Law enforcement agencies from the US, Germany, Netherlands, Switzerland, France, along with Europol’s European Cybercrime Centre (EC3), announced today the coordinated takedown of Safe-Inet, a popular virtual private network (VPN) service that was used to facilitate criminal activity.
The three domains in question — insorg[.]org, safe-inet[.]com, and safe-inet[.]net — were shut down, and their infrastructure seized as part of a joint investigation called “Operation Nova.”
Europol called Safe-Inet a cybercriminals’ “favorite.”
A crucial reason for the domains’ seizure has been their central role in facilitating ransomware, carrying out web-skimming, spear-phishing, and account takeover attacks.
The service, which comes with support for Russian and English languages and has been active for over a decade, offered “bulletproof hosting services” to website visitors, often at a steep price to the criminal underworld.
As of December 1, the cost of a Pro subscription ranged anywhere between $1.3/day to $190/year for full access to its entire roster of servers.
Bulletproof hosting (BPH), also known as abuse-resistant services, is different from regular web hosting in that it allows a content provider more leniency in the kind of data that can be hosted on those servers, thus making it easier to evade law enforcement.
According to an analysis by cybersecurity firm Trend Micro in October, a bulletproof host employs various ways to sustain crimes operating under its wing and can strategically allocate resources globally, keeping in mind the regional legalities and geographical characteristics. They are known to minimize the number of useful log files and access the system only from anonymous sources like Tor networks.
“A bulletproof hoster’s activities may include ignoring or fabricating excuses in response to abuse complaints made by their customer’s victims; moving their customer accounts and/or data from one IP address, server, or country to another to help them evade detection; and not maintaining logs (so that none are available for review by law enforcement),” the US Department of Justice (DoJ) said in a statement.
In doing so, the BPH services intentionally support the criminal activities of their customers and become co-conspirators in the criminal schemes, the DoJ added.
Europol also said it identified about 250 companies worldwide that were being spied on by the criminals to launch potential ransomware attacks using the Safe-Inet infrastructure.
“Criminals can run but they cannot hide from law enforcement, and we will continue working tirelessly together with our partners to outsmart them,” Head of EC3, Edvardas Šileris, said.