nanog mailing list archives

Re: VPN-enabled advance fee fraud


From: Josh Luthman <josh () imaginenetworksllc com>
Date: Mon, 21 Mar 2022 13:56:35 -0400

What if they're actively connected and you get a subpoena?

On Mon, Mar 21, 2022 at 1:30 PM TJ Trout <tj () pcguys us> wrote:

ExpressVPN does NOT and WILL NEVER log:
IP addresses (source or VPN)
Browsing history
Traffic destination or metadata
DNS queries

We have carefully engineered our apps and VPN servers to categorically
eliminate sensitive information. As a result, ExpressVPN can never be
compelled to provide customer data that does not exist.

On Mon, Mar 21, 2022, 7:11 AM Andrew G. Watters <andrew () raellic com>
wrote:

Nutshell version: a group of criminals who appear to be in Mexico have
created an entire fake law firm and deal flow in the U.S., with
Photoshopped notary seals and wire instructions.  They reportedly use
ExpressVPN-- the owner of the IP block used by the suspects states that
it leased the IP block to ExpressVPN under a Letter of Authorization.

The suspects make money by causing victims to wire advance fees to
Mexico as part of selling their timeshares, and possibly other
transactions.  My client has lost $70k or so thus far.  He has received
legit-looking documents, but upon even a cursory electronic inspection
they are obvious forgeries.  So this gang is savvy enough to steal
money, but really reckless as well, which may explain why they are
risking clicking on my links as well.  I spoke with the lawyer who they
are impersonating, and it was news to him that he is in New York City
running a law firm considering that he retired in another state many
years ago.

So the suspects are offshore and I'm not sure what I can do.  But I
would still rather have their IP addresses than nothing.  Can I have a
recommendation on the best way to pursue user data from VPN providers
such as ExpressVPN?  I already sent in a notice to preserve logs for the
involved ASN, and I'm headed to Federal court in the next few days to
see if I have a chance to get even some of the victim's money back-- or
at least an injunction shutting down the suspects' online presence.  Any
tips on getting VPN user data (or best practices in this type of
situation) would be greatly appreciated.

Best,

Andrew Watters

--
Andrew G. Watters
Rællic Systems
andrew () raellic com
+1 (415) 261-8527
https://www.raellic.com
