Proton Mail Suspended Journalist Accounts at Request of Cybersecurity Agency

The company behind the Proton Mail email service, Proton, describes itself as a “neutral and safe haven for your personal data, committed to defending your freedom.” However, in July last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency.

After a public outcry and multiple weeks, the journalists’ accounts were eventually reinstated – but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place. Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton’s services as alternatives to something like Gmail “specifically to avoid situations like this,” pointing out that “While it’s good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most.”

Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions. Shelton noted that perhaps Proton should “prioritize responding to journalists about account suspensions privately, rather than when they go viral.”

A Sophisticated Hacking Operation Exposed in South Korea

The two journalists whose accounts were disabled were working on an article published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation — what’s known in cybersecurity parlance as an APT, or advanced persistent threat — had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC.

The hackers, believed to be from Kimsuky, a notorious North Korean state-backed APT sanctioned by the U.S. Treasury Department in 2023, had created a complex system that was difficult to detect. The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky.

As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what’s known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the incident. Saber and cyb0rg created a dedicated Proton Mail account to coordinate the responsible disclosures, then proceeded to notify the impacted parties.

The Suspicious Suspension of Journalist Accounts

Saber and cyb0rg discovered that the Proton account they had set up for the responsible disclosure notifications had been suspended just a week after the print issue of Phrack came out. A day later, Saber found that his personal Proton Mail account had also been suspended.

The suspension notice instructed the authors to fill out Proton’s abuse appeals form if they believed the suspension was in error. Saber did so, and received a reply from a member of Proton Mail’s Abuse Team who went by the name Dante.

Contradictory Statements from Proton

In an email viewed by The Intercept, Dante told Saber that their account “has been disabled as a result of a direct connection to an account that was taken down due to violations of our terms and conditions while being used in a malicious manner.” However, after receiving no response from Phrack editors asking whether the incident could be de-escalated, Proton once again did not reply to the email.

On September 9, the official Phrack X account made a post asking Proton’s official account why Proton was “cancelling journalists and ghosting us,” adding: “need help calibrating your moral compass?” The post quickly went viral, garnering over 150,000 views. Proton’s official account replied the following day, stating that Proton had been “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service.”

Concerns Over Journalist Safety and Accountability

The incident has raised concerns among journalists about their safety and accountability when using email services. Phrack pointed out that the account suspensions created a “real impact to the author. The author was unable to answer media requests about the article.” The co-authors, Phrack noted, were also in the midst of the responsible disclosure process and working together with the various affected South Korean organizations to help fix their systems.

The community needs assurance that Proton does not disable accounts unless Proton has a court order or the crime (or ToS violation) is apparent. “All this was denied and ruined by Proton,” Phrack stated.