The virtual private network (VPN) Safe-Inet, used by the world’s foremost cybercriminals, was taken down yesterday in a coordinated law enforcement action led by the German Reutlingen Police Headquarters together with Europol and law enforcement agencies from around the world.
The Safe-Inet service was shut down and its infrastructure seized in Germany, the Netherlands, Switzerland, France and the United States. The servers were taken down, and a splash page prepared by Europol was put up online after the domain seizures. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Turning the table on the criminals
Active for over a decade, Safe-Inet was being used by some of the world’s biggest cybercriminals, such as the operators responsible for ransomware, E-skimming breaches and other forms of serious cybercrime.
This VPN service was sold at a high price to the criminal underworld as one of the best tools available to avoid law enforcement interception, offering up to 5 layers of anonymous VPN connections.
Law enforcement were able to identify some 250 companies worldwide which were being spied on by the criminals using this VPN. These companies were subsequently warned of an imminent ransomware attack against their systems, allowing them to take measures to protect themselves against such an attack.
The service has now been rendered inaccessible.
Investigations are ongoing in a number of countries to identify and take action against some of Safe-Inet’s users.
International cyber sweep
International police cooperation was central to the success of this investigation as the critical infrastructure was scattered across the world.
Europol’s European Cybercrime Centre (EC3) supported the investigation from the onset, bringing together all the involved countries to establish a joint strategy and to organise the intensive exchange of information and evidence needed to prepare for the final phase of the takedown.
The Police President of the Reutlingen Police Headquarters, Udo Vogel, said:
The investigation carried out by our cybercrime specialists has resulted in such a success thanks to the excellent international cooperation with partners worldwide. The results show that law enforcement authorities are equally as well connected as criminals.
The Head of Europol’s European Cybercrime Centre, Edvardas Šileris, said:
The strong working relationship fostered by Europol between the investigators involved in this case on either side of the world was central in bringing down this service. Criminals can run but they cannot hide from law enforcement, and we will continue working tirelessly together with our partners to outsmart them.
- Germany: Reutlingen Police Headquarters (Polizeipräsidium Reutlingen)
- The Netherlands: National Police (Politie)
- Switzerland: Cantonal Police of Argovia (Kantonspolizei Aargau)
- United States: Federal Bureau of Investigation
- France: Judicial Police (Direction Centrale de la Police Judiciaire)
- Europol: European Cybercrime Centre (EC3)
The U.S. Attorney’s Office for the Eastern District of Michigan issued the following press release:
DETROIT – United States Attorney Matthew Schneider announced today that law enforcement in the United States has worked jointly in support of an international takedown of a virtual private network (VPN), dubbed “Operation Nova.” Domain names offered by an organization engaged in “bulletproof hosting” that provided assistance to cyber-criminals were seized, and related servers were shut down. U.S.-based servers used in the scheme were taken offline by U.S. authorities, while international partners did the same.
Schneider was joined in the announcement by Special Agent in Charge Timothy Waters of the Federal Bureau of Investigation (FBI) in Detroit.
The coordinated effort was led by the German Reutlingen Police Headquarters together with Europol, the FBI and other law enforcement agencies from around the world. Today, law enforcement from around the world conducted a coordinated takedown of servers in at least five different countries, in addition to the domain seizures.
The investigation revealed that three domains (INSORG.ORG, SAFE-INET.COM and SAFE-INET.NET) offered “bulletproof hosting services” to website visitors. A “bulletproof hosting service” is an online service provided by an individual or an organization that is intentionally designed to provide web hosting or VPN services for criminal activity. These services are designed to facilitate uninterrupted online criminal activities and to allow customers to operate while evading detection by law enforcement. Many of these services are advertised on online forums dedicated to discussing criminal activity. A bulletproof hoster’s activities may include ignoring or fabricating excuses in response to abuse complaints made by their customers’ victims; moving their customer accounts and/or data from one IP address, server, or country to another to help them evade detection; and not maintaining logs (so that none are available for review by law enforcement). By providing these services, the bulletproof hosts knowingly support the criminal activities of their clients and become co-conspirators in criminal schemes.
Much of the criminal activity occurring on the network involved cyber actors responsible for ransomware, E-skimming breaches, spearphishing, and account takeovers. The service’s website offered support in Russian and English languages, at a high price to the criminal underworld. This infrastructure preferred by cybercriminals was used to compromise networks all around the world.
The seized domains are in the custody of the federal government. Visitors to the sites will now find a seizure banner that notifies them that the domain name has been seized by federal authorities and that facilitating computer intrusions is a federal crime.
The Justice Department’s Office of International Affairs provided investigative assistance. The Justice Department thanks Germany’s Reutlingen Police Headquarters (Polizeipräsidium Reutlingen), The Netherlands’ National Police (Politie), Switzerland’s Cantonal Police of Argovia (Kantonspolizei Aargau), France’s Judicial Police (Direction Centrale de la Police Judiciaire) and Europol’s European Cybercrime Centre (EC3) for their assistance and collaboration in this matter.