De-anonymization of VPN and Proxy Users through Third-Party Websites

Author: Aleksei Morozov
Updated: 14 February 2569 BE

We find ourselves once again in the role of agents, catching a hacker about whom the only information we have is an IP address. Finding the exit point to the internet by IP address is a trivial matter, but we are up against a very skilled opponent. He is not just using a VPN, but a chain of 4 VPN servers, some of which are located in offshore countries with abuse-resistant hosting providers. It is well known that such providers ignore requests.

He set up the VPN himself, so there is no intermediary in the form of a VPN service, which can often be negotiated with. Even if a VPN service offers servers around the world, the company is usually located in the USA or Europe and must comply with the laws. But even if the owner registered the company in Costa Rica, he usually sits somewhere in Russia, Europe, or the USA.

In general, these guys need money and a quiet life, not problems. For most of them, anonymity costs nothing; it is just a commodity, and offended representatives of special services, especially from China, Russia, and the USA, can create a lot of problems for the business.

A personal VPN is a reasonable choice, but our hacker did not limit himself to a personal VPN: he also set up first-class browser security. In particular, he enabled Canvas Fingerprint substitution, blocked tracking technologies, and strictly limited script execution. He used this browser only for "work"; for personal matters, he used another browser. It goes without saying that he did not visit social networks or any other accounts related to his real data from the work browser.

How do we track down such a skilled and advanced hacker? We take the IP address of his VPN and check if it has been used to visit social networks and other popular services in the last month. Representatives of social networks are very cooperative and quickly provide information.

In our case, it turned out that the hacker once logged into his social media page from his work VPN. It was a different browser, but the IP address was the same. This slip-up happened only once and lasted just a couple of seconds; then he noticed that he had not turned off the work VPN and had not changed the IP, but those seconds were enough. Job done.
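
The lookup described above, as an added example (not code from the original article): given a service's login log, list the accounts that authenticated from one exit IP within the last month, including a session that lasted only seconds. The log format, account names and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of a service's login log (assumed format):
# ISO-8601 timestamp, account, source IP, browser family.
SAMPLE_LOG = """\
2026-01-02T09:15:00+00:00 carol 203.0.113.7 Firefox
2026-02-01T20:14:03+00:00 alice 198.51.100.20 Chrome
2026-02-03T21:40:11+00:00 bob 203.0.113.7 Chrome
2026-02-03T21:40:14+00:00 bob 203.0.113.7 Chrome
2026-02-03T21:52:30+00:00 bob 192.0.2.44 Chrome
2026-02-05T08:00:00+00:00 alice 198.51.100.20 Chrome
"""


def accounts_seen_from(ip, log_text, now, window_days=30):
    """Return accounts that logged in from `ip` between now - window_days and now.

    `now` must be timezone-aware, like the timestamps in the log.
    """
    target = ipaddress.ip_address(ip)
    cutoff = now - timedelta(days=window_days)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # blank or truncated line
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # malformed timestamp or address
        # The browser field is ignored on purpose: the match is on the IP alone.
        if src == target and cutoff <= ts <= now:
            hits[parts[1]].append(ts)
    return {
        account: {
            "first_seen": min(seen),
            "last_seen": max(seen),
            "events": len(seen),
            "span_seconds": (max(seen) - min(seen)).total_seconds(),
        }
        for account, seen in hits.items()
    }
```

With the sample log and a reference time of 10 February 2026, the only account returned for `203.0.113.7` is `bob`, with two events three seconds apart.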

Some of my colleagues believe that a public VPN saves one from identification in such cases because it is used by many users. I think this reasoning is incorrect.
