I don’t use anything called ExpressVPN? Is anyone familiar with this?
Hello! Thanks for posting on r/Ubiquiti!
This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.
Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.
If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!
I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.
Do you use iCloud private relay? I believe UI thinks that’s Express VPN
Lol, a few of the commenters missed that this is RICARDO’s MBP, not the whole of network.
a. Stats could just be broken and this just doesn’t exist.
b. It’s not express VPN, but something else or several other things if it’s a mistake in IP ranges on the filter.
Do you have any anti-virus on that MacBookPro? Maybe it has a built-in VPN that UBNT is detecting as ExpressVPN? Some Anti virus apps now have built-in VPN that they turn on by default. Bitdefender is big for that as an example
Metrics on my UDM have been messed up since I got it. It used to be full of hundred-terabyte transfers from services I’ve never heard of, or even petabyte transfers from random services like Alexa. Now it’s a little better, while largely showing correct metrics with only a couple massive unknown transfers.
Yeah I’m more concerned about the fact that it’s all upstream traffic. Do you have any video cameras or automated backups that regularly send large amounts of data to the cloud? If you can find out which hosts on your internal net are responsible for that traffic, that would help narrow down your search.
Edit: just realized this was all from one system and that it happened over a 4-hour span. By my math, for that to have actually happened, your internet upstream speed would need to be 3.77 Gbps sustained. So yeah, likely a glitch.
That UI dashboard is useless, it’s never correct.
These stats are more often incorrect than correct.
It’s a fairly popular VPN. If I had to guess, someone on your network has been running all their streaming and media through it
Well. It’s also possible someone has remotely accessed your system and is exfiltrating all the data on your laptop. 
I’d love to have your upload speeds.
I wouldn’t trust the UI dashboard. It’s largely inaccurate. To get those upload speeds, you’d be paying A LOT of money for Internet (at least in the US).
Get yourself PFSense or Sophos Home. You’d get much more accurate metrics, with proper web/app filtering, QoS, etc…
Were you using it during the four hour period? Seems fishy. Fishy enough that I would back up files and hard reset the laptop
I don’t know if wireshark or another such utility works on Mac but verify at the source, that’s a weird amount of upload
Do you have any other VPNs installed like HolaVPN or Urban VPN? Security team at my uni figured out that certain VPNs are using your computer’s resources to send out massive amounts of spam emails. This could be that.
ExpressVPN comes as one of those “Try My” apps with HP laptops. Does someone in your home have an HP Laptop?
Why is so much of your traffic upstream? Is that normal? If you’re not constantly seeding torrents or something you might want to look into why that is.
My guess is cloud backup.
Someone on the network or something is using a vpn and it could be express vpn cause they want to block what you see and your provider
It is very hard to make a decoder to continuously and accurately identify a particular application. Also UniFi stat accuracy leaves A LOT to be desired imho. My traffic stats are continuously wrong. When you have lots of small sessions it never manages bandwidth correctly per device