The Chief Information Officer for ExpressVPN, Daniel Gericke, has entered into a plea deal with the US government for his role in helping the United Arab Emirates hack and surveil state dissidents. Gericke, who was formerly employed by the US military, has admitted to violating US hacking laws and assisting the UAE in a covert cyber espionage operation called Project Raven. These activities transpired before Gericke was employed by ExpressVPN.
Earlier this week, we wrote an article about how ExpressVPN sold out to Kape Technologies, a former malware distributor operating out of Israel. Today, we’re going to be covering another hot issue that just surfaced involving a high-level ExpressVPN executive, criminal charges, and international espionage.
According to Reuters, Daniel Gericke, the current Chief Information Officer at ExpressVPN, was one of three people who entered into a plea deal with the Department of Justice. These three individuals, all of whom are former military or intelligence officials, were ordered to pay a combined total of $1.69 million, cooperate with the U.S. government, and never seek a U.S. security clearance again.
What exactly did Daniel Gericke do?
Before joining ExpressVPN in December 2019, Gericke was part of a team that helped the UAE government hack and spy on its enemies. This was all revealed in court documents that were recently made public. Reuters further reports,
At the behest of the UAE’s monarchy, the Project Raven team hacked into the accounts of human rights activists, journalists and rival governments, Reuters reported.
The Reuters investigation found that Project Raven spied on numerous human rights activists, some of whom were later tortured by UAE security forces.
Baier, Adams and Gericke admitted to deploying a sophisticated cyberweapon called “Karma” that allowed the UAE to hack into Apple iPhones without requiring a target to click on malicious links, according to court papers.
Karma allowed users to access tens of millions of devices and qualified as an intelligence gathering system under federal export control rules. But the operatives did not obtain the required U.S. government permission to sell the tool to the UAE, authorities said.
Not only did Gericke break US laws, but he also facilitated the surveillance efforts of an oppressive regime that is known for human rights violations.
Cooperation and plea agreement
The Department of Justice has released a deferred prosecution agreement that details the case. It contends that Gericke was notified on “several occasions” that his work with the UAE government was in violation of International Traffic in Arms Regulations (ITAR) and US law.
As part of the plea agreement, Gericke was fined $335,000. Additionally, he must fully cooperate with the FBI, as detailed in court documents:
The defendants shall cooperate fully with the Offices and meet with and provide full, complete, and truthful information to the FBI or any other U.S. government organization, upon request of the Federal Bureau of Investigation (FBI), including any follow-on meetings requested (the first meeting to occur within 90 days of signature of the agreement unless otherwise agreed to by the parties) at places and times to be determined by the FBI. This includes providing any documents, material, data, or information requested by the FBI that are in the possession or control of the defendants as of the time of the acceptance of this agreement.
Based on these records, it appears that Gericke is under the thumb of the FBI “or any other U.S. government organization” that wants information from him. Given this fact, it would seem concerning to have such a person holding a high position in a VPN service that must resist government demands for user data.
Was it this cooperation that prevented Gericke from being prosecuted?
ExpressVPN defends their CIO
ExpressVPN has chosen to stand by Gericke and continue his employment despite the controversy. They penned a blog post responding to the situation and explaining how Gericke has helped the VPN bolster security.
Since Daniel joined us, he has performed exactly the function that we hired him to do: He has consistently and continuously strengthened and reinforced the systems that allow us to deliver privacy and security to millions of people.
Since the scandal erupted, it seems that Gericke’s social media accounts are all but gone. However, we did find this account that details some of his previous work history. Meanwhile, a reporter for Reuters also found that Gericke renounced his US citizenship back in 2017.
Gericke’s controversial activities transpired before he worked for ExpressVPN
It’s also important to note that all of this transpired before Gericke began working at ExpressVPN. ExpressVPN also explained that they did not know about any of these activities involving Project Raven.
When we hired Daniel in December 2019, we knew his background: 20 years in cybersecurity, first with the U.S. military and various government contractors, then with a U.S. company providing counter-terrorism intelligence services to the U.S. and its ally, the U.A.E., and finally with a U.A.E. company doing the same work. We did not know the details of any classified activities, nor of any investigation prior to its resolution this month. But we did know what we had built here at ExpressVPN: a company where every system and process is hardened and designed to minimize risks of all kinds, both external and internal.
Can you trust ExpressVPN? Is it still safe?
In just the past few days, ExpressVPN has taken two major blows to its reputation.
First, it was acquired by Kape Technologies, a company with a history of distributing malware. Additionally, as we noted here, Kape leadership also has ties to state surveillance operations. The latest news involving Gericke and the UAE, which emerged just one day later, adds fuel to the fire.
Taken together, these events will be challenging for ExpressVPN to recover from. Nonetheless, in an attempt to mitigate concerns and bolster trust, ExpressVPN has promised to undergo more third-party audits to verify privacy and security measures:
Ultimately, the question of trust is very subjective and there are many things to consider. While it’s reassuring to know these activities transpired before Gericke worked for ExpressVPN, the Kape acquisition is not a good fit for a VPN that was previously at the top of the pack.
From our perspective, all of the recent events have given us pause in our recommendation of ExpressVPN. While this is a service that we have used, trusted, and recommended for years, this week’s news stories have certainly raised some questions about ExpressVPN and its future.
As always, we will continue to keep a close eye on the situation, including the upcoming audits, and update our recommendations based on all of the latest information and our own test results.