Ask HN: My Suspicion Regarding “M247 Ltd”
78 points by Pablo946 on Jan 19, 2020 | 24 comments
Around a year or two ago I noticed almost every single self-proclaimed No-logs VPN had started opening new servers with a provider called M247, which is based in Manchester, UK. At first it was nothing suspicious and maybe 20% of the VPN servers I used were operated by M247, and these were all servers in Europe, and there were no red flags or anything suspicious to me at the time.

However fast forward to the present day and I notice that M247 Ltd is operating an estimated 65-85% of these VPN servers, and 90% of the USA servers are operated by them. Now they have VPN exits everywhere. All over USA, all over Europe, they have some in Asia, even Australia. The fact that so many VPN servers are using their network concerns me for a number of reasons, the first being that with all the VPN traffic flowing through their network, there is now a target on their back by government organizations, etc, what's stopping them from putting DPI boxes on their upstream ISP, or forcing them to log all traffic?

The second is more concerning: What if M247 is just a front, not really a network provider at all but really an intelligence operation, created specifically so that VPN provider owners would rent servers with them so the traffic could be analyzed? I heard from some other sources that M247 has been known to conduct shady deals, etc. What if the government is offering up these servers for dirt cheap to VPN providers purposefully, and that is why they are all using them?

Another fishy thing that concerns me is the number of false names that M247 VPN IP addresses are registered with. Previously I noticed they were all registered under the name "M247 Ltd", "M247 Europe SRL", "M247 Miami/Phoenix/etc Infrastructure", but recently I notice they are registering their IP addresses under completely false names that don't turn up any results on Google, such as "Ppman Services SRL", "Secure Data Systems SRL", "Venus Business Communications Limited", "UK Web Solutions Limited", "FirstClassIT Solutions", and a few others that I can't remember at the time. These IPs all use M247's ASN (AS9009), and under "Organization" it does say "M247 Ltd", but "ISP" says those false names.

Another strange thing I noticed was that they even used "Cogent Communications" as one of the false names attached to some of their IP addresses (however just like usual Organization was M247 and AS was 9009). If they are a regular legal company, how can they possibly be making up ISP names out of thin air and using them, as well as using the name of an already existing network provider, Cogent?

All these signs point to M247 conducting some less than kosher business, whatever that may be. I'm now very suspicious of connecting to VPN servers where the ISP is M247, for fear that they are some kind of government front/data collection firm/etc. Has anyone other than myself felt suspicious of M247 and thinks they are up to something? Or better yet, is there anyone who knows more about them than I do who is willing to shed some light on them?




I was an M247 colo customer in Manchester for approx 5 years. I went to their primary DC many times, interacted with their staff. They're a hosting company. The colo racks are full of servers with lots of little labels with different company names. The managed (and hence vps) racks are numerous and anonymous, which is what you'd expect. I'm not sure what you think is going on. They're cheap. They have excess capacity. So bottom-feeding race-to-the-bottom operators like VPN providers are buying from them. It doesn't seem too surprising.


VPN organizations have a few characteristics I've noticed:

1) they're fairly cheap to run, so groups spin up from nowhere fast.

2) due to being cheap to run, they seem to gather industry newcomers with little experience who are seeking a low-hanging-fruit first project.

3) they have a quick business 'period'. They come fast and they go fast. Probably due to the low-experience and extreme competition in that sector.

4) they consolidate quickly into large groups, and those large groups are fairly fast to buy up smaller competition in an effort to control commodity price.

>What if the government is offering up these servers for dirt cheap to VPN providers purposefully, and that is why they are all using them?

I guess that's just dependent on the threat model you're abiding by. Most casual VPN-as-a-business isn't going to do much to protect from state level adversaries, anyway.

The same phenomenon has happened in the US on the VPN market a few times now. I haven't checked recently, but a good chunk of exit structure was owned by London Trust Media last time I checked, a group that's affiliated with PIA and KAPE.

I can appreciate the suspicion. I think that it's warranted; but personally I'm of the opinion that the market consolidation is more due to the nature of the product and the market that it exists within. Whether or not a state group is gaming that consolidation... I would suspect yes, but hold no proof.


I am a long-term customer (Colocation and dedicated servers) of M247.ro (I am from Germany) and I am more than happy with their service. They are super reliable, reputable, flexible and their support is fast, friendly and gets the job done.

I can vouch for them and don't think they have anything to do with what you accuse them of. They are just a big company with a lot of locations, which makes it fairly easy for VPN companies to get started.

Regarding the IP addresses... They announce IPs for free, which is a very nice service (some providers charge absurd amounts for it). They also do it for my company, so my IPs show up under their ASN, but this is nothing shady and just regular business.


For the false names thing, are you by chance doing whois lookups on IP addresses? If so then that's just the messy nature of the beast. One issue is that WHOIS records don't get updated sometimes, but what you're seeing is most likely the legitimate owner of the IP. So, someone else (Cogent in your example) may own the IP, but if they purchase transit from that IP owner, the IP will be delegated to them but still owned by Cogent.

As for the rest of your concerns. First, I would like to see some empirical data on your research. Second, what is your security model? VPNs are not that great at anonymity.

You're not trying to hide from a global adversary (like NSA, GRU, GCHQ, etc.) using VPNs, right... because even slapping Tor on that won't help you there.

My theory is that they're cheap enough as a reseller and they target VPN providers as customers because there is a lot less support cost with them.

The thing about suspicions and conspiracies is that they mean little without independently corroborating evidence. Try to collect facts that prove your suspicion.


Do you think the NSA, GRU, GCHQ have broken Tor?


The Snowden leaks suggested that they had not broken Tor, at the time of the leaks. There are "global passive adversary" timing correlation attacks which have had papers written about them and could conceivably be performed by some large intelligence agencies, especially if they cooperated with each other to do so, by using their power to observe country-scale network traffic.


Too lazy to look up the source but part of the leaks (and a separate leak too I believe?) was how they have been working on what you said along with basically running a lot of the relays and combining that with their existing internet traffic visibility. I don't so much think they've broken it, more like they can de-anonymize who is visiting hidden sites or going out of exits with good enough accuracy.

Oh, and after the raid in so many dark web markets, people now pretty much presume this is the case, they deanonymize and inform law enforcement so they can back track the evidence trail (parallel reconstruction). A lot of dark web trading has just moved to places like Telegram.


That doesn't sound right. I don't think they had much success. The presentation seemed largely resigned.

Every dark web arrest I've seen has been caused by terrible operational security (e.g. having a Gmail account traceable to the admin of the dark web site) rather than a break of Tor.


The Snowden slides are from 2008 mostly, right? I think the article I read was describing how around this time GCHQ started collaborating with the NSA and CIA because the Tor problem was growing bigger and bigger. Their current capabilities are unknown, but their last known public plan was to control more Tor nodes and retroactively deanonymize Tor flows iirc.

For the dark web stuff, the opsec failure is supposedly parallel reconstruction.


Yes, they have (before the Snowden leaks), but that isn't what I meant. The Tor project's FAQs clearly state Tor can't protect against a global adversary, it is out of the scope of their threat model. If someone can see almost all internet traffic, Tor is useless against them.


For what it's worth you can find out a bit of background about UK companies - directors, submitted accounts etc - by using the website of Companies House. You can generally just search for "Company Name Companies House" and it'll bring up the company you're looking for.

Here's M247: https://beta.companieshouse.gov.uk/company/04968341

There's a reasonable amount of information about the company in their full accounts from March 2018 (PDF, 650K): https://beta.companieshouse.gov.uk/company/04968341/filing-h...


They're late on filing their current reports with Companies House.


That’s absolutely normal for companies of all sizes, although it’s often correlated with financial struggles.

Edit: they are not actually late, the deadline is the end of this month.


Absolutely nothing about the trustworthiness of a provider or of their upstreams prevents a national government from tapping the lines in and out.

Assume your VPN traffic is monitored, because it is, regardless of how much you trust or don’t trust your provider or their network.


M247 are a large UK DC/Network operator, grown through a number of acquisitions. All you're seeing here is their large number of data center and connectivity customers, I don’t see anything suspicious.


Excellent observation and you are very correct, at least as much as I can tell.

If you look at my previous posts on HN I've written extensively about this topic.

Ignore some (but not all) of the dissenters on here. I don't mean to be rude, but these fake hosting companies are backed by quite the army of PR crisis tech support people, and they will dogpile on a thread like this quickly. You'll sometimes see them leave Yelp and Google Local reviews of their beloved friendly neighborhood data center too (which is preposterous; no one does this in real life).

Anyway the clusters you are seeing do not appear to be about observation as much as destruction. From the analysis that I and others have done, our best guess is that someone is buying out hosting provider after hosting provider, and then peering at the 1 Gbs and 10 Gbs level as much as possible.

The purpose of this is twofold. First you are denying your enemy freedom of movement in that area. So think "squatting" or just taking up the board in Monopoly.

The second more disturbing piece is that someone is building a kind of DDOS death star that will be unlike anything seen so far. From all the papers I've read, such an attack is likely to come through some novel IOT exploit and perhaps using one of the newer protocols like MQTT or COAP. But owning this much hosting space would be a terrific backup / serve as good defense for the expected counter attack.

This does not bode well at all for Europe. Even if the internet was off for months in the US the country could recover and rearm. All of Europe on the other hand, if stripped of the internet, could be overtaken in weeks if not days if Russia or China were so motivated.

The enormous capital expenditures that these IaaS providers have been sustaining points to China most certainly. Check out also Choopa, Tucows, Enom, Psychz, Shaw, Sharktech, Joe's Data Center, Hetzner, UnityMedia, Incapsula, and Mimecast.

This report is also very helpful : https://transparencyreport.google.com/safe-browsing/malware


I might be biased and paranoid because of where I live, but... to me, this post reads like trying to harm M247’s reputation. I mean, the address stuff is pretty ridiculous for anyone who works in the business, and the market-strategy considerations are akin to me saying AWS targets the news market so that the US government can shut down all those sites when they feel like, just because a lot of news sites are hosted on AWS.


Do you believe an intelligence agency that wants visibility into VPN traffic lacks the ability to cover their tracks?


I am a customer of M247; I'm happy with their service and haven't noticed anything shady going on. "Venus Business Communications" seems to be their old company name (they've been through several acquisitions) and is still the billing name when paying them by bank transfer.


I am a customer of M247. The reason I use them, and I imagine a lot of VPN providers use them, is because you can get a dozen points of presence all over Europe while only having to deal with one provider/invoice. I think you are just seeing market effects at work.


But when it comes to VPN providers, this is something to be concerned about. Data privacy laws in GB are questionable at best. After GB leaves the EU, even more so. I don't know enough about M247 to say this is a conspiracy, but I wouldn't personally use any data privacy service based in GB.


Are you trying to hide from the NSA, FBI, China, or Disney?

If you’re a pirate, I wouldn’t worry. Likewise if you’re a Chinese dissident or tax cheat. The NSA isn’t going to blow its cover over Frozen 2 or your $3 million bitcoin wallet. Recent news accounts also suggest that the Feds are dismissing child porn cases rather than disclosing methods.

That leaves espionage and terrorism. If you’re involved in those, maybe going cheap on a vpn isn’t best practices to begin with.


> The NSA isn’t going to blow its cover over Frozen 2 or your $3 million bitcoin wallet.

Parallel construction means they don't have to.

https://en.m.wikipedia.org/wiki/Parallel_construction


Nobody is going to parallel-construct for a few movies, unless you make a business out of streaming pirate movies (in which case you kinda deserve it).



