International Operation Takes Down 'First VPN' Service
A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. Authorities have seized dozens of First VPN servers located in 27 countries, arrested the administrator, and conducted a house search in Ukraine.
The VPN service was advertised on various cybercrime forums as a privacy-focused VPN that does not log user data and ignores law enforcement requests for user information. VPN tools encrypt users’ traffic and hide their real IP addresses. While they are used legitimately to protect privacy on public WiFi, bypass censorship, reduce tracking, and enable secure remote work, threat actors also rely on them to hide their location and infrastructure.
Investigation and Takedown
The investigation into the service started in December 2021 and was led by the French and Dutch authorities, who formed a joint investigation team in November 2023. At some point, the investigators infiltrated the VPN infrastructure before it went offline and collected the user database and identified the VPN connections cybercriminals used in attacks.
According to Europol, the name of the service came up in almost every major cybercrime investigation the agency supported. Europol says that First VPN names have been shut down. A coordinated international operation conducted between May 19 and 20 targeted the “First VPN” service and resulted in the following actions:
- Seizure of 33 servers linked to “First VPN”
- Seizure of the 1vpns.com, 1vpns.net, 1vpns.org, and related onion domains
- Disruption of key infrastructure supporting the service
- Identification and questioning of a Ukrainian suspect
- Notifications issued to identified users of the platform
The press release from the Dutch police confirms that all users of First VPN have been identified and directly notified, though no specific numbers were mentioned, and it’s unclear whether there are plans for subsequent legal action against them.
Impact and Next Steps
Europol’s announcement mentions that information about 506 users was shared internationally, as well as 83 'intelligence packages' that will aid ongoing or upcoming investigations. The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide.
An Operational Taskforce was set up at Europol, which brought together investigators from 16 countries to analyze the seized data and coordinate intelligence sharing with international partners. The takedown of the First VPN service is a significant blow to cybercrime operations and demonstrates the effectiveness of international cooperation in combating online threats.
Even if threat actors promise to remove the data, oftentimes the information is still present on the servers.
The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate. Download Now and learn more about the importance of validating your security controls.
Source: BleepingComputer