International Authorities Dismantle Criminal VPN Service Used by Ransomware Gangs

Authorities across Europe and North America have successfully dismantled a notorious criminal virtual private network (VPN) service that cybercriminals used to conceal ransomware attacks, data theft, network scanning, and distributed denial-of-service (DDoS) operations.

The operation targeted First VPN Service, a platform allegedly built specifically for cybercriminal activity. The coordinated crackdown was led by France and the Netherlands, with support from multiple international agencies involved in the investigation since December 2021.

Countries assisting in the operation included Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.

First VPN Marketed Itself to Cybercriminals

According to Europol, First VPN promoted anonymous infrastructure and payment methods designed to help cybercriminals hide their identities while conducting malicious operations.

The service was heavily advertised on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is, where it was promoted as a reliable way to evade law enforcement investigations.

Investigators revealed that the VPN service enabled threat actors to launch ransomware campaigns, large-scale fraud schemes, and data theft attacks while masking their real locations and identities.

Servers Seized During International Operation

The law enforcement operation took place between May 19 and May 20. Authorities carried out simultaneous actions that included:

  • Interviewing the VPN service administrator
  • Conducting a house search in Ukraine
  • Seizing 33 servers
  • Disrupting infrastructure supporting global cybercriminal activity

The following domains associated with First VPN were confiscated:

  • 1vpns[.]com
  • 1vpns[.]net
  • 1vpns[.]org
  • Multiple related Tor onion domains

Eurojust stated that First VPN openly promoted itself as an anonymity-focused service that refused cooperation with judicial authorities and claimed not to store user data.

FBI: Service Operated Since 2014

In a coordinated alert, the FBI disclosed that First VPN had been active since approximately 2014 and operated 32 exit-node servers spread across 27 countries.

Three servers were reportedly located in the United States:

  • 2.223.66[.]103
  • 5.181.234[.]59
  • 92.38.148[.]58

Additional infrastructure was hosted in countries including Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the United Kingdom.
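For defenders who want to check their own telemetry against the indicators the article lists (the three confiscated domains above and the three U.S. exit-node addresses from the FBI alert), the following Python snippet is an added example, not code from the article or from any of the agencies involved. It refangs the `[.]`-defanged indicators exactly as printed on the page and scans a handful of constructed firewall, DNS and proxy log lines for them; the log format, the internal addresses and the near-miss values are assumptions made for the demonstration.

```python
import ipaddress
import re

# Indicators as published in the article, kept in their defanged form.
FIRST_VPN_DOMAINS = ["1vpns[.]com", "1vpns[.]net", "1vpns[.]org"]
FIRST_VPN_US_EXIT_NODES = ["2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('1vpns[.]com') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_ip_set(defanged: list[str]) -> set[str]:
    """Refang and validate each IP so a typo in the list cannot silently pass."""
    return {str(ipaddress.ip_address(refang(ioc))) for ioc in defanged}


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_pattern(domain: str) -> re.Pattern:
    """Match the domain itself or any subdomain of it, but not 'my1vpns.com'."""
    return re.compile(
        r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(domain) + r"(?![a-z0-9-])"
    )


def match_log_line(line: str, ip_set: set[str], domain_pats: dict[str, re.Pattern]) -> list[tuple[str, str]]:
    """Return [(kind, indicator), ...] for every listed IoC found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in ip_set:
            hits.append(("ip", ip))
    lowered = line.lower()
    for domain, pat in domain_pats.items():
        if pat.search(lowered):
            hits.append(("domain", domain))
    return hits


def scan(lines: list[str]) -> list[dict]:
    """Scan log lines, returning one record per line that contains a listed IoC."""
    ip_set = build_ip_set(FIRST_VPN_US_EXIT_NODES)
    domain_pats = {refang(d): domain_pattern(refang(d)) for d in FIRST_VPN_DOMAINS}
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hits = match_log_line(line, ip_set, domain_pats)
        if hits:
            findings.append({"line_no": line_no, "line": line, "hits": hits})
    return findings


# Constructed sample telemetry: two true matches, two deliberate near-misses, one benign line.
SAMPLE_LOGS = [
    "2024-05-19T10:00:01Z fw01 action=deny src=10.1.2.3 dst=5.181.234.59 dport=443 proto=tcp",
    "2024-05-19T10:00:05Z dns01 client=10.1.2.7 qname=vpn.1vpns.net qtype=A",
    "2024-05-19T10:00:09Z fw01 action=allow src=10.1.2.3 dst=198.51.100.7 dport=443 proto=tcp",
    "2024-05-19T10:00:12Z proxy01 client=10.1.2.9 url=https://my1vpns.com/login",   # not a listed domain
    "2024-05-19T10:00:15Z fw01 action=allow src=10.1.2.3 dst=192.38.148.58 dport=443 proto=tcp",  # not a listed IP
    "2024-05-19T10:00:20Z fw01 action=allow src=10.1.2.11 dst=92.38.148.58 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding['line_no']}: {finding['hits']}")
```

An outbound connection to one of the exit-node addresses suggests a host on the monitored network is tunnelling through the service, which is a different signal from inbound traffic arriving from those addresses; both are worth keeping in the findings. The list covers only the three U.S. servers the FBI named, and exit-node addresses of such services change over time, so treat a clean scan as absence of these specific indicators rather than absence of the service.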

Linked to More Than 25 Ransomware Groups

Authorities believe at least 25 ransomware groups used First VPN’s infrastructure for reconnaissance and network intrusions. One of the identified groups was the infamous Avaddon Ransomware operation.

The VPN subscriptions ranged from one day to one year, with pricing reportedly starting at $2 per day and reaching up to $483 annually.

The platform accepted several payment methods, including:

  • Bitcoin
  • Perfect Money
  • WebMoney
  • EgoPay
  • InterKass

Advanced VPN and Traffic Obfuscation Features

The FBI noted that First VPN supported multiple connection protocols, including:

  • OpenConnect
  • WireGuard
  • Outline
  • VLess TCP Reality

The service also offered encryption technologies such as:

  • OpenVPN ECC
  • L2TP/IPSec
  • PPTP

Cybercriminal customers reportedly received technical support through a self-hosted Jabber server and Telegram.

One notable feature was support for the “VLESS” and “Reality” protocols, which allowed VPN traffic to be disguised as ordinary HTTPS traffic, making network-level detection significantly more difficult.

Archived Website Promised “Anonymity, Stability, Security”

Archived snapshots from the Internet Archive show that First VPN advertised itself with the slogan:

“Anonymity, Stability, Security”

The service claimed it did not keep activity logs capable of linking users to internet activity.

According to its archived statements:

“The only data we store is e-mail and username, but it’s impossible to connect the user’s activity on the Internet with a specific user of our service.”

Interestingly, the platform also attempted to distance itself from criminal misuse by claiming in its FAQ section that illegal activities were “strictly prohibited.” It warned users that servers involved in abuse complaints could be disabled.

Growing Global Crackdown on Cybercrime Infrastructure

The takedown of First VPN highlights the growing international collaboration between law enforcement agencies targeting cybercrime infrastructure providers.

Authorities are increasingly focusing not only on ransomware gangs themselves but also on the services that enable anonymous operations, including VPN providers, bulletproof hosting platforms, and encrypted communication networks.

As ransomware attacks continue to evolve, disrupting the infrastructure supporting these groups remains a critical strategy in global cybersecurity enforcement efforts.
