VPN-enabled advance fee fraud

["Andrew G. Watters" <andrew () raellic com>]

Nutshell version: a group of criminals who appear to be in Mexico have 
created an entire fake law firm and deal flow in the U.S., with 
Photoshopped notary seals and wire instructions.  They reportedly use 
ExpressVPN-- the owner of the IP block used by the suspects states that 
it leased the IP block to ExpressVPN under a Letter of Authorization.

The suspects make money by causing victims to wire advance fees to 
Mexico as part of selling their timeshares, and possibly other 
transactions.  My client has lost $70k or so thus far.  He has received 
legit-looking documents, but upon even a cursory electronic inspection 
they are obvious forgeries.  So this gang is savvy enough to steal 
money, but really reckless as well, which may explain why they are 
risking clicking on my links as well.  I spoke with the lawyer who they 
are impersonating, and it was news to him that he is in New York City 
running a law firm considering that he retired in another state many 
years ago.

So the suspects are offshore and I'm not sure what I can do.  But I 
would still rather have their IP addresses than nothing.  Can I have a 
recommendation on the best way to pursue user data from VPN providers 
such as ExpressVPN?  I already sent in a notice to preserve logs for the 
involved ASN, and I'm headed to Federal court in the next few days to 
see if I have a chance to get even some of the victim's money back-- or 
at least an injunction shutting down the suspects' online presence.  Any 
tips on getting VPN user data (or best practices in this type of 
situation) would be greatly appreciated.

Best,

Andrew Watters

--
Andrew G. Watters
Rællic Systems
andrew () raellic com
+1 (415) 261-8527
https://www.raellic.com