
Ask HN: My Suspicion Regarding “M247 Ltd” - Pablo946
Around a year or two ago I noticed almost every single self-proclaimed No-logs VPN had started opening new servers with a provider called M247, which is based in Manchester, UK. At first it was nothing suspicious and maybe 20% of the VPN servers I used were operated by M247, and these were all servers in Europe, and there were no red flags or anything suspicious to me at the time.

However fast forward to the present day and I notice that M247 Ltd is operating an estimated 65-85% of these VPN servers, and 90% of the USA servers are operated by them. Now they have VPN exits everywhere. All over USA, all over Europe, they have some in Asia, even Australia. The fact that so many VPN servers are using their network concerns me for a number of reasons, the first being that with all the VPN traffic flowing through their network, there is now a target on their back by government organizations, etc, what's stopping them from putting DPI boxes on their upstream ISP, or forcing them to log all traffic?

The second is more concerning: What if M247 is just a front, not really a network provider at all but really an intelligence operation, created specifically so that VPN provider owners would rent servers with them so the traffic could be analyzed? I heard from some other sources that M247 has been known to conduct shady deals, etc. What if the government is offering up these servers for dirt cheap to VPN providers purposefully, and that is why they are all using them?

Another fishy thing that concerns me is the number of false names that M247 VPN IP addresses are registered with, previously I noticed they were all registered under the name "M247 Ltd", "M247 Europe SRL", "M247 Miami/Phoenix/etc Infrastructure", but recently I notice they are registering their IP addresses under completely false names that don't turn up any results on Google, such as "Ppman Services SRL", "Secure Data Systems SRL", "Venus Business Communications Limited", "UK Web Solutions Limited", "FirstClassIT Solutions", and a few others that I can't remember at the time. These IPs all use the M247's ASN (AS9009), and under "Organization" it does say "M247 Ltd", but "ISP" says those false names.

Another strange thing I noticed was that they even used "Cogent Communications" as one of the false names attached to some of their IP addresses (however just like usual Organization was M247 and AS was 9009). If they are a regular legal company, how can they possibly be making up ISP names out of thin air and using them, as well as using the name of an already existing network provider, Cogent?

All these signs point to M247 conducting some less than kosher business, whatever that may be. I'm now very suspicious of connecting to VPN servers where the ISP is M247, for fear that they are some kind of government front/data collection firm/etc. Has anyone other than myself felt suspicious of M247 and thinks they are up to something? Or better yet, is there anyone who knows more about them than I do who is willing to shed some light on them?
======
samworm
I was an M247 colo customer in Manchester for approx 5 years. I went to their
primary DC many times, interacted with their staff. They're a hosting company.
The colo racks are full of servers with lots of little labels with different
company names. The managed (and hence vps) racks are numerous and anonymous,
which is what you'd expect. I'm not sure what you think is going on. They're
cheap. They have excess capacity. So bottom-feeding race-to-the-bottom
operators like VPN providers are buying from them. It doesn't seem too
surprising.

------
serf
VPN organizations have a few characteristics I've noticed:

1) they're fairly cheap to run, so groups spin up from nowhere fast.

2) due to being cheap to run, they seem to gather industry newcomers with
little experience who are seeking a low-hanging-fruit first project.

3) they have a quick business 'period'. They come fast and they go fast.
Probably due to the low-experience and extreme competition in that sector.

4) they consolidate quickly into large groups, and those large groups are
fairly fast to buy up smaller competition in an effort to control commodity
price.

> What if the government is offering up these servers for dirt cheap to VPN
> providers purposefully, and that is why they are all using them?

I guess that's just dependent on the threat model you're abiding by. Most
casual vpn-as-a-business isn't going to do much to protect from state level
adversaries, anyway.

The same phenomenon has happened in the US on the vpn market a few times now.
I haven't checked recently, but a good chunk of exit structure was owned by
London Trust Media last time I checked, a group that's affiliated with PIA and
KAPE.

I can appreciate the suspicion. I think that it's warranted; but personally
I'm of the opinion that the market consolidation is more due to the nature of
the product and the market that it exists within. Whether or not a state group
is gaming that consolidation.. I would suspect yes, but hold no proof.

------
nik736
I am a long-term customer (Colocation and dedicated servers) of M247.ro (I am
from Germany) and I am more than happy with their service. They are super
reliable, reputable, flexible and their support is fast, friendly and gets the
job done.

I can vouch for them and don't think they have anything to do with what you
accuse them of. They are just a big company with a lot of locations, which
makes it fairly easy for VPN companies to get started.

Regarding the IP addresses... They announce IPs for free, which is a very nice
service (some providers charge absurd amounts for it). They also do it for my
company, so my IPs show up under their ASN, but this is nothing shady and just
regular business.

------
badrabbit
For the false names thing, are you by chance doing whois lookups on IP
addresses? If so then that's just the messy nature of the beast. One issue is
that WHOIS records don't get updated sometimes, but what you're seeing is most
likely the legitimate owner of the IP. So, someone else (Cogent in your
example) may own the IP, but if they purchase transit from that IP owner, the
IP will be delegated to them but still owned by Cogent.

As for the rest of your concerns. First, I would like to see some empirical
data on your research. Second, what is your security model? VPNs are not that
great at anonymity.

You're not trying to hide from a global adversary (like NSA, GRU, GCHQ, etc.)
using VPNs, right... because even slapping Tor on that won't help you there.

My theory is that they're cheap enough as a reseller and they target VPN
providers as customers because there is a lot less support cost with them.

The thing about suspicions and conspiracies is that they mean little without
independently corroborating evidence. Try to collect facts that prove your
suspicion.
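
The distinction raised in this comment and in nik736's above (the AS that announces a prefix versus the holder registered for the address block), shown as an added example that is not part of any poster's comment. The records are constructed and simplified RPSL-style text using documentation prefixes, a documentation ASN and made-up names; `parse_objects` and `explain` are hypothetical helpers.

```python
import ipaddress

# Constructed, simplified RPSL-style records (documentation ranges, made-up names).
SAMPLE = """\
inetnum:  192.0.2.0 - 192.0.2.255
netname:  EXAMPLE-CUSTOMER-SRL

route:    192.0.2.0/24
origin:   AS64500

inetnum:  198.51.100.0 - 198.51.100.255
netname:  EXAMPLE-HOSTING-LTD

route:    198.51.100.0/24
origin:   AS64500

aut-num:  AS64500
as-name:  EXAMPLE-HOSTING-LTD
"""

def parse_objects(text):
    """One dict per blank-line-separated object; 'class' is the first attribute name."""
    objects = []
    for block in text.strip().split("\n\n"):
        pairs = [line.partition(":")[::2] for line in block.splitlines()]
        obj = {k.strip(): v.strip() for k, v in pairs}
        obj["class"] = pairs[0][0].strip()
        objects.append(obj)
    return objects

def explain(ip, text=SAMPLE):
    """Return (registered holder, origin ASN, AS operator, verdict) for an IP."""
    objs = parse_objects(text)
    addr = ipaddress.ip_address(ip)
    holder = origin = None
    for o in objs:
        if o["class"] == "inetnum":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in o["inetnum"].split("-"))
            if lo <= addr <= hi:
                holder = o["netname"]          # who the block is registered to
        elif o["class"] == "route" and addr in ipaddress.ip_network(o["route"]):
            origin = o["origin"]               # which AS announces it in BGP
    operator = next((o["as-name"] for o in objs
                     if o["class"] == "aut-num" and o["aut-num"] == origin), None)
    verdict = ("unknown" if None in (holder, operator) else
               "same entity" if holder == operator else
               "customer space announced by provider")
    return holder, origin, operator, verdict
```

A mismatch between the holder and the AS operator is what a lookup site shows as differing "ISP" and "Organization" fields; on its own it indicates a provider announcing a customer's block, as nik736 describes.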

~~~
wolco
Do you think the NSA, GRU, GCHQ have broken Tor?

~~~
cjbprime
The Snowden leaks suggested that they had not broken Tor, at the time of the
leaks. There are "global passive adversary" timing correlation attacks which
have had papers written about them and could conceivably be performed by some
large intelligence agencies, especially if they cooperated with each other to
do so, by using their power to observe country-scale network traffic.

~~~
badrabbit
Too lazy to look up the source but part of the leaks (and a separate leak too
I believe?) was how they have been working on what you said along with
basically running a lot of the relays and combining that with their existing
internet traffic visibility. I don't so much think they've broken it, more like
they can de-anonymize who is visiting hidden sites or going out of exits with
good enough accuracy.

Oh, and after the raid in so many dark web markets, people now pretty much
presume this is the case, they deanonymize and inform law enforcement so they
can back track the evidence trail (parallel reconstruction). A lot of dark web
trading has just moved to places like Telegram

~~~
cjbprime
That doesn't sound right. I don't think they had much success. The
presentation seemed largely resigned.

Every dark web arrest I've seen has been caused by terrible operational
security (e.g. having a Gmail account traceable to the admin of the dark web
site) rather than a break of Tor.

~~~
badrabbit
The Snowden slides are from 2008 mostly right? I think the article I read was
describing how around this time GCHQ started collaborating with the NSA and
CIA because the Tor problem was growing bigger and bigger. Their current
capabilities are unknown, but their last known public plan was to control more
Tor nodes and retroactively deanonymize Tor flows iirc.

For the dark web stuff, the opsec failure is supposedly parallel
reconstruction.

------
frereubu
For what it's worth you can find out a bit of background about UK companies -
directors, submitted accounts etc - by using the website of Companies House.
You can generally just search for "Company Name Companies House" and it'll
bring up the company you're looking for.

Here's M247:
[https://beta.companieshouse.gov.uk/company/04968341](https://beta.companieshouse.gov.uk/company/04968341)

There's a reasonable amount of information about the company in their full
accounts from March 2018 (PDF, 650K):
[https://beta.companieshouse.gov.uk/company/04968341/filing-h...](https://beta.companieshouse.gov.uk/company/04968341/filing-history/MzIyNTYyODczN2FkaXF6a2N4/document?format=pdf&download=0)

~~~
smkellat
They're late on filing their current reports with Companies House.

~~~
toyg
That’s absolutely normal for companies of all sizes, although it’s often
correlated with financial struggles.

Edit: they are not actually late, the deadline is the end of this month.

------
sneak
Absolutely nothing about the trustworthiness of a provider or of their
upstreams prevents a national government from tapping the lines in and out.

Assume your VPN traffic is monitored, because it is, regardless of how much
you trust or don’t trust your provider or their network.

------
iSloth
M247 are a large UK DC/Network operator, grown through a number of
acquisitions. All you're seeing here is their large number of data center and
connectivity customers, I don’t see anything suspicious.

------
rshnotsecure
Excellent observation and you are very correct, at least as much as I can
tell.

If you look at my previous posts on HN I've written extensively about this
topic.

Ignore some (but not all) of the dissenters on here. I don't mean to be rude,
but these fake hosting companies are backed by quite the army of pr crisis
tech support people, and they will dogpile on a thread like this quickly.
You'll sometimes see them leave Yelp and Google Local reviews of their beloved
friendly neighborhood data center too (which is preposterous no one does this
in real life).

Anyway the clusters you are seeing do not appear to be about observation as
much as destruction. From the analysis that I and others have done, our best
guess is that someone is buying out hosting provider after hosting provider,
and then peering at the 1 Gbs and 10 Gbs level as much as possible.

The purpose of this is two fold. First you are denying your enemy freedom of
movement in that area. So think "squatting" or just taking up the board in
monopoly.

The second more disturbing piece is that someone is building a kind of DDOS
death star that will be unlike anything seen so far. From all the papers I've
read, such an attack is likely to come through some novel IOT exploit and
perhaps using one of the newer protocols like MQTT or COAP. But owning this
much hosting space would be a terrific backup / serve as good defense for the
expected counter attack.

This does not bode well at all for Europe. Even if the internet was off for
months in the US the country could recover and rearm. All of Europe on the
other hand, if stripped of the internet, could be overtaken in weeks if not
days if Russia or China were so motivated.

The enormous capital expenditures that these IaaS providers have been
sustaining points to China most certainly. Check out also Choopa, Tucows,
Enom, Psychz, Shaw, Sharktech, Joe's Data Center, Hetzner, UnityMedia,
Incapsula, and Mimecast.

This report is also very helpful :
[https://transparencyreport.google.com/safe-browsing/malware](https://transparencyreport.google.com/safe-browsing/malware)

------
toyg
I might be biased and paranoid because of where I live, but... to me, this
post reads like trying to harm M247’s reputation. I mean, the address stuff is
pretty ridiculous for anyone who works in the business, and the market-
strategy considerations are akin to me saying AWS targets the news market so
that the US government can shut down all those sites when they feel like, just
because a lot of news sites are hosted on AWS.

------
CodeWriter23
Do you believe an intelligence agency that wants visibility into VPN traffic
lacks the ability to cover their tracks?

------
Nextgrid
I am a customer of M247; I'm happy with their service and haven't noticed
anything shady going on. "Venus Business Communications" seems to be their old
company name (they've been through several acquisitions) and is still the
billing name when paying them by bank transfer.

------
mike_d
I am a customer of M247. The reason I use them, and I imagine a lot of VPN
providers use them, is because you can get a dozen points of presence all over
Europe while only having to deal with one provider/invoice. I think you are
just seeing market effects at work.

~~~
weare138
But when it comes to VPN providers, this is something to be concerned about.
Data privacy laws in GB are questionable at best. After GB leaves the EU, even
more so. I don't know enough about M247 to say this is a conspiracy, but I
wouldn't personally use any data privacy service based in GB.

------
MaupitiBlue
Are you trying to hide from the NSA, FBI, China, or Disney?

If you’re a pirate, I wouldn’t worry. Likewise if you’re a Chinese dissident
or tax cheat. The NSA isn’t going to blow its cover over Frozen 2 or your $3
million bitcoin wallet. Recent news accounts also suggest that the Feds are
dismissing child porn cases rather than disclosing methods.

That leaves espionage and terrorism. If you’re involved in those, maybe going
cheap on a vpn isn’t best practices to begin with.

~~~
na85
> The NSA isn’t going to blow its cover over Frozen 2 or your $3 million
> bitcoin wallet.

Parallel construction means they don't have to.

[https://en.m.wikipedia.org/wiki/Parallel_construction](https://en.m.wikipedia.org/wiki/Parallel_construction)

~~~
toyg
Nobody is going to parallel-construct for a few movies, unless you make a
business out of streaming pirate movies (in which case you kinda deserve it).

