”
ExpressVPN’s VPN service can encrypt your internet connection to prevent snooping, but that assumes its employees aren’t doing any funny business on the backend. By routing your internet through a VPN, you're also pushing your browsing history to a server under someone else's control. This can allow them to log and collect your data.
However, ExpressVPN says Gericke, who formerly worked in the US military in network engineering, has been using his expertise to improve the VPN service. “Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats. Our product and infrastructure have already benefited from that understanding in better securing user data,” the company adds.
The news comes after ExpressVPN this week sold itself to British-Israeli digital security software provider Kape Technologies for a reported $936 million. "With their support and resources, we’ll be able to innovate faster and provide you with protection from a wider range of threats," ExpressVPN says.
Editor's note: This story has been corrected to note Gericke formerly worked for the US military.