Hacker VPN Logs Expose Massive Fraud

How It All Started

UFO VPN in Hong Kong claimed to be a ‘zero log’ provider of virtual private networks. White hat hacker Bob Diachenko, the head of Comparitech’s security research division, examined these claims firsthand as part of an independent probe.

To Bob’s horror, he found UFO’s claims to not only be false, but he found their security to be almost nonexistent. An entire array of user logs, access records, and authentication attempts were available on a web page that required no password. All you needed to do was browse to the right URL, and the logs were freely available for the taking.

Comparitech reported the breach to UFO immediately, giving them all the details they would need to plug the hole and correct any accidental logging that might be taking place. But instead of implementing a fix, they tore open an even larger hole. The cache of user information exposed on July 20 was simply hosted on a different IP address, and the contents were even more expansive than the earlier leak. With no other choice, Diachenko and his team informed the world that users could not trust UFO VPN to provide secure, private networking services.

The Escalation

That same month, Noam Rotem's team at VPNmentor was doing their own investigation of Hong Kong-based free VPN services. They discovered that a total of seven of these VPN providers were not only lying about their logs but had them available for open examination. Usernames, IP addresses, passwords, Paypal account information, Bitcoin payments… all just sitting there in plain text, unencrypted files.

In total, 1.2TB of logs were exposed to the public. But to be much more specific: 1.2TB of logs were exposed to the Chinese government.

Whether these free VPN services had been set up as a trap by government forces, or whether it was sheer incompetence, these lying ‘no log’ VPN companies put hundreds of thousands of lives in danger. People who just wanted privacy from the Chinese government were now put under the microscope, their activities laid bare. And tens of millions of others from around the world had their personal and financial information put on public display.

Ultimately, the responsibility falls on the shoulders of Dreamfii HK Limited, the holding company that controls these and many other free VPN services in the area. Whether they’re complicit, incompetent, or simply don’t care is still unknown.

It started with just one white hat hacker, VPN logs that couldn’t be explained, and a quiet word to the company in question so that they could fix their issues. But it ended up being a multi-company screw-up of epic proportions. A cabal of lying VPN corporations - all under common ownership - that either accidentally or purposefully sold out their users to the Chinese government.

Can’t Prove A Negative

The biggest problem with VPNs that claim they keep ‘absolutely no logs’ is that you can’t prove a negative. If logging isn’t taking place, there’s nothing to find. But if they do exist, they could be kept onsite, offsite, in the Cloud, or on backup media… there are simply too many possibilities to check comprehensively. It’s only when a serious screw-up, a government seizure of their server, or a hack takes place that we find out the truth.

Even auditing isn’t a guarantee. A VPN service could easily call an auditor, turn off their logging capabilities for a few days, and then turn them back on after the consultants have left the building.

Because you can’t prove a negative, you simply have to take the VPN provider at their word. So the question becomes: Who do you trust?

Even When They Work, VPNs Are Poor Privacy Shields

VPNs are, and always have been, designed as a security measure. Not privacy… security.

Their origins are in the ability to connect to a corporate network remotely. They open an encrypted tunnel between point A and point B, and the remote user can access the internal business network.

In order to be an effective privacy measure, a VPN would need to do three things: Disguise your IP address, block harmful tracking cookies, and obfuscate your hardware and browser fingerprint.

VPNs only do one of those three things. And as we saw in the story above, if they secretly keep logs, then even IP address masking is a useless measure. Without a doubt, browser fingerprinting is the number one privacy threat of the 2020s. Third-party cookies might be dying a slow death, but the rise of identifying people through their unique combination of hardware and software has just begun.

It’s high time that people looked at VPNs strictly as security and utility services. Privacy software needs to cover many layers of the modern networking model that a VPN simply can’t handle. Let’s treat these functions separately and stop relying on the wrong tool for the job.