Cybercriminals use one of three VPN services to attack their victims. All three VPN service providers have been confiscated by US, Germany, France, Switzerland, and the Netherlands law enforcement agencies.

The three services were the following:

• insorg.org
• safeinet.com
• safe-inet.net

These services have been in business for more than 10 years, and they have been seen on Russian and English-speaking cybercrime forums. The services were offered at $1.3 for a day, or $190 for a whole year.

The companies’ servers were utilized to hide threat actors’ identities when performing ransomware attacks, account takeovers, phishing campaigns, etc. They were able to work behind a five-layer deep proxy network.

In all five countries, the VPN providers were taken down because they had hosted content there.

These threat actors had the ability to move a victim’s data from one IP address, server, or country to another to avoid revealing themselves. They don’t keep a record of logs that can be used against them.

There are about 250 companies globally that were being targeted.

As described by The United States Department of Justice, a “bulletproof hosting service” is an online service provided by an individual or an organization that is intentionally designed to provide web hosting or VPN services for criminal activity.”

The federal government has custody of these domains, and the domains now have a banner indicating that. This international take down operation was named “Operation Nova.”

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.