Last week, newly unsealed court records showed that Daniel Gericke, an executive at VPN company ExpressVPN, worked on a United Arab Emirates (UAE) spying and hacking operation called Project Raven. Gericke and two other defendants reached a Deferred Prosecution Agreement (DPA) with the U.S. Department of Justice, meaning prosecutors would drop charges against them, but the group would have to pay a financial sum, agree to a list of restrictions on their employment, and cooperate with U.S. authorities.
In the wake of that news, ExpressVPN employees asked management a wave of questions about Gericke, what ExpressVPN knew about his employment, and how this will affect the company's perception in the cybersecurity industry, according to a copy of the messages submitted through an online form and obtained by Motherboard.
"To find out such news of the people we work closely with everyday through an online article was absolutely distasteful. Why weren't we given a heads-up? Isn't transparency and respect our core values?" one question asked.
The questions were submitted as part of an ExpressVPN meeting last week.
"ExpressVPN offered all employees an opportunity to openly ask questions about any subject of interest, including last week’s DPA announcement. These were answered by the leadership team at an all-staff meeting on Friday afternoon," ExpressVPN told Motherboard in a statement. "Every month, we hold an open Q&A where the team can ask any question about our business, performance, or leadership decisions. Last Friday’s event was an in-depth instance of an existing channel for staff to question top leadership. As a company, we value openness, dialogue, and transparency—which includes robust debate and incisive questioning."
With Project Raven, UAE-linked companies hired Americans, including former U.S. intelligence hackers, to work on behalf of the UAE government. The project involved building a hacking system called Karma that contained zero-click exploits which could take over target phones with no user interaction. The scale and scope of Project Raven was first reported in 2019 by Reuters. Targets included activists, heads of state, and Americans.
In a statement to Motherboard last week, ExpressVPN said Gericke "has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats."
Some employees still seemed to sense a potential conflict there, at least from the perspective of an outsider looking in at the company.
"How would you convince a prospective candidate that we're still an ethical company who believes in internet privacy [sic] when there are stories on top news sites saying 'ExpressVPN CIO Helped United Arab Emirates Hack into Phones, Computers'?" one person added.
"What impact do we think this will have on recruiting/candidates' perception of joining us?" another question read.
ExpressVPN previously told Motherboard it was aware of the "key facts" of his previous employment. In an email on Thursday, ExpressVPN added that when the company hired Gericke in December 2019, it was aware Gericke had worked for Cyberpoint and DarkMatter, two companies involved in the Project Raven episode. "However, as with all classified work, ExpressVPN could not be made privy to the details of what role Gericke may or may not have played in Project Raven," ExpressVPN told Motherboard. The company added that it learned of the existence of the DPA when the Department of Justice finalized the DPA with Gericke and the other two defendants.
"However we handle this episode with DanG, people will still ask 'Why didn't you explain this before (e.g., when Dan was hired) and not until after you've been 'exposed'?' Are there any other employees whose histories should now be proactively clarified?" another of the questions from employees said. In its new statement, ExpressVPN said "Due to outside legal restrictions related to the timing of the announcement, many team members heard the news about the DPA from an external source, rather than directly from the company. This was regrettable and in a perfect world, would have been handled differently."
Other questions more directly addressed the business side of ExpressVPN's operations, or related to issues around cybersecurity firm Kape acquiring ExpressVPN this month.
"Can you provide us with information of the total number of canceled xv [ExpressVPN] subscriptions/products uninstallation since the announcement of the acquisition and DPA?" one added, referring to the Deferred Prosecution Agreement which Gericke received.
One of the questions submitted was supportive of Gericke.
"DanG! We stand behind you!" it read.