ExpressVPN executive Daniel Gericke fined $335,000 for benefiting from cyber surveillance

  • Daniel Gericke was the chief information officer of ExpressVPN, one of the world's largest VPN providers, until leaving the company in July 2023
  • Gericke was reportedly part of Project Raven, a clandestine spy unit employed by the UAE
  • Despite the revelations, ExpressVPN stated that the company’s trust in Daniel Gericke “remains strong”

Tuesday’s Deferred Prosecution Agreement (DPA) disclosed by the US Government named ExpressVPN ex-CIO Daniel Gericke as one of the members of Project Raven, a mercenary intelligence unit that helped the United Arab Emirates spy on its enemies. Gericke received a monetary penalty of $335,000 and has agreed to cooperate with the FBI.

On Tuesday, Reuters reported that Daniel Gericke, who joined ExpressVPN as CIO in December 2019 and left in July 2023, was one of three former US intelligence and military operatives who, under a deal to avoid prosecution, admitted to violating US hacking laws by working as "cyber spies" for the United Arab Emirates and agreed to pay a combined $1.68 million in penalties.

Gericke, along with two ex-US intelligence operatives Marc Baier and Ryan Adams, was reportedly part of Project Raven, a covert team tasked with building the UAE's Karma hacking system and hacking into the accounts of human rights activists, journalists, and rival governments “at the behest of the UAE’s monarchy,” according to a 2019 Reuters investigation.

The revelations of Daniel Gericke’s involvement in Project Raven surfaced a day after the $936-million acquisition of ExpressVPN by Kape Technologies, a company that already owns three other VPN brands: Private Internet Access, ZenMate and CyberGhost.

What is Project Raven?

Project Raven, first exposed by Reuters in 2019, was a clandestine team of former US intelligence and military members involved in developing and deploying covert surveillance tools, including Karma, for the Emirati monarchy.

These “state-of-the-art cyber-espionage tools” were allegedly employed on behalf of the UAE intelligence service to spy on “human rights activists, journalists, and political rivals.”

Moreover, a review of “thousands of pages” of Project Raven documents and emails by Reuters reporters Christopher Bing and Joel Schectman reveals that “surveillance techniques taught by the NSA were central to the UAE’s efforts to monitor opponents.”

In 2016, Project Raven was moved to DarkMatter, a UAE cybersecurity company allegedly involved in targeting US nationals for surveillance.

What was Daniel Gericke’s role on Project Raven?

According to the Deferred Prosecution Agreement published by the US Department of Justice, Daniel Gericke worked as a senior manager at a United Arab Emirates-based company that “supported and carried out computer network exploitation (CNE) (i.e., ‘hacking’) operations” on behalf of the monarchy “between 2016 and 2019.” Interestingly, Gericke also appears to have renounced his US citizenship in 2017 while working on Project Raven.

The document states that Gericke and the two other defendants were informed “on several occasions” that their work on the surveillance tools without acquiring a license from the US government was in violation of the International Traffic in Arms Regulations (ITAR).

This indicates that the capabilities Project Raven used to spy on the UAE’s enemies were treated by the US government as export-controlled defense services: military-grade spyware capable of compromising devices “without any action by the target.”

Moreover, according to the Deferred Prosecution Agreement, which allows a prosecution to be suspended provided the defendants meet certain specified conditions, the defendants, including Gericke, were using these military-grade tools to “illegally obtain and use access credentials for online accounts issued by US companies,” as well as to “obtain unauthorized access” to devices around the world, including in the US.

As an example, the DPA lists two “zero-click surveillance systems” worked on by Gericke, which were used to “obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices” that used an operating system (presumably either iOS or Android) made by a US-based company.

According to a recent report by MIT Technology Review, at least one of the exploits used by Project Raven, which allowed threat actors to “completely take over a victim's iPhone,” was allegedly developed and sold to the UAE in 2016 by an American security company named Accuvant, now part of Optiv.

For his years-long work on Project Raven, Daniel Gericke agreed to pay $335,000 under the terms of the DPA. In addition to the financial penalties, Gericke and the other defendants agreed to:

  • Full cooperation with the US Justice Department and FBI components
  • The immediate relinquishment of any foreign or US security clearances
  • A lifetime ban on future US security clearances
  • Future employment restrictions, which include a prohibition on employment that involves computer network exploitation

“This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company – there is risk, and there will be consequences.”

- Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

ExpressVPN defends Daniel Gericke following Project Raven hacking revelations

In a statement issued on Wednesday, ExpressVPN noted that Gericke’s ex-spy “history and expertise” were what “made him an invaluable hire” for the company, allowing the VPN provider to benefit from his understanding of “the tools and techniques used by the adversaries” ExpressVPN aims to protect its users against.

"We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start," reads ExpressVPN’s statement.

"We were confident at the time and continue to be confident now in Daniel's desire and ability to contribute to our mission of enabling users to better protect their privacy and security. He has demonstrated nothing but professionalism and commitment to advancing our ability to keep user data safe and private. Our trust in Daniel remains strong."

Following Tuesday’s revelations, it appears that Daniel Gericke's LinkedIn and Twitter accounts have been deleted.

While the reasons for their sudden removal remain unclear, it is likely that Gericke was receiving large numbers of personal messages from disgruntled ExpressVPN customers, as well as numerous requests for comment from the press.

The public outing of Daniel Gericke as an alleged former spy for the Emirati monarchy, along with ExpressVPN’s staunch defence of its beleaguered CIO, may have negative implications for the reputation of the VPN provider, a leader in an industry that is built on protecting user privacy and security.

Update 16/09: ExpressVPN's statement was later updated to include Daniel Gericke’s work history.

The VPN provider claims that Gericke’s involvement with Project Raven did not include target device selection for the UAE’s surveillance tools.

"Daniel’s work in the UAE with Cyberpoint was based on know-how gained via open source communities and technology conferences, not knowledge or exposure to military intelligence exploitation of computer systems,” reads the updated statement.

“[Daniel Gericke’s] job responsibilities never included target selection.”

- ExpressVPN

According to ExpressVPN, the selection of targeted devices was instead handled by the local UAE government staff.

“Daniel left his intelligence-related work in November 2018 and continued contracting through DarkMatter as an IT Expert managing servers and data centers. Daniel ceased contracting and left the UAE to join ExpressVPN in December 2019.”

ExpressVPN concludes the statement by noting that Gericke, who agreed to pay $335,000 and cooperate with the FBI as part of the DPA, “has not admitted guilt, nor will he be convicted of any crime.”

Update 16/09: ExpressVPN issued a new statement in which the company attempted to address its customers' concerns about Daniel Gericke’s past.

In the face of mounting user backlash, ExpressVPN doubled down on defending its CIO, arguing that Gericke's expertise was instrumental in building its privacy features, and listing ExpressVPN's TrustedServer technology and its app build verification system as key examples of his work. The company says it has "extensively considered" users' concerns about the Deferred Prosecution Agreement signed by Gericke but does not "share them."

Some may ask: How could we willingly invite someone with Daniel’s past into our midst? For us, the answer is clear: We are protecting our customers.

- ExpressVPN

"To do that job effectively - to do it, as we believe, better than anyone else in our industry - requires harnessing all the firepower of our adversaries," reads the statement.

"The best goalkeepers are the ones trained by the best strikers. Someone steeped and seasoned in offense, as Daniel is, can offer insights into defense that are difficult, if not impossible, to come by elsewhere. That’s why there is a well-established precedent of companies in cybersecurity hiring talent from military or intelligence backgrounds."
