ExpressVPN said it plans to stand by its CIO after Daniel Gericke was named by the US Department of Justice as one of three people fined for allegedly providing “hacking-related services” to the UAE government.
In an announcement earlier this week, the DOJ said that Gericke, 40, Marc Baier, 49, and Ryan Adams, 34, are paying fines of up to $1.68 million under a deferred prosecution agreement (DPA) over charges related to their work for an unnamed company that signed a contract with the United Arab Emirates government to provide government-sponsored hacking services.
According to the DOJ’s complaint, the trio and their company entered into a contract with the United Arab Emirates government between 2015 and 2019 to break into accounts owned by targeted individuals and companies under the brand name DarkMatter.
According to the complaint, the accounts came from an unnamed smartphone and operating system provider. Some of the targets were US citizens or US-based companies.
“These services included providing support, guidance and supervision in the development of sophisticated ‘zero-click’ computer hacking and information gathering systems – that is, a system that could compromise a device without any harm to the target,” the DOJ said.
“[DarkMatter] employees whose activities were supervised by the Defendants and were known to the Defendants used these zero-click exploits to illegally obtain and use credentials for online accounts issued by US companies and to prevent unauthorized access to computers such as cell phones all over the world, including the United States.”
As part of the deal, the three did not have to admit wrongdoing, but must pay the fines (Gericke’s share was $335,000) and accept restrictions on “future activities and employment”.
In Gericke’s case, these restrictions do not prevent him from continuing in his role as the CIO of a top VPN provider, and ExpressVPN intends to keep him there. The company, which has more than 3 million users and mostly serves consumers as well as SMBs, said it has no plans to change Gericke’s position or status and fully stands by its leadership.
Additionally, ExpressVPN said it has long known of Gericke’s work with the UAE and believes that his previous employment does not pose a privacy risk to its customers, but is actually an asset.
“We have known the key facts about Daniel’s career since we were hired because he was proactive and transparent about sharing them with us from the start. In fact, it was his history and expertise that made him invaluable to our mission to protect user privacy and security,” ExpressVPN said in a statement.
“Daniel has a deep understanding of the tools and techniques used by the adversaries we seek to protect users from and, as such, is a uniquely qualified professional to provide advice on how to counter such threats.”
When asked if it was concerned that its CIO’s history of targeting U.S. citizens could deter potential customers from its services, ExpressVPN referred to its official statement.
“We were confident then and still trust Daniel’s desire and ability to contribute to our mission to enable users to better protect their privacy and security,” the statement said. “He has shown nothing but professionalism and dedication to improving our ability to keep user data secure and private. Our trust in Daniel remains strong.”
ExpressVPN was acquired this week for $936 million by Kape Technologies, a UK software company, the day before the DOJ announcement. Kape Technologies also owns rival VPN companies CyberGhost VPN and ZenMate VPN.
SearchSecurity contacted Kape for comment on the allegations and DPA against an ExpressVPN manager, but the company didn’t respond.
The news has alarmed many in the infosec and privacy community. John Scott-Railton, lead researcher at the University of Toronto’s Citizen Lab, said on Twitter that ExpressVPN’s decision to hire and keep Gericke showed that “the VPN industry is a toxic, dangerous mess”.
David Maynor, an independent security researcher and former researcher at Barracuda Networks, said on Twitter, “For security reasons, you might skip ExpressVPN and Kape.”
Liam Pomfret, a privacy researcher and board member of the Australian Privacy Foundation, tweeted, “When you’re using VPNs to do more than just view streaming services abroad, you really want to get away from ExpressVPN.”
Rob Wright, director of security news, contributed to this report.