For years, ExpressVPN has been one of the most popular and widely used privacy products of its kind on the market. It’s often ranked highest on top 10 VPN lists; a recent Tom’s Guide review called it the “hands-down best” VPN available. In the past, if you wanted to stay anonymous on the web, Express would’ve likely been the way to go.
However, all of this has been called into question following the revelation that ExpressVPN Chief Information Officer Daniel Gericke previously worked as a hacker-for-hire at DarkMatter—a cybersecurity firm based in the United Arab Emirates. Between 2016 and 2019, Gericke helped to hack systems and devices all over the world as part of “Project Raven,” a secretive operation designed to help the UAE monarchy track and surveil critics of its regime, including activists, journalists, and some individuals based in the U.S.
Gericke and two other former U.S. intelligence operatives recently faced federal charges for their involvement in “Raven” but managed to reach deferred prosecution agreements with the government, allowing them to pay fines to avoid jail-time, while also agreeing to certain terms.
However, in their remarks, the company ultimately stuck by Gericke. The company explained it like this:
Some may ask: How could we willingly invite someone with Daniel’s past into our midst? For us, the answer is clear: We are protecting our customers.
To do that job effectively—to do it, as we believe, better than anyone else in our industry—requires harnessing all the firepower of our adversaries. The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds.
Whether you buy this argument or not, it could be argued that once that seasoned veteran winds up in federal court, things might have to be reassessed a little. Reuters reports that he is still employed with the company.
Ultimately, these calming words do not seem to have soothed everybody. Not only are the company’s customers riled up, but so are its employees. At a recent virtual meeting, ExpressVPN employees apparently aired their grievances about the recent turn of events, not pausing to mince words.
“This episode has eroded consumer’s trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?” said one.
“To find out such news of the people we work closely with everyday through an online article was absolutely distasteful. Why weren’t we given a heads up? Isn’t transparency and respect our core values?” another person reportedly asked.
Other recent events have caused some to question ExpressVPN’s direction. The company was recently purchased by Kape Technologies, an Israeli technology firm with a controversial past. Formerly known as CrossRider, the company was renamed in 2018 after it got a little too much publicity for, as CNET recently put it, being the “notorious creator of some pernicious data-huffing ad-ware.” Since then, it has been on an apparent rebranding effort accompanied by a privacy product buying spree. In recent years, the firm has procured the VPNs CyberGhost, Zenmate, and Private Internet Access, and purchased ExpressVPN for $936 million earlier this month.
Some of the key figures associated with Kape have also raised eyebrows. A majority share of the company is owned by Teddy Sagi, an Israeli billionaire who, in the 1990s, pled guilty to charges related to bribery and market manipulation and subsequently spent a short stint behind bars. Businesses connected to Sagi were also unearthed in the Panama Papers, the multi-terabyte leak which showed the intricate network of shell companies and tax havens used by world leaders and businesses. The company’s previous CEO and co-founder, Koby Menachemi, is also an Israeli ex-intelligence officer who served in Unit 8200, the notorious cyber (read: hacking) wing of the Israel Defense Forces. Menachemi left the company in 2016.
At the very least, ExpressVPN owes its users a more extensive transparency report on why it hired Gericke. However, given everything that’s come out, it’s probably not out of the question for some customers to up and quit the company’s services altogether.
When you consider the prominence of ExpressVPN, the episode also raises questions about just how secure the VPN industry is overall: How common is it for those on the furthest, flintiest edges of the surveillance industry to turn around and work for companies dedicated to protecting privacy? While you would like to hope the answer is “not very common,” the largely unregulated, walled-off nature of the privacy industry makes it impossible to tell. We reached out to ExpressVPN for comment and will update this story if they get back to us.
UPDATE: A previous version of this story incorrectly stated that Koby Menachemi was the current CEO of Kape Technologies. Menachemi left the company in 2016. We regret the error.