Response to Checkpoint Research’s allegation about our company

In a recent article written by Checkpoint Research, BreakingSecurity has been accused of supporting illicit abuse of our software via a third-party retailer who has been selling some external products alongside Remcos.
We have also been accused of being the same company as the retailer, forging a double identity in order to provide an encryption service for our software and facilitating abuse.

However, as we will demonstrate in this answer, these accusations are wrong.

First of all, our company has never been interested in supporting the abuse of our cybersecurity programs (proofs below).
As is clearly highlighted on our site, and also in the article itself, we never provided on our website a tool that could be used to make Remcos undetected by security software.
Also, we never provided any support on our official website and Telegram channel about abusing our software in any way.
We do not sell our products on any blackhat or hacking forum.

Any customer manifesting any illegal intention of using our software has had his license banned (proofs posted below).
Any report sent to us regarding any illegal usage of our software has been investigated and the responsible user had his license banned (proofs posted below).

We also have developed CyberGuard, an Anti-Malware application, which we sell on our own site.

The article focuses on one of our software products, Remcos.
Remcos is a versatile surveillance and cybersecurity tool, and as such is used in many different scenarios.
We have many customers and companies that use our products and services in various cybersecurity fields.
For example, Remcos is widely used as a tool for red teaming, pen testing, legitimate surveillance, but also for administering many machines from a single control point, for creating a proxy, and much more.

We are aware that Remcos, like most cybersecurity and pentesting tools, has risks.
Many other cybersecurity tools such as Cobalt Strike, Metasploit, Flipper Zero, many VPNs, and many other software or services have been abused to the detriment of the developers’ intentions, even though their company, like ours, has never sold their products with the purpose of being abused.
We do not provide any products on our site that allow users to bypass the protection of antivirus software: so users can only use Remcos on computers on which they have explicit consent and access to install it.

We have in place various measures to contain abuse, and every single report sent to us regarding the abuse of one of our products was immediately investigated and the relevant license immediately blocked (proofs below), not allowing the use of our product by customers who did not comply with the terms of use that they accepted before purchasing the software.

On our website, we also publicly provide a free standalone Remcos Uninstaller tool to detect and remove Remcos installations on a system.
The tool can also generate a report for us to identify the associated license and block it in case of abuse.
 
Published on our website, we also have a dedicated email inbox to immediately monitor any abuse report of our software: abuse@breakingsecurity.net
We never received a single report or sample from Checkpoint or any communication regarding any abuse.
Otherwise we would have taken immediate action.
 

Various proofs of support tickets, showing that we enforce legal usage both in public and in private, and we ban any suspicious license and user:

As we can see from the ticket dates, we always enforced legal usage of our software, long before any article about us was posted.
Now let’s show some examples from our Telegram Group.

Telegram Group:

 
There is a comprehensive list of our posts in our Telegram group which clearly shows we blocked any suspicious activity and questions from users from the start.
Note that some of the related user messages were deleted by us, as we moderate any message that could manifest suspicious intentions.

Some of the related posts:
https://t.me/BreakingSecurity_Group/7793
https://t.me/BreakingSecurity_Group/154
https://t.me/BreakingSecurity_Group/98
https://t.me/BreakingSecurity_Group/1977
https://t.me/BreakingSecurity_Group/8029
https://t.me/BreakingSecurity_Group/8440
https://t.me/BreakingSecurity_Group/7464
https://t.me/BreakingSecurity_Group/6363
https://t.me/BreakingSecurity_Group/5855
https://t.me/BreakingSecurity_Group/5858
https://t.me/BreakingSecurity_Group/5492
https://t.me/BreakingSecurity_Group/5369
https://t.me/BreakingSecurity_Group/3071
https://t.me/BreakingSecurity_Group/2281
https://t.me/BreakingSecurity_Group/2182
 
The article focuses on the actions of an employee of ours along with an external retailer. This employee was hired to help us with customer support, helping customers with software installation on their own systems, analyzing new malware variants found in the wild, and marketing our products by helping us manage some sales and support channels, such as the Telegram group mentioned in your article.
Along with other marketing strategies, it was proposed by our employee to allow a third-party company (VgoStore) to resell our products, as long as they followed our same conditions of use. To verify the reliability of the retailer, we requested a company registration certificate from VgoStore, which was provided to us.
The document sent to us certifies that our reseller has a business in Jordan based on the sale of products online.
We have received other similar requests in the past, but they were always rejected by BreakingSecurity because the reseller had not passed our verification.
 
The relation between BreakingSecurity and VgoStore was just the one between a developer and an external retailer.
We couldn’t investigate in depth the internals of his business, or which other tools he was providing, such as the encryption service, which we are not related to.
This is because the software and services offered on his platform were periodically changing and being updated.
We however verified that our reseller had a registered company in the trade of online software.
 
And, despite the title of the article, we aren’t related to “Guloader” or “CloudEye”, nor did we develop this software in any way.
We are not sure where the alliance mentioned in the title of the article is. 
This external reseller was providing our software along with software unrelated to us on the same platform, for their own income unrelated to us.
We doubt VgoStore is the developer of any software sold on their platform.
 
We were aware that our employee also helped this company (VgoStore) with some of their work, hence the reason why he had access to the dashboard of this retailer’s site.
However, BreakingSecurity is not aware of the details of the job tasks conducted by our employee in his side job for an external business. 
The work conducted by our employee with VgoStore was conducted by him personally on his own behalf, without any relationship to the rest of BreakingSecurity.
Our employee worked for VgoStore by helping him with WordPress development, recording some videos, and helping him with his Telegram channel.
As we can see in the article, our employee was using his own personal YouTube channel, not the one of BreakingSecurity.
BreakingSecurity was not aware of the internal details of VgoStore or their earnings, as they are a company external to ours.
BreakingSecurity’s only profits derived from VgoStore were licenses of our products sold to it as a reseller.
The other income shown in your article is in no way related to BreakingSecurity, but only to VgoStore, of which we are not a part.
 

Regarding the claim that our company and VgoStore are the same one, or that our employee and Vgo are the same person using different accounts:
We asked our retailer VgoStore to provide clear proof to show that:

  1. We are not the same company
  2. Our companies are managed by different people
  3. Our businesses do not share income.
    BreakingSecurity did not receive any income from the sale or support of any encryption tool or any other service provided on the VgoStore platform.
  4. The relationship between BreakingSecurity and VgoStore was just the one between a developer and a retailer;
    BreakingSecurity didn’t manage which other software or services were provided in this external platform.
    Before allowing resale of our software, we however verified that our reseller had a registered company in the trade of online software.
  5. The work conducted by our ex-employee with VgoStore was done on his behalf and outside of BreakingSecurity.

In this video recorded by VgoStore and provided upon our request, showing old chats by him and our employee, all the above points are clearly proved:

 
Then, we also asked our retailer to provide evidence that he was not selling our software to suspicious users.
Proof of this in private chat conversations:

 
Our employee was also enforcing legal usage in private chats with customers who manifested suspicious intentions.
He provided us with evidence regarding old conversations with customers:

 

Regarding data and samples displayed in the article in one of the servers used by our employee:
Our employee routinely used virtual servers to analyze and test new malware variants, as well as samples found in the wild.
This does not mean that the same malware was used for malicious purposes by us.
As cybersecurity researchers, we collect many different pieces of code, but this does not mean we are going to use them nefariously; we use them only for the purpose of study and subsequently updating our own solutions.
BreakingSecurity does not provide or sell any server, crypter or any other software except the ones found on the official BreakingSecurity.net platform.
Servers used by our employee were not purchased, monitored or used by BreakingSecurity, but were just provided by clients for testing, while other servers were used internally for testing and analysis or sold by VgoStore to clients that presented themselves as cybersecurity customers.
It is worth noting that our employee was tasked, during his external job for VgoStore, with helping customers with software installation on their own servers, via remote support sessions. So he didn’t own some of the servers displayed in the article, and could not know what other tools were installed on these servers or how these servers were going to be used by customers.

Our employee provided us a record of an old conversation with the customer who sent him a sample (Formbook). The same customer was the owner of the Formbook panels.
The conversation proves that there is no relation between our employee and the malware campaigns mentioned in the article, and that our employee was not the owner of this server and Formbook.
 

 
Following our internal investigation, we have taken the following actions:
 
1) We have terminated all relationships with the VgoStore company, as they provided external tools which could lead to abuse if used in combination with Remcos.
They no longer have the ability to present or resell any of our products, and all of our products have been removed from their sales platform.
 
2) Our employee who collaborated with VgoStore has been removed from our company.
This decision has been taken by mutual agreement between both parties (BreakingSecurity and our ex-employee), after a discussion about the situation.
 
We are available to analyze any sample and report regarding incorrect use of our products.
We invite you to contact us should there be any evidence of abuse of our software or should you need any clarification.
Remcos is a multi-purpose tool for surveillance, red teaming and cybersecurity, and is used by many customers for entirely legitimate purposes, and we will not allow the abuse of our products by a few to tarnish our reputation and that of our products.
 
Best Regards
The BreakingSecurity.net Administration

1 Comment

  • The fact that you have never been contacted for an abuse report by these guys says a lot about their real intentions.
    Like most journalists, they are only interested in making news and views with a big scoop.
    That’s what they get paid for after all.
    The truth takes a back seat.
