The chief information officer for ExpressVPN once helped the United Arab of Emirates orchestrate a massive cyberspying campaign on computers across the globe.
According to the Justice Department, ExpressVPN CIO Daniel Gericke and two others worked as hackers for hire for the UAE to develop “zero-click” attacks capable of breaking into internet accounts and devices, including those in the US.
All three formerly worked for the US intelligence community. However, by offering their hacking expertise to a foreign country from 2016 to 2019, the trio broke US export controls, which required them to obtain a license from the State Department to provide such services. Reuters originally reported on the hire-for-hacking scheme with the UAE, and said the spying ensnared iPhones and internet accounts belonging to activists, political rivals, and even Americans.
The cyberspying naturally raises questions about the security around ExpressVPN. However, the VPN service is sticking with Gericke, who ceased his work with the UAE once he joined ExpressVPN in December 2019.
“We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start,” ExpressVPN wrote in a blog post on Wednesday. “In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security.”
Despite breaking US laws with the hacking, the Justice Department is refraining from charging Gericke with a crime. Instead, he’s entered into an agreement that forbids him from ever conducting “computer network exploitation” operations on behalf of an employer ever again. He also agreed to pay a $335,000 fine.
ExpressVPN adds that it constantly vets its VPN service for security. “Of course, we do not rely on trust in our employees alone to protect our users,” it wrote in Wednesday’s blog post. “We have robust systems and security controls in place in all our systems or products. We also engage and provide significant access to many independent third parties to conduct audits, security assessments, and penetration tests on our systems and…