ExpressVPN said it plans to stand by its CIO after Daniel Gericke was named by the U.S. Department of Justice as one of three people who were fined for allegedly providing "hacking-related services" to the government of the United Arab Emirates.
In an announcement earlier this week, the DOJ said that Gericke, 40, Marc Baier, 49, and Ryan Adams, 34, would be paying out fines adding up to $1.68 million in a deferred prosecution agreement (DPA) that settles charges related to their work for an unnamed company that contracted with the UAE government to provide state-sponsored hacking services.
According to the DOJ's complaint, the trio and their company had contracted with the UAE government between 2015 and 2019 to break into accounts owned by targeted individuals and companies under the brand name "DarkMatter."
According to the complaint, the accounts were from an unnamed vendor of smartphones and operating systems. Some of those targeted were U.S. citizens or companies based in the U.S.
"These services included the provision of support, direction and supervision in the creation of sophisticated 'zero-click' computer hacking and intelligence gathering systems -- i.e., one that could compromise a device without any action by the target," the DOJ said.
"[DarkMatter] employees whose activities were supervised by and known to the defendants thereafter leveraged these zero-click exploits to illegally obtain and use access credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to computers, like mobile phones, around the world, including in the United States."
As part of the deal, the three did not have to admit to any wrongdoing, but will have to pay the fines (Gericke's share was $335,000) and agree to restrictions on "future activities and employment."
In Gericke's case, those restrictions do not prevent him from continuing in his role as CIO of a top VPN vendor, and ExpressVPN intends to keep it that way. The company, which has more than 3 million users and primarily serves consumers as well as SMBs, said that it has no plans to change Gericke's position or status and fully stands behind its executive.
What's more, ExpressVPN said it has long known about Gericke's work with the UAE and believes that, rather than posing a privacy risk to its customers, his past employment is in fact a benefit.
"We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users' privacy and security," ExpressVPN said in a statement.
"Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats."
When asked if it was concerned that its CIO's history of targeting U.S. citizens might deter potential customers from its services, ExpressVPN referred back to its official statement.
"We were confident at the time and continue to be confident now in Daniel's desire and ability to contribute to our mission of enabling users to better protect their privacy and security," the statement reads. "He has demonstrated nothing but professionalism and commitment to advancing our ability to keep user data safe and private. Our trust in Daniel remains strong."
ExpressVPN was acquired this week for $936 million by Kape Technologies, a U.K.-based software company, the day before the DOJ announcement. Kape Technologies also owns rival VPN companies CyberGhost VPN and ZenMate VPN.
SearchSecurity contacted Kape for comment about the accusations and DPA against an ExpressVPN executive, but the company did not respond.
The revelation has alarmed many in the infosec and privacy communities. John Scott-Railton, senior researcher at the University of Toronto's Citizen Lab, said on Twitter that the ExpressVPN decision to hire and retain Gericke showed that "the VPN industry is a toxic, dangerous mess."
David Maynor, independent security researcher and former research scientist at Barracuda Networks, said on Twitter, "For safety reasons maybe skip ExpressVPN and Kape."
Liam Pomfret, privacy researcher and board member of the Australian Privacy Foundation, tweeted, "If you're using VPNs to do more than just view overseas streaming services, you really want to move away from ExpressVPN."
Security news director Rob Wright contributed to this report.