ExpressVPN, a popular VPN company, said it was aware of the "key facts" of its chief information officer Daniel Gericke's previous employment before hiring him. On Wednesday, the Department of Justice disclosed in court records that Gericke worked on Project Raven, a surveillance operation for the United Arab Emirates government that involved hacking of Americans, activists, and heads of state.
"We’ve known the key facts relating to Daniel’s employment history since before we hired him, as he disclosed them proactively and transparently with us from the start. In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users’ privacy and security," ExpressVPN told Motherboard in a statement.
"Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats. Our product and infrastructure have already benefited from that understanding in better securing user data," the statement continued.
Do you know anything else about the U.S. companies that sold exploits to be used in Karma or this case? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
On Tuesday, unsealed court filings described how Gericke as well as Marc Baier and Ryan Adams faced charges for their part in working on Project Raven. The court records say that the three violated the International Traffic in Arms Regulations and conspired to commit access device fraud and computer hacking offenses.
The court records say that the three took a zero-click exploit, which allows takeover of a device without any user interaction, and implemented that into Karma, the hacking system used by the UAE's Project Raven. Project Raven involved the hiring of former U.S. intelligence hackers who then worked on behalf of the UAE government, Reuters reported in 2019.
The court records also describe other uses and purchases of exploits by the group.
The court filings detailed that prosecutors will drop the charges if the three men cooperate with U.S. authorities, pay a financial penalty, and agree to a list of unspecified restrictions on their employment
"We were confident at the time and continue to be confident now in Daniel’s desire and ability to contribute to our mission of enabling users to better protect their privacy and security. He has demonstrated nothing but professionalism and commitment to advancing our ability to keep user data safe and private. Our trust in Daniel remains strong," ExpressVPN's statement continued.
"Of course, we do not rely on trust in our employees alone to protect our users. We have robust systems and security controls in place in all our systems or products. We also engage and provide significant access to many independent third parties to conduct audits, security assessments, and penetration tests on our systems and products," it added.
Subscribe to our cybersecurity podcast, CYBER.