A cyberstalker in the United States was arrested by the FBI after a popular VPN provider with a no-logs policy PureVPN allowed the government agency skim through its user logs to find and track the culprit’s IP address. While the FBI truly did a great job, this case apparently exposed the company’s lies about its no logs policy.

According to the Department of Justice, 24-year-old Ryan Lin, of Newton (Massachusetts)  allegedly waged “an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest, against a 24-year-old female victim, her family, friends and institutions associated with her.”

He “allegedly hacked into the victim’s online accounts and devices, stealing private photographs, personally identifiable information, and private diary entries that contained highly sensitive details about her medical, psychological and sexual history”.

Further, Lin “allegedly created and posted fraudulent online profiles in the victim’s name (with her photographs and home address) and solicited rape fantasies, including “gang bang” and other sexual activities, which in turn caused men to show up at her home”.

William D. Weinreb, Acting United States Attorney, added:

“Mr. Lin allegedly carried out a relentless cyber stalking campaign against a young woman in a chilling effort to violate her privacy and threaten those around her. While using anonymizing services and other online tools to avoid attribution, Mr. Lin harassed the victim, her family, friends, co-workers and roommates, and then targeted local schools and institutions in her community. Mr. Lin will now face the consequences of his crimes.”

Apparently, Lin used various privacy services like ProtonMail, VPN clients, and Tor, anonymised international text messaging services and offshore private e-mail providers to hide his real IP address.

Lin managed to evade detection for over a year. But he made a mistake by using a work computer for sending online threats. After a year of cyberstalking, the feds uncovered overlapping service providers and managed to obtain logs from PureVPN. Lin was arrested on October 5, and sentenced to 5 years in prison and 3 years of “supervised release”.

Harold H. Shaw, one of the FBI agents involved in the investigation, noted:

This kind of behaviour is not a prank, and it isn’t harmless.  He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today’s arrest will deter others from engaging in a similar criminal conduct.

While the FBI truly did a great job, PureVPN, whose first line of the privacy policy is — “We Do Not monitor user activity nor do we keep any logs” — has literally betrayed its users who trusted  PureVPN to protect their activities online.