Virtual Private Networks (VPN) are very popular. They are part and parcel for almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of privacy data, online gaming acceleration, and bypassing service provider restrictions. VPN’s are also popular with cyber criminals, as it is one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business with multiple VPN brand names out of the People’s Republic of China (PRC). At last count, the Terracotta VPN node ecosystem consisted of more than 1500 systems around the globe. Every Windows server running as a Terracotta VPN node that FirstWatch was able to verify was hacked.