Law enforcement agencies around the world, in a coordinated effort, took down and seized the infrastructure supporting Safe-Inet and Insorg, VPN and proxy services known for catering to cybercriminal activity.
Codenamed “Operation Nova,” the law enforcement action was led by the German Reutlingen Police Headquarters and Europol and seized Safe-Inet servers in Germany, the Netherlands, Switzerland, France, and the United States.
Three domains seized
The domains associated with the services (insorg.org, safe-inet.net, safe-inet.com) are showing the splash page from Europol for domain seizures.
In announcements made today, Europol and the U.S. Department of Justice say that these VPN services were “used by some of the world’s biggest cybercriminals.”
The list of customers includes ransomware operators, individuals involved in web skimming (MageCart), spearphishing, and account hijacking activities.
Cybercriminals using Safe-Inet and Insorg services have compromised networks all over the world, using the VPN connections to hide the location of their operational infrastructure.
Safe-Inet and Insorg VPN
Safe-Inet services have been running for 11 years, advertised to cybercriminals needing multiple layers of anonymity and stable connections.
BleepingComputer has seen ads for Safe-Inet services on several forums for black hat activities. One of them, posted as recently as December 4 and supplied by cybersecurity intelligence firm KELA, is from a carder forum hidden on the Tor network.
Its operator provided 24/7 support and a 3-day money-back guarantee if services were not to the customers’ satisfaction. Anonymity was a key element for growing the business, so the operator highlighted their no-logs policy on the website.
Prices ranged from $1.3 per day to $190 per year for 39 servers and up to five layers of anonymous VPN connections.
Insorg had similar offers and provided 4096-bit encryption with OpenVPN. Unlike Safe-Inet, though, the service offered up to three layers of VPN connections. According to some reviews, this service had 27 servers in 21 countries, at least at one point.
Insorg VPN services were also advertised on cybercriminal forums. One ad from 2019 was published for a Russian-speaking audience on a forum frequently used by network intruders offering access to large organizations, often for ransomware attacks.
The primary language for both VPN services was Russian, although customer support also took questions in English, showing an expanding business.