VPN-enabled advance fee fraud

Nutshell version: a group of criminals who appear to be in Mexico have created an entire fake law firm and deal flow in the U.S., with Photoshopped notary seals and wire instructions. They reportedly use ExpressVPN; the owner of the IP block used by the suspects states that it leased the IP block to ExpressVPN under a Letter of Authorization.

The suspects make money by causing victims to wire advance fees to Mexico as part of selling their timeshares, and possibly other transactions. My client has lost $70k or so thus far. He has received legit-looking documents, but upon even a cursory electronic inspection they are obvious forgeries. So this gang is savvy enough to steal money, but really reckless as well, which may explain why they are risking clicking on my links as well. I spoke with the lawyer who they are impersonating, and it was news to him that he is in New York City running a law firm considering that he retired in another state many years ago.

So the suspects are offshore and I'm not sure what I can do. But I would still rather have their IP addresses than nothing. Can I have a recommendation on the best way to pursue user data from VPN providers such as ExpressVPN? I already sent in a notice to preserve logs for the involved ASN, and I'm headed to Federal court in the next few days to see if I have a chance to get even some of the victim's money back, or at least an injunction shutting down the suspects' online presence. Any tips on getting VPN user data (or best practices in this type of situation) would be greatly appreciated.


Andrew Watters

At $70K losses I'd recommend getting law enforcement involved rather than trying to solve this DIY. There are likely other victims.

ExpressVPN does NOT and WILL NEVER log:
- IP addresses (source or VPN)
- Browsing history
- Traffic destination or metadata
- DNS queries

We have carefully engineered our apps and VPN servers to categorically eliminate sensitive information. As a result, ExpressVPN can never be compelled to provide customer data that does not exist.

What if they’re actively connected and you get a subpoena?

…until the NSL arrives.

Matthew Kaufman

I understand and appreciate your architecture.

However, there seems to be one piece of information that you neglected / elided.

What will ExpressVPN do regarding /established/ connections? I would expect that network flows / netstat / etc. could provide some information for current, established, and ongoing.


What will ExpressVPN do regarding /established/ connections? I would expect that network flows / netstat / etc. could provide some information for current, established, and ongoing.

If their intent is not to have data available for analysis, and it sure sounds like it is, they aren't going to log flows or netstat. Data will be in RAM during the TCP session, then poof.

I largely agree regarding persistent storage.

However, that doesn't preclude netstat / ss / tcpdump and the likes.

There has to be /something/ correlating incoming and outgoing /active/ / /ongoing/ connections.

I don't see anything speaking to that real-time data in their comments about architecture.

of course, jay is right (in the US, anyway).

vpn providers often keep the (verified) email address and ip addresses used for service establishment. expressVPN takes bitcoin and what look to me like several other anonymous payment schemes, and there are always prepaid debit cards.

following the money sometimes helps.

the more general problem is that, absent a govt regulator insisting that EVERYBODY do this (as in China), few service providers will want to do this voluntarily because it represents a cost to them which many of their competitors don't have. (registrars are another example of a service provider with this conundrum.)