The CIO of ExpressVPN was found developing spyware

ExpressVPN is located in the United States and mainly provides virtual private networks to users around the world. A virtual private network encrypts traffic in transit, which helps protect user privacy.

This network provider has about 7 million users worldwide, and it mainly advertises its security features, such as handling data only in memory and never storing it on the hard disk.

However, the news released by the U.S. Department of Justice yesterday was surprising. The U.S. Department of Justice discovered that a former employee of the U.S. intelligence community had developed spyware for the UAE.

Public information shows that one of the former employees is also ExpressVPN’s chief information officer, whose main job is to help ExpressVPN strengthen its network security.


The investigation revealed that from 2016 to 2019, three employees of the US intelligence community or the US military provided services to a company, which in turn provided services to the UAE government.

This company mainly carried out highly sophisticated hacking operations for the UAE government, the most important of which used zero-click flaws to launch attacks on target devices or users.

Zero-click means that no user interaction is required: a device can be infected directly and monitored continuously without the user clicking on a link or file.

Public documents from the U.S. Department of Justice show that these three former employees of the U.S. intelligence community joined the UAE company as executives responsible for coordinating various complex hacking attacks.

At the same time, they created hacking and spyware platforms called KARMA to help the UAE government attack iPhones that were of interest to the country.

U.S. prosecutors sued the three people on the grounds that they violated U.S. international arms trade regulations. Such hacking must be approved by the U.S. government.

Because they coordinated and initiated hacking operations for the UAE without the permission of the United States, they violated the U.S. international arms trade regulations.

As a punitive measure, they must pay a fine of $1.68 million within three years. In addition to the fine, the three people are prohibited from engaging in any work related to hacking.

In addition, ExpressVPN admitted that it had previously known that its CIO was a spyware developer, but the company still felt that his extensive experience would help improve product security.

Via: Reuters