
‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested

May 27, 2026  Twila Rosenbaum  56 views
A coordinated law enforcement operation across North America and Europe has successfully disrupted First VPN, a popular cybercrime service that for years provided anonymity to ransomware operators and other malicious actors. According to the FBI, First VPN had been active since 2014, offering 32 exit nodes spread across 27 countries at the time of its takedown. The service was advertised on Russian-language dark web forums and had been leveraged by at least 25 different ransomware groups for network reconnaissance and initial intrusions.

IP addresses associated with First VPN were frequently observed in scanning activities, botnet operations, distributed denial-of-service (DDoS) attacks, and various hacking campaigns. The FBI has published a detailed alert containing technical indicators of compromise (IoCs), MITRE ATT&CK mapping, and recommended detection measures. The operation, supported by Europol and several international partners, involved dismantling 33 servers linked to First VPN and disrupting the infrastructure that enabled cybercriminal activity. Specifically, the takedown targeted the domains 1vpns.com, 1vpns.net, 1vpns.org, and associated onion services on the Tor network.

The alleged administrator of First VPN has been arrested in Ukraine, though his identity has not been publicly disclosed at this time. Europol stated, "Users of the criminal service have been notified of the shutdown and informed that they have been identified," adding that information on 506 users was shared with international law enforcement agencies. Bitdefender, a cybersecurity firm that participated in the operation, noted that these 506 users represent only a subset of First VPN's customer base. Investigators will now work to determine which individuals can be directly linked to criminal operations, including known ransomware groups, fraud operations, and data theft campaigns.

Background on Cybercrime VPN Services

Virtual private networks (VPNs) are legitimate tools used by millions to protect online privacy, but a subset of VPN providers deliberately cater to cybercriminals. These "bulletproof" VPN services often operate from jurisdictions with lax cybercrime laws, accept cryptocurrency payments, and promise not to keep logs. First VPN was one such service, explicitly marketed on underground forums as a trusted anonymization layer for illegal activities. The takedown is part of a broader trend of international law enforcement targeting cybercrime-enabling infrastructure. Similar operations have previously disrupted services like RedVDS, which was taken down by Microsoft and law enforcement earlier this year, and the Kimwolf and Aisuru DDoS botnets.

The cybercrime-as-a-service economy relies heavily on such infrastructure. Ransomware groups, in particular, use anonymization services to obfuscate their command-and-control servers and to hide their identities when penetrating corporate networks. By removing these tools, law enforcement aims to increase the cost and risk for criminals. As Bitdefender noted in a statement, "Each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions." However, the cybersecurity industry recognizes that new anonymization services will likely emerge to fill the void. The economic demand for such services remains strong, driven by the profitability of ransomware and other cybercrimes.

Technical Details of the Operation

The FBI's alert provides extensive technical details. First VPN was operated using a network of compromised servers and dedicated exit nodes located across multiple countries. The service supported multiple protocols, including OpenVPN and WireGuard, and allowed users to route traffic through multiple hops to further complicate tracing. Investigators were able to map the infrastructure and identify IP addresses linked to ransomware attacks attributed to groups such as LockBit, BlackCat (ALPHV), and Clop. The operation began with the identification of the service's administrator through financial transactions linked to cryptocurrency wallets used to pay for server rentals. Cooperation between Ukrainian authorities and Europol led to the arrest.

Europol highlighted that the disruption also involved taking down the service's website and administrative panels, preventing criminals from creating new accounts or reconfiguring their infrastructure. Law enforcement agencies have also shared intelligence with Internet service providers to block traffic from known First VPN IP addresses, further hindering affected groups. The information on 506 users includes email addresses, payment information, and usage logs, which will be used to identify and prosecute individuals involved in cybercrime.
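The FBI alert and the ISP blocking described above both come down to matching traffic against a published indicator list. The following is an added example (not code from the FBI alert, Europol, Bitdefender or the article) that screens constructed DNS and firewall log lines against the three domains named in the article plus placeholder IP ranges; the IP ranges, log lines and field names are constructed for illustration, and the real indicators are those in the FBI alert.

```python
import ipaddress
import re

# Constructed indicator set: the domains are those named in the takedown
# announcement; the IP networks are documentation-range placeholders, NOT
# real First VPN exit nodes (take those from the FBI alert).
IOC_DOMAINS = {"1vpns.com", "1vpns.net", "1vpns.org"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Constructed sample logs: a resolver log and a firewall connection log.
# Ports 1194 and 51820 are the OpenVPN and WireGuard defaults.
SAMPLE_LOGS = [
    "2026-05-27T10:01:02Z dns client=10.0.0.5 query=panel.1vpns.net type=A",
    "2026-05-27T10:01:03Z dns client=10.0.0.6 query=www.example.com type=A",
    "2026-05-27T10:02:10Z fw src=10.0.0.5 dst=198.51.100.42 dport=1194 proto=udp",
    "2026-05-27T10:02:11Z fw src=10.0.0.7 dst=192.0.2.9 dport=443 proto=tcp",
    "2026-05-27T10:03:00Z fw src=10.0.0.8 dst=203.0.113.7 dport=51820 proto=udp",
]

DNS_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+)")
FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def domain_matches(qname: str) -> bool:
    """True if the queried name is an indicator domain or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)

def ip_matches(addr: str) -> bool:
    """True if the destination address falls inside an indicator network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # malformed field, never treat as a hit
        return False
    return any(ip in net for net in IOC_NETWORKS)

def scan_logs(lines):
    """Return (internal_host, indicator, reason) for each line that hits an IoC."""
    hits = []
    for line in lines:
        if m := DNS_RE.search(line):
            if domain_matches(m["qname"]):
                hits.append((m["client"], m["qname"], "dns-query"))
        elif m := FW_RE.search(line):
            if ip_matches(m["dst"]):
                hits.append((m["src"], m["dst"], f"connection dport={m['dport']}"))
    return hits

if __name__ == "__main__":
    for host, ioc, reason in scan_logs(SAMPLE_LOGS):
        print(f"{host} -> {ioc} ({reason})")
```

The same internal host appearing in both a DNS hit and a connection hit (10.0.0.5 in the sample) is the pattern worth escalating, since a lookup followed by a tunnel to an exit node suggests a client actually using the service rather than a stray resolution.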

Impact on Ransomware Operations

Ransomware groups heavily rely on anonymization services to avoid detection by security tools and law enforcement. By cutting off access to a trusted VPN provider, authorities may force these groups to either develop custom anonymization techniques, use less reliable services, or pause operations. However, experts caution that sophisticated groups often have backup infrastructure. For example, the Conti group (now largely dismantled) maintained its own private VPN infrastructure. But smaller groups and affiliates typically depend on third-party services like First VPN. The disruption may disproportionately affect these lower-tier actors, reducing the overall volume of ransomware attacks in the short term.

Bitdefender added, "First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement’s reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists." This psychological impact is significant: a service that was marketed as bulletproof has been compromised, damaging trust in the underground ecosystem.

Previous Related Operations

This takedown follows a series of successful international operations. In March 2023, Microsoft and law enforcement disrupted RedVDS, a similar cybercrime-friendly VPN service. That operation also led to arrests and the seizure of infrastructure. Another notable operation targeted the Aisuru and Kimwolf DDoS botnets, which had been used to launch massive attacks against gaming and financial websites. More recently, authorities arrested a Canadian man for operating the Kimwolf botnet. These actions demonstrate a sustained commitment to dismantling the cybercrime supply chain, from malware-as-a-service to anonymization tools.

In addition, earlier in 2024, the US Department of Justice announced charges against individuals involved in operating the Raccoon Stealer malware-as-a-service platform, which also used VPN services to hide its operations. The FBI's Cryptocurrency Task Force has been actively tracing payments to VPN providers and other enablers. International cooperation has been key: the Joint Cybercrime Action Taskforce (J-CAT) at Europol facilitates such multi-country operations, allowing for rapid sharing of intelligence and coordinated arrests.

The First VPN takedown also involved collaboration with private sector cybersecurity firms like Bitdefender, which provided threat intelligence and forensic capabilities. Such public-private partnerships have become essential in modern cybercrime investigations, as threat intelligence companies often have visibility into criminal infrastructure that law enforcement alone may lack.

Looking ahead, while the disruption of First VPN is a significant victory, the underlying economic drivers of cybercrime remain. The demand for anonymization services will persist, and new providers will likely emerge, perhaps with different business models, such as using decentralized peer-to-peer networks or blockchain-based solutions to resist takedowns. Law enforcement must continue to adapt, investing in advanced monitoring tools, international agreements, and offensive capabilities to preemptively identify and dismantle such services before they can cause widespread harm. The arrest of the administrator sends a clear message that operating cybercrime services carries significant personal legal risk, which may deter some individuals from entering this line of business.


Source: SecurityWeek News