I don’t use anything called ExpressVPN? Is anyone familiar with this?
Do you use iCloud private relay? I believe UI thinks that’s Express VPN
Lol, a few of the commenters missed that this is RICARDO’s MBP, not the whole of network.
a. Stats could just be broken and this just doesn’t exist.
b. It’s not express VPN, but something else or several other things if it’s a mistake in IP ranges on the filter.
Do you have any anti-virus on that MacBookPro? Maybe it has a built-in VPN that UBNT is detecting as ExpressVPN? Some Anti virus apps now have built-in VPN that they turn on by default. Bitdefender is big for that as an example
Metrics on my UDM have been messed up since I got it. It used to be full of hundred-terabyte transfers from services I’ve never heard of, or even petabyte transfers from random services like Alexa. Now it’s a little better, while largely showing correct metrics with only a couple massive unknown transfers.
Yeah I’m more concerned about the fact that it’s all upstream traffic. Do you have any video cameras or automated backups that regularly send large amounts of data to the cloud? If you can find out which hosts on your internal net are responsible for that traffic, that would help narrow down your search.
Edit: just realized this was all from one system and that it happened over a 4-hour span. By my math, for that to have actually happened, your internet upstream speed would need to be 3.77 Gbps sustained. So yeah, likely a glitch.
That UI dashboard is useless, it’s never correct.
These stats are more often incorrect than correct.
It’s a fairly popular VPN. If I had to guess, someone on your network has been running all their streaming and media through it
Well. It’s also possible someone has remotely accessed your system and is exfiltrating all the data on your laptop. 
I’d love to have your upload speeds.
I wouldn’t trust the UI dashboard. It’s largely inaccurate. To get those upload speeds, you’d be paying A LOT of money for Internet (at least in the US).
Get yourself PFSense or Sophos Home. You’d get much more accurate metrics, with proper web/app filtering, QoS, etc…
Were you using it during the four hour period? Seems fishy. Fishy enough that I would back up files and hard reset the laptop
I don’t know if wireshark or another such utility works on Mac but verify at the source, that’s a weird amount of upload
Do you have any other VPNs installed like HolaVPN or Urban VPN? Security team at my uni figured out that certain VPNs are using your computer’s resources to send out massive amounts of spam emails. This could be that.
ExpressVPN comes as one of those “Try My” apps with HP laptops. Does someone in your home have an HP Laptop?
Why is so much of your traffic upstream? Is that normal? If you’re not constantly seeding torrents or something you might want to look into why that is.
My guess is cloud backup.
Someone on the network or something is using a vpn and it could be express vpn cause they want to block what you see and your provider
It is very hard to make a decoder to continuously and accurately identify a particular application. Also UniFi stat accuracy leaves A LOT to be desired imho. My traffic stats are continuously wrong. When you have lots of small sessions it never manages bandwidth correctly per device