Authorities in North America and Europe have participated in a law enforcement operation to disrupt First VPN, a popular cybercrime service used for ransomware and other attacks. The takedown, involving multiple agencies across the globe, marks a significant blow to cybercriminal infrastructure that has operated with impunity for nearly a decade.
The Rise of First VPN
According to the FBI, First VPN has been active since 2014, providing 32 exit nodes across 27 countries at the time of its disruption. The service was advertised on Russian-language dark web cybercrime forums, targeting a clientele that included ransomware groups, botnet operators, and data thieves. Over the years, First VPN gained a reputation as a reliable anonymization layer that could mask the true origin of malicious traffic, enabling attackers to conduct reconnaissance, deploy ransomware, and exfiltrate data without fear of detection.
The infrastructure of First VPN consisted of a network of servers that acted as exit nodes, routing traffic from cybercriminals through multiple jurisdictions. This made it difficult for law enforcement to trace activities back to the perpetrators. The service was particularly popular among ransomware affiliates who needed to obscure their IP addresses while scanning for vulnerable systems. At its peak, First VPN boasted hundreds of active users and processed a high volume of malicious traffic daily.
How First VPN Facilitated Cybercrime
Cybercrime-as-a-service (CaaS) has become a thriving underground economy, and First VPN was a key component of that ecosystem. By providing a VPN service that promised anonymity and uptime, it lowered the technical barrier for aspiring cybercriminals. Instead of setting up their own obfuscation infrastructure, they could pay for First VPN on a subscription basis. IP addresses associated with First VPN have been involved in scanning, botnets, DoS attacks, and hacking. The FBI noted that the service was used by at least 25 ransomware groups for network reconnaissance and intrusions.
Among the most notorious ransomware groups that relied on First VPN were operators of LockBit, Conti, and REvil variants. These groups used the VPN to launch attacks against critical infrastructure, healthcare, and education sectors worldwide. By routing their traffic through First VPN's nodes, they could evade geo-blocking and IP blacklists. The service also offered dedicated exit nodes in countries with weak cybercrime enforcement, further complicating investigations.
The Takedown Operation
The disruption of First VPN was the result of a coordinated effort between the FBI, Europol, and law enforcement agencies in Ukraine, the United States, Canada, and several European nations. According to Europol, law enforcement partners dismantled 33 servers linked to First VPN and disrupted the infrastructure that supported cybercriminal activity. The takedown targeted the domains 1vpns.com, 1vpns.net, 1vpns.org, and their corresponding onion addresses on the dark web.
The alleged administrator of the cybercrime service has been arrested in Ukraine. While the individual's identity has not been publicly released, Ukrainian authorities confirmed the arrest as part of the operation. The administrator is expected to face charges related to computer fraud, money laundering, and facilitation of organized cybercrime. This arrest sends a strong message to other operators of criminal anonymization services that they are not beyond the reach of international justice.
Impact on Users and the Cybercrime Ecosystem
“Users of the criminal service have been notified of the shutdown and informed that they have been identified,” Europol said, noting that information on 506 users was shared internationally. This notification is not merely a courtesy; it serves as a warning that law enforcement has their data and may pursue individual prosecutions. The list of users includes individuals and groups linked to ransomware, fraud, and other malicious activities.
Bitdefender, the cybersecurity firm that participated in the takedown, provided further insight into the significance of the operation. “Some will be traced to known ransomware groups. Others will reveal fraud operations, data theft campaigns, or cybercrime-as-a-service infrastructure we didn’t know existed,” Bitdefender said. The firm emphasized that the 506 users are only a subset of First VPN’s customer base, and investigators will now work to determine which of them can be linked to criminal operations.
The operation also yielded a wealth of intelligence on how criminal VPN services operate. The FBI has published an alert with technical details, Indicators of Compromise (IoCs), MITRE ATT&CK mappings, and recommendations for defenders. This information will help organizations detect and block traffic associated with former First VPN users, even as they attempt to migrate to alternative services.
Historical Context and Previous Takedowns
The takedown of First VPN is part of a broader trend of law enforcement targeting the infrastructure that enables cybercrime. In recent months, Microsoft and law enforcement disrupted a malware-signing service run by a group known as Fox Tempest. This service had been used to digitally sign malicious drivers and certificates, allowing malware to bypass security controls. Similarly, the RedVDS cybercrime service, which provided virtual private servers to criminals, was disrupted in a joint operation. In an international operation, the Aisuru and Kimwolf DDoS botnets were also dismantled, demonstrating the ongoing commitment of authorities to attack the root of cybercriminal operations.
These operations share a common strategy: instead of merely hunting individual attackers, law enforcement is systematically dismantling the services that make cybercrime scalable. Anonymization services like First VPN are particularly critical because they allow criminals to operate from anywhere in the world. By targeting these services, authorities force cybercriminals to constantly seek new infrastructure, increasing their operational costs and chances of detection.
The Future of Anonymization Services
Despite the success of the takedown, experts caution that new anonymization services will quickly emerge to fill the void. “New anonymization services will appear. The economic demand hasn’t changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions,” Bitdefender said. The cybersecurity firm added that “First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement’s reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists.”
The cybercrime-as-a-service ecosystem is resilient, but the cumulative effect of these disruptions may eventually make it less viable for less sophisticated attackers. As law enforcement and private-sector partners continue to collaborate, the intelligence gained from each takedown improves the ability to predict and preempt future services. The arrest of the First VPN administrator is a clear victory, but the battle against criminal anonymization is ongoing.
The detailed technical analysis provided by the FBI will be invaluable for cybersecurity professionals. The MITRE ATT&CK mappings help organizations understand the tactics, techniques, and procedures (TTPs) used by criminals who relied on First VPN. By incorporating these IoCs into their security stacks, defenders can proactively block traffic from ports and IPs known to be associated with the service. Europol has also encouraged private-sector companies to share any information about potential users or related infrastructure to build a more comprehensive picture of the cybercrime landscape.
Ultimately, the takedown of First VPN demonstrates that international cooperation remains a powerful tool against cybercrime. Law enforcement agencies across North America and Europe are increasingly willing to act in concert, sharing intelligence and resources to strike at the heart of criminal networks. For the ransomware groups and other malicious actors who used First VPN, the message is clear: the infrastructure you trust can be turned against you. Every service you rely on is under scrutiny, and the margin for error is shrinking.
Source: SecurityWeek News