The Future Is Here
We may earn a commission from links on this page

You Should Probably Stop Using ExpressVPN

The popular privacy product's integrity has been called into question after it was revealed that an employee had worked as a cyber-mercenary for the UAE.

Image for article titled You Should Probably Stop Using ExpressVPN
Photo: NICOLAS ASFOURI / AFP (Getty Images)

For years, ExpressVPN has been one of the most popular and widely used privacy products of its kind on the market. It’s often ranked highest on top 10 VPN lists; a recent Tom’s Guide review called it the “hands-down best” VPN available. In the past, if you wanted to stay anonymous on the web, Express would’ve likely been the way to go.

However, all of this has been called into question following the revelation that ExpressVPN Chief Information Officer Daniel Gericke previously worked as a hacker-for-hire at DarkMatter—a cybersecurity firm based in the United Arab Emirates. Between 2016 and 2019, Gericke helped to hack systems and devices all over the world as part of “Project Raven,” a secretive operation designed to help the UAE monarchy track and surveil critics of its regime, including activists, journalists, and some individuals based in the U.S.

Advertisement

Gericke and two other former U.S. intelligence operatives recently faced federal charges for their involvement in “Raven” but managed to reach deferred prosecution agreements with the government, allowing them to pay fines to avoid jail-time, while also agreeing to certain terms.

Advertisement

If the idea of an ex-spy helping a Middle Eastern government hack U.S. computers is disturbing to you, don’t worry—you’re not alone. The news of Gericke’s employment with the company has rightfully startled customers of ExpressVPN and led to a torrent of online criticism. Express initially tried to quell concerns about their executive’s ties to “Raven” by weirdly admitting that they knew “key facts” about his prior employment when they hired him and were pretty much fine with it. This strategy didn’t really pan out for them. They subsequently published a more extensive statement, noting that they did “not condone” Project Raven” as the “surveillance it represents is completely antithetical to our mission.” They also promised to increase third-party audits as a method to sustain compliance with their own privacy policy.

Advertisement

However, in their remarks, the company ultimately stuck by Gericke. The company explained it like this:

Some may ask: How could we willingly invite someone with Daniel’s past into our midst? For us, the answer is clear: We are protecting our customers.

To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.

Advertisement

Whether you buy this argument or not, it could be argued that once that seasoned veteran winds up in federal court, things might have to be reassessed a little. Reuters reports that he is still employed with the company.

Ultimately, these calming words do not seem to have soothed everybody. Not only are the company’s customers riled up, but so are its employees. At a recent virtual meeting, ExpressVPN employees apparently aired their grievances about the recent turn of events, not pausing to mince words.

Advertisement

“This episode has eroded consumer’s trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?” said one.

“To find out such news of the people we work closely with everyday through an online article was absolutely distasteful. Why weren’t we given a heads up? Isn’t transparency and respect our core values?” another person reportedly asked.

Advertisement

Other recent events have caused some to question ExpressVPN’s direction. The company was recently purchased by Kape Technologies, an Israeli technology firm with a controversial past. Formerly known as CrossRider, the company was renamed in 2018 after it got a little too much publicity for, as CNET recently put it, being the “notorious creator of some pernicious data-huffing ad-ware.” Since then, it has been on an apparent rebranding effort accompanied by a privacy product buying spree. In recent years, the firm has procured the VPNs CyberGhost, Zenmate, and Private Internet Access, and purchased ExpressVPN for $936 million earlier this month.

Some of the key figures associated with Kape have also raised eyebrows. A majority share of the company is owned by Teddy Sagi, an Israeli billionaire who, in the 1990s, pled guilty to charges related to bribery and market manipulation and subsequently spent a short stint behind bars. Businesses connected to Sagi were also unearthed in the Panama Papers, the multi-terabyte leak which showed the intricate network of shell companies and tax havens used by world leaders and businesses. The company’s previous CEO and co-founder, Koby Menachemi, is also an Israeli ex-intelligence officer who served in Unit 8200, the notorious cyber (read: hacking) wing of the Israel Defense Forces. Menachemi left the company in 2016.

Advertisement

At the very least, ExpressVPN owes its users a more extensive transparency report on why it hired Gericke. However, given everything that’s come out, it’s probably not out of the question for some customers to up and quit the company’s services altogether.

When you consider the prominence of ExpressVPN, the episode also raises questions about just how secure the VPN industry is overall: How common is it for those on the furthest, flintiest edges of the surveillance industry to turn around and work for companies dedicated to protecting privacy? While you would like to hope the answer is “not very common,” the largely unregulated, walled-off nature of the privacy industry makes it impossible to tell. We reached out to ExpressVPN for comment and will update this story if they get back to us.

Advertisement

UPDATE: A previous version of this story incorrectly stated that Koby Menachemi was the current CEO of Kape Technologies. Menachemi left the company in 2016. We regret the error.