Apophis Squad member responsible for attacks against ProtonMail has been arrested

Earlier this week, the British National Crime Agency announced the arrest of George Duke-Cohan, also known by his aliases “7R1D3N7,” “DoubleParallax,” and, more recently, “optcz1.” At ProtonMail, we unfortunately have to face off against cyberattacks on a daily basis. Over the course of this summer, no fewer than five separate groups have been conducting attacks against ProtonMail. Duke-Cohan was a key member of Apophis Squad, a criminal group which was involved in cyberattacks against ProtonMail.

Fortunately, due to the efforts of Radware, F5 Networks, and our infrastructure team, we were able to keep service disruptions to a minimum. However, the security, reliability, and reputation of Proton services are our highest priority, and we take all attacks against us extremely seriously. As part of our commitment to security, we will actively pursue all those who try to harm ProtonMail and bring them to justice. To fulfill this commitment, we are willing to commit all necessary financial, legal, and technical resources.

Our security team began to investigate Apophis Squad almost immediately after the first attacks were launched. In this endeavor, we were assisted by a number of cybersecurity professionals who are also ProtonMail users. It turns out that despite claims by Apophis Squad that federal authorities would never be able to find them, they themselves did not practice very good operational security. In fact, some of their own servers were breached and exposed online.

By sifting through the clues, we soon discovered that some members of Apophis Squad were in fact ProtonMail users. This was soon confirmed by a number of law enforcement agencies that reached out to us. It seemed that in addition to attacking ProtonMail, Duke-Cohan and his accomplices were engaged in attacking government agencies in a number of countries. Predictably, this triggered law enforcement agencies to make MLAT requests asking us to render assistance to the extent that is possible given ProtonMail’s encryption.

What we found, combined with intelligence provided by renowned cybersecurity journalist Brian Krebs, allowed us to conclusively identify Duke-Cohan as a member of Apophis Squad in the first week of August, and we promptly informed law enforcement. British police did not move to immediately arrest Duke-Cohan, however, and we believe there were good reasons for that. Unfortunately, this meant that through much of August, ProtonMail remained under attack, but due to the efforts of Radware, ProtonMail users saw no impact.

It, however, also led to a very unfortunate incident involving United Airlines Flight 949. On Aug. 9, Duke-Cohan posed as the father of a distressed airline passenger, claiming that a London to San Francisco flight had been hijacked and that there was a bomb on the plane. Upon arrival in San Francisco, the plane was quarantined and extensively searched. This, combined with the fact that Apophis Squad had threatened to send bomb threats to UK schools when school started again in September, made it necessary for British police to take action.

On Aug. 31, officers from the British National Crime Agency (NCA) arrested Duke-Cohan outside of London. On Monday, he pleaded guilty in a UK court to three counts of making bomb threats to schools and airlines. We believe further charges are pending, along with possible extradition to the US.

Our mission is to bring privacy, security, and freedom of information to citizens around the world. However, this does not extend to protecting individuals who are engaged in criminal activities. That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law.

In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice. We believe this work is absolutely essential to make the world safer for the rest of us.

Thank you for your continued support as we fight for what is right.

Best Regards,
The ProtonMail Team

About the Author

Andy Yen

Andy is the Founder and CEO of ProtonMail. Originally from Taiwan, he is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and received his PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about ProtonMail's mission.


21 comments on “Apophis Squad member responsible for attacks against ProtonMail has been arrested”

  • What could the motive of this person possibly be?

    You read the article and he’s waving a gun on an airplane, so you think “this is a really bad guy”.

    But then we read governments wanted ProtonMail cooperation to catch this person. Be very very careful in giving governments information about the ProtonMail systems.

    Reply
    • We will never breach our privacy policy as it would be against Swiss law. In this case, we did not go against our privacy policy, but our security team assisted by sharing a lot of the intelligence that we gathered from other sources. 

      Reply
  • Hey Andy, at least you got the guy, but now you also know there’s more work to be done on Proton services to keep them more secure. The guy basically helped you in a way, though, Andy.

    Reply
  • Just lost my interest in ProtonMail.
    No, I’m not a criminal nor a hacker, I’m just a normal person who seeks privacy.
    When the CEO himself states in an indirect way that ProtonMail could track or pinpoint users’ activities in order to identify some threat, it definitely means that they can access our data anytime, anywhere, with or without law enforcement requests or orders.

    It had been a good experience until that was said and acted upon.
    No more trust in such services.

    Future prediction: ProtonMail was able to identify some criminal through his ProtonVPN logs =) good job.

    Reply
    • This is not correct. There is no way to bypass ProtonMail’s encryption, nor was ProtonMail data necessary to catch this criminal. They left clues all over the internet which we were able to track.

      Reply
  • Interesting. However, I find it a bit odd that he pled out to the charges so quickly. A month? What screws did they put to him?

    Reply
  • How about normal political activity cases and using ProtonMail to protect privacy?
    Sometimes secret services in many countries can present this activity as a crime. They prepare all the documents you need to think that the ProtonMail user is a victim, but in truth he is not a victim.

    Sometimes services can lie and prepare proofs to attack political opponents or volunteers who are against them in political or investigative resistance. So can you de-anonymize each user who is using ProtonMail?
    Who tells you that user activity is illegal or a crime? Who verifies this? Who decides whether to believe or not believe?
    Many countries have something like a secret court of justice, which issues a legal act to catch someone via Interpol on political orders.
    Many times secret services work and generate it on political orders to fight against human rights and the opposition.
    Do you ask ProtonMail users about hidden and secret questions about them? About investigations against them?
    What about the right to defend against fakes generated by secret services? Sometimes they truly do this to catch political opposition or citizens who are interested in public cases.

    Please tell me the whole truth, not your company slogans.
    Thank you, ProtonMail, for existing. Despite all.
    Regards

    P.S. I don’t give you a feedback email; please answer below the comments in the FQ

    Reply
    • Hi Rob, please find below answers to your questions:
      1. How about normal political activity cases and using ProtonMail to protect privacy?
      – If there are grounds to believe the prosecution of a person is politically motivated, we will fight the order on the basis of art. 2 let. b IMAC, as we have already done in the past.
      2. Sometimes services can lie and prepare proofs to attack political opponents or volunteers who are against them in political or investigative resistance. So can you de-anonymize each user who is using ProtonMail?

      – Switzerland is not known to collaborate with every country in these matters, and countries resorting to such procedures are likely to have assistance from Switzerland denied.
      3. Who tells you that user activity is illegal or a crime? Who verifies this? Who decides whether to believe or not believe?
      – The Swiss authorities will enforce the order if they believe it is reasonably likely that the targeted user has committed a crime or a felony, that the order is proportionate, and that other investigative means have failed and are likely to fail again (art. 269 CrimPC). They must be validated by the court of compulsory measures, which will judge the fulfillment of these conditions (art. 272 I CrimPC).
      4. Do you ask ProtonMail users about hidden and secret questions about them? About investigations against them?
      – When not restrained by a duty of confidentiality, we do inform users. Otherwise, we cannot. Under Swiss law, the target of an order must eventually be informed by the prosecution, at the latest at the closing of preliminary proceedings (art. 279 CrimPC).

      Reply
  • “Our mission is to bring privacy, security, and freedom of information to citizens around the world. However, this does not extend to protecting individuals who are engaged in criminal activities”
    Does that only mean Swiss law? In certain countries you can be considered a criminal for speaking up against the religion of the state. Does ProtonMail protect the individual in such a case, even if it’s against the law in the user’s country but not in Switzerland?

    Reply