“No logs” EarthVPN user arrested after police find logs

It appears that somebody in the Netherlands had the brilliant idea of using EarthVPN, a VPN service trumpeted as offshore and no-logs, to email bomb threats to his school.

Dutch police stunned the VPN account holder with a quick arrest after tracking down the real computer IP behind the VPN, using VPN connection logs as evidence. Although this young man claims that somebody stole his VPN account to send the threats, he has still been expelled from school for life and charged by police with sending bomb threats.

All of this happened 6 months ago and I am publicising it now because nobody else has reported on it; it has gone under the radar for too long, fooling VPN users with a false sense of security.

In EarthVPN's defence, a representative claimed in the LowEndTalk forums that, although they do not keep logs, Dutch police had seized one of their servers with a court order, and that they suspected the datacenter was keeping IP transfer logs to protect against distributed denial-of-service attacks, which is how the police managed to track down this person.

The discussion of the incident is on the LowEndTalk forum (reading it requires registration).

Various lessons must be learned here. The first is that if you live in the Netherlands, using a VPN server that is also in the Netherlands to send a bomb threat is not very smart; in fact, sending a bomb threat at all is never smart, wherever you are.

The second lesson is that you have absolutely no way to know for sure how safe a “No logs” claim really is. Trusting your life to a no-logs VPN service is like gambling with your life at Russian roulette.

The conclusion is that there appears to be not much a VPN company can do if the data center where it hosts its server decides to start logging VPN users, as is being claimed happened here.

EarthVPN also claims to have now cancelled the contract with the Dutch datacentre; however, this young man has already been suspended for life from school and gotten into problems with his parents. As much as he deserves anything that happens to him if he is guilty, the main issue here is about VPN trust.

Update: In response to a couple of redditors expressing doubts about this incident, let me be clear that this post is only based on facts and zero assumptions.

I will lay out the facts even more clearly:

1) Someone in the Netherlands claims to be an EarthVPN customer who has been arrested.

2) A long-standing LowEndTalk member with dozens of posts, “EarthVPN”, acknowledges that a server in the Netherlands was seized. The same “EarthVPN” account (never reported stolen) clearly states that identification of this customer might have been possible using datacenter logs.

I have also considered how to stop a rogue datacenter from logging your VPN usage: it came to my mind that a multihop VPN service will make it much more difficult for a case like this to happen.

I am adding a link (with a referral code) to iVPN double VPN.

5 thoughts on ““No logs” EarthVPN user arrested after police find logs”

  1. It will take only a tiny bit of sleuthing to determine what colo earthvpn was using in Holland about six months ago; this is trivially easy to verify. There are only a few larger datacentres in the city (& surrounding areas, such as Den Haag). Indeed, I can likely guess the one they’re using as it’s used by many low-end, newcomer “VPN services” looking for cheap capacity.

    Why could I hazard such a guess off the top of my head on such a specific topic? Well actually, I was part of the team that first put a “VPN server” in Amsterdam (Den Haag, more specifically :-) for use by customers… in 2007. So I am somewhat familiar with the landscape there, and also with the cancerous growth of technically inept “VPN services” bilking money from unsuspecting customers.

    Finally, while I’m tempted to do a more formal write-up elsewhere, let me be crystal clear about something: a claim that “datacentre logs” could be used to “identify a customer” of a legitimate network security service (aka, “VPN service”) is complete, total horseshit. Making such a claim either means that “earthvpn” is so ignorant of the fundamentals of network security that they can say this and actually think it’s true (which seems unlikely… I mean, that’s astonishing ignorance) or that they think they can lie their ass off and nobody will notice because most folks trust other folks to tell the truth, more or less… particularly when they are speaking in a professional capacity on a technical subject.

    Whichever the case, it’s disgusting.

    (yes, I am familiar with theoretical traffic-analysis-based attacks on network anonymity and, no, it is not in the least bit likely that this was deployed in current context – indeed, it’s an attack that has yet to be documented in the wild and has not even proved successful in the NSA’s extensive & well-funded campaign to subvert Tor’s security model… so to imagine that local Dutch cops have perfected such a technique is laughable. Simply put, they placed a call to the morons running “earthvpn” who promptly caved – just like HideMyAss, vtunnel, and others in the past who have been publicly exposed for doing this… and there’s a hell of a lot more who have done it but not yet been outed in public, this I know firsthand – when faced with a little bit of pressure… then, they lied about it to try to blame someone else)

    What the lesson learned here says is this: don’t “trust” some me-too, technically inept, inexperienced, profit-driven, marketing-heavy “VPN service” to protect you from a damned thing. These newbie cash-grab schemes are all the rage nowadays… but their security is statistically indistinguishable from zero. We’ve been documenting this drift towards hypeware/scamware, for years… hell, I’ve been writing detailed technical forensic posts on specific examples myself, for years. One after another. Earlier this week, I worked with Baneki Privacy Labs to expose a “VPN service” that’s circulating identical ‘private keys’ for RSA session validation to every single fucking customer, and posting the keys publicly online… and, at least one other “VPN service” is using identical ‘private keys’ in their own crypto configuration. No, I am not making this up. It’s posted and documented.

    You know what? Nobody cares.

    No journalists or bloggers follow these debacles. Nobody asks hard questions of these “VPN services” that betray their customers, screw up their tech so badly that it’s utterly useless as a “security” tool… or both. The entire model of “scammy me-too ‘VPN service’ runs ads on scammy ‘VPN review’ website and gets great reviews from said website, leading to SEO nirvana and tons of sign-ups” has grown roots so deep it seems like nobody’s willing to note the emperor’s lack of clothes.

    Well, the emperor is indeed stark naked.

    This is good to know if you’re someone who is investing in “VPN service” because they actually need network security and not merely because they want to engage in a charity campaign to support incompetent technologists too lazy or clueless to get a real job doing real tech work that really provides value.

    Hats off to schoolofprivacy for publicizing this, and to Wipe Your Data for noting it in the first place. Now, let’s see if TorrentFreak’s boys jump all over it (like their “report” on the “alien technology” proof crypto snake oil of PIA) – and Ars writes up an exposé. Or not. You can guess what my prediction is, for whatever it’s worth…

    ~ pj

  2. No, the datacentre does NOT keep any transfer logs of L2 (IP) traffic – This is illegal in NL unless you are a home ISP and forced to data retention.

    The EarthVPN server MUST have been logging as the IP MUST be matched by Int/Ext IP ON the server – The datacentre IP log would ONLY show an encrypted VPN session on one side and an independent Mail/HTTP Stream on the other, it is impossible to match 2 of these together without logs of the VPN daemon itself.

    Source: I work for a datacentre in Europe which also has servers in NL (besides 17 other countries).
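
The distinction drawn in the comment above, worked through as an added example (not part of the original post or its comments): datacentre-side flow records narrow an outbound connection only to the set of tunnels open at that time, while records held on the VPN server itself single out one client. All addresses, timestamps and record layouts below are constructed for illustration; the NAT and session log formats are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    start: int  # seconds on a constructed timeline
    end: int
    src: str
    dst: str
    dport: int

VPN_SERVER, MAIL_HOST, VPN_PORT = "198.51.100.10", "192.0.2.25", 1194  # constructed

# Datacentre view (constructed): endpoints, ports and times only, no payload.
DC_FLOWS = [
    Flow(1000, 5000, "203.0.113.5", VPN_SERVER, VPN_PORT),
    Flow(1200, 4800, "203.0.113.77", VPN_SERVER, VPN_PORT),
    Flow(2500, 9000, "203.0.113.140", VPN_SERVER, VPN_PORT),
    Flow(6000, 7000, "203.0.113.9", VPN_SERVER, VPN_PORT),
    Flow(3000, 3004, VPN_SERVER, MAIL_HOST, 25),  # outbound mail stream
]

# Server-side view (hypothetical layout): (start, end, tunnel IP, real IP).
# Tunnel IP 10.8.0.2 is reused later, so the time window matters.
DAEMON_SESSIONS = [
    (1000, 5000, "10.8.0.2", "203.0.113.5"),
    (1200, 4800, "10.8.0.3", "203.0.113.77"),
    (2500, 9000, "10.8.0.4", "203.0.113.140"),
    (6000, 7000, "10.8.0.2", "203.0.113.9"),
]
NAT_LOG = [(3000, "10.8.0.3", MAIL_HOST, 25)]  # (time, tunnel IP, dst, dport)

def candidates_from_flows(flows, dst, dport):
    """Clients whose tunnel flow spans the server's outbound flow to dst:dport."""
    events = [f for f in flows if (f.src, f.dst, f.dport) == (VPN_SERVER, dst, dport)]
    tunnels = [f for f in flows if (f.dst, f.dport) == (VPN_SERVER, VPN_PORT)]
    return {t.src for e in events for t in tunnels
            if t.start <= e.start and e.end <= t.end}

def resolve_with_server_logs(sessions, nat_log, dst, dport):
    """Join the NAT record (tunnel IP -> dst) with the session log (tunnel IP -> real IP)."""
    return {real for ts, tun, d, p in nat_log if (d, p) == (dst, dport)
            for start, end, tip, real in sessions
            if tip == tun and start <= ts <= end}

if __name__ == "__main__":
    print(sorted(candidates_from_flows(DC_FLOWS, MAIL_HOST, 25)))
    print(resolve_with_server_logs(DAEMON_SESSIONS, NAT_LOG, MAIL_HOST, 25))
```

With these constructed records the flow log leaves three concurrent sessions as candidates, and only the server-side records reduce that to one.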
