The Chief Information Officer for ExpressVPN, Daniel Gericke, has entered into a plea deal with the US government for his role in facilitating the United Arab Emirates in hacking and surveilling state dissidents. Gericke, who was formerly employed by the US military, is accused of violating US hacking laws and facilitating the UAE in a covert cyber espionage operation called Project Raven, which transpired before Gericke was employed by ExpressVPN.
Update: We have added more information and made corrections concerning the Deferred Prosecution Agreement, while also explaining the business case for hiring a former hacker (a practice we see with many other cybersecurity firms).
Earlier this week, we wrote an article about how ExpressVPN agreed to be purchased by Kape Technologies, a company with a growing presence in the VPN space. Today, we're going to be covering another hot issue that just surfaced involving a high-level ExpressVPN executive, criminal charges, and international espionage.
According to Reuters, Daniel Gericke, the current Chief Information Officer at ExpressVPN, was one of three people who entered into a plea deal with the Department of Justice. These three individuals, all of whom are former military or intelligence officials, were ordered to pay a combined total of $1.69 million, cooperate with the U.S. government, and never seek a U.S. security clearance again.
What exactly did Daniel Gericke do?
Before joining ExpressVPN in December 2019, Gericke was part of a team that helped the UAE government hack and spy on its enemies. This was all revealed in court documents that were recently made public. Reuters further reports,
At the behest of the UAE’s monarchy, the Project Raven team hacked into the accounts of human rights activists, journalists and rival governments, Reuters reported.
The Reuters investigation found that Project Raven spied on numerous human rights activists, some of whom were later tortured by UAE security forces.
Baier, Adams and Gericke admitted to deploying a sophisticated cyberweapon called “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on malicious links, according to court papers.Karma allowed users to access tens of millions of devices and qualified as an intelligence gathering system under federal export control rules. But the operatives did not obtain the required U.S. government permission to sell the tool to the UAE, authorities said.
It's important to note that Gericke, Baier, and Adams entered into a deferred prosecution agreement, or DPA for short. Within the DPA framework, there is no admission of guilt and the parties to the DPA will not be convicted of a crime.
Cooperation and Deferred Prosecution Agreement
The Department of Justice has released the deferred prosecution agreement for this specific case that provides us with more details. It contends that Gericke was notified on “several occasions” that his work with the UAE government was in violation of International Traffic in Arms Regulations (ITAR) and US law.
As part of the plea agreement, Gericke was fined $335,000. Additionally, he must fully cooperate with the FBI, as detailed in court documents:
The defendants shall cooperate fully with the Offices and meet with and provide full, complete, and truthful information to the FBI or any other U.S. government organization, upon request of the Federal Bureau of Investigation (FBI), including any follow-on meetings requested (the first meeting to occur within 90 days of signature of the agreement unless otherwise agreed to by the parties) at places and times to be determined by the FBI. This includes providing any documents, material, data, or information requested by the FBI that are in the possession or control of the defendants as of the time of the acceptance of this agreement.
Now let's examine ExpressVPN's response, as well as their reasoning for hiring Gericke in the first place.
ExpressVPN defends their CIO
ExpressVPN has chosen to stand by Gericke and continue his employment despite the controversy. They penned a blog post (as well as a follow-up post here) responding to the situation and explaining how Gericke has helped the VPN bolster security.
Since Daniel joined us, he has performed exactly the function that we hired him to do: He has consistently and continuously strengthened and reinforced the systems that allow us to deliver privacy and security to millions of people.
Since the scandal erupted, it seems that Gericke's social media accounts are all but gone. However, we did find this account that details some of his previous work history.
The case for hiring a former hacker and defense expert
While many outlets have been quick to condemn ExpressVPN for defending and continuing to employ Gericke, there is certainly an argument to be made for this course of action. You can see in this ExpressVPN post how they list numerous ways and real-world examples where Gericke has helped to bolster the VPN's security.
Looking beyond this specific case, we also find many examples of former hackers who have joined forces to use their talents for beneficial security endeavors. For example, HP's Security Advisory Board consists of former criminal hackers, including Michael Calce (a.k.a. “Mafiaboy”) and Robert Masse. Both Calce and Masse pulled off major hacking exploits earlier in their lives, were eventually arrested, and then decided to use their talents for non-criminal endeavors.
There are also numerous cases where former defense and intelligence experts transition to the private sector to use their skills in a new venue. A few examples of this include:
- Kevin Manda, the CEO of Mandiant, who was a former Air Force officer.
- John Fokker, a former U.S. Marine, who is now Head of Cyber Investigations at McAfee.
- Eric Hipkins, a US military veteran and former intelligence analyst, who is now the CEO of R9B
There is clearly a case to be made for hiring a real-world hacking expert to improve security for a VPN service.
Gericke's controversial activities transpired before he worked for ExpressVPN
It's also important to note that all of this transpired before Gericke began working at ExpressVPN. ExpressVPN further clarified that they did not know about any of these activities involving Project Raven.
When we hired Daniel in December 2019, we knew his background: 20 years in cybersecurity, first with the U.S. military and various government contractors, then with a U.S. company providing counter-terrorism intelligence services to the U.S. and its ally, the U.A.E., and finally with a U.A.E. company doing the same work. We did not know the details of any classified activities, nor of any investigation prior to its resolution this month. But we did know what we had built here at ExpressVPN: a company where every system and process is hardened and designed to minimize risks of all kinds, both external and internal.
Note: The UAE is a very restrictive place where the internet is heavily restricted. If you plan to be there, you may want to consider using a VPN for UAE for more internet freedom and accessing websites.
Can you trust ExpressVPN? Is it still safe?
While some may be alarmed with the news about Gericke, a close examination of the facts raises less cause for concern. For one, there is a clear precedent and business case to be made for hiring real-world hacking experts, especially those who may have experience in the defense industry.
Furthermore, we see numerous cases of former criminal hackers who now hold high-ranking security positions at major companies such as HP. Gericke is just one of many examples of this, and in our opinion, this is not cause for alarm.
Nonetheless, in an attempt to mitigate concerns and bolster trust, ExpressVPN has promised to undergo more third-party audits to verify privacy and security measures:
While we are confident that our commitment to this mission is unwavering, we understand that actions speak louder than words. To begin with, we’ll be increasing the cadence of our existing third-party audits to annually recertify our full compliance with our Privacy Policy, including our policy of not storing any activity or connection logs.
Ultimately, the question of trust is very subjective and there are many things to consider. From my own standpoint, the Gericke DPA situation does not raise any alarm bells after researching the case and the industry hiring practices with former hackers. Additionally, ExpressVPN's announcement to conduct further third-party audits leaves me feeling even better.
While we do not consider this case to be overly alarming, there are still many other good VPN services to consider for those wanting to look at other options.
As always, we will continue to keep a close eye on the situation, including the upcoming audits, and update our recommendations based on all of the latest information and test results.
Kape Technologies (Formerly Crossrider) Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites
Ditto that. Had I known I wouldn’t have engaged this vpn service.
I’m more concerned that the “security” of this vpn company can be Leveraged by the gov. through the CIO from whatever plea agreement or charges that may have been “held back”.
Agree.
News. I found a hiring advert for ExpressVPN. “Talent Acquisition Lead – Full Time”.
Location? Dang, I smashed the top of my head on the sloping top floor wall when standing up. LOCATION Chinese controlled HONG KONG. So what is this all about British Virgin Islands then? It is a shell office, like most registered offices there (most addresses in TAX havens are in fact PostOffice addresses not offices). The company that owns them now in the above takeover also owns vpn review websites … that guess what REVIEW ExpressVPN. Anybody wish to refute me … TON OF EVIDENCE ON THE WEB YA!
I see the point on valuable skills. I’m concerned that his arrival coincided neatly with the Kape aka Crossrider deal. That’s two ethical strikes. I’m wondering if Apple has completely shut down the Karma attack he is so expert in? And will the new audit include full verification of No Data Access to Kape Technologies? It has also been several months now…so has the audit been done as promised?