Authorities across Europe and North America have dismantled “First VPN,” a criminal virtual private network (VPN) service that facilitated illegal activities such as ransomware attacks, data theft, and denial-of-service attacks by hiding the identities of its users. The crackdown was led by law enforcement from France and the Netherlands, joined by a coalition of other countries: Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. The operation, which began in December 2021, culminated in an international effort to disrupt and dismantle the service.
According to Europol, First VPN was designed specifically to cater to criminals, providing services that allowed for anonymous payments and a concealed infrastructure. These features enabled customers to execute various forms of cybercrime, from ransomware attacks to large-scale fraud and data breaches, all with a level of anonymity that made detection by law enforcement incredibly challenging. The service was notably promoted on Russian-language cybercrime forums like Exploit[.]in and XSS[.]is, where it was marketed as a means to evade law enforcement authorities.
The international operation targeting First VPN took place on May 19 and 20 and involved multiple coordinated actions. Law enforcement officials interviewed the VPN’s administrator, executed a search warrant at a residence in Ukraine, and dismantled 33 servers associated with the service while seizing considerable infrastructure that supported global cybercriminal activity. The seized domains associated with First VPN include 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org, along with related onion domains operating on the Tor network.
Eurojust, the European Union agency responsible for promoting cooperation among justice departments, indicated that First VPN advertised itself with a promise of anonymity. The service claimed it would not cooperate with any judicial authorities, would refrain from storing user data, and would not be subject to jurisdictional oversight. Such assurances appealed to criminal elements looking to operate without the fear of detection.
The U.S. Federal Bureau of Investigation (FBI) said the service had been in operation since roughly 2014 and had provided 32 exit node servers located in 27 different countries. Three of these exit nodes were based in the United States, at IP addresses 2.223.66[.]103, 5.181.234[.]59, and 92.38.148[.]58. The size of this network illustrates the global reach and operational capacity of the service.
Numerous notorious ransomware groups are said to have used First VPN’s infrastructure to conduct reconnaissance and launch intrusions. No fewer than 25 ransomware groups, including the Avaddon ransomware group, were linked to malicious activity carried out through the service’s infrastructure. Subscription plans ran from a single day to a year, with fees ranging from $2 to $483. Payment methods included Bitcoin, Perfect Money, WebMoney, EgoPay, and InterKass, giving customers a range of payment channels for illicit transactions.
The FBI emphasized the technical sophistication of First VPN, detailing that it offered various connection protocols, among them OpenConnect, WireGuard, Outline, and VLess TCP Reality, alongside numerous encryption options such as OpenVPN ECC, L2TP/IPsec, and PPTP. Users also received technical support through a self-hosted Jabber server and the encrypted messaging platform Telegram, which points to a high level of organization and resources dedicated to supporting its illicit user base.
First VPN’s marketing promised “Anonymity, Stability, Security,” and asserted that the service did not log any information that could associate a user’s activities with their IP address at any given point in time. The FAQ section of its website stated a strict prohibition on illegal activities, which the operators argued was there so that they could receive complaints and then disable any servers involved in illicit activities. This careful framing sought to distance the VPN service from accountability while still attracting users engaged in wrongdoing who wanted the anonymity First VPN offered.
Overall, the dismantling of First VPN highlights the significant collaborative efforts by international law enforcement agencies to combat the pervasive issue of cybercrime, demonstrating their ability to coordinate complex operations across multiple jurisdictions in an effort to enhance cybersecurity and bring criminals to justice.
