European law enforcement agencies have dismantled a long-running VPN service allegedly used by ransomware gangs and cybercriminals to conceal attacks, steal data, and evade investigators.
The operation, coordinated by France and the Netherlands with support from Europol and Eurojust, resulted in the seizure of dozens of servers tied to the service known as “First VPN” and the identification of thousands of suspected criminal users.
The takedown took place between May 19 and 20 as authorities in multiple countries targeted the infrastructure behind what Europol described as one of the most widely used VPN services in the cybercrime underground. Investigators also searched a suspect’s residence and interviewed the alleged administrator of the service in Ukraine.
According to Europol, First VPN had become deeply embedded in the cybercrime ecosystem and appeared in “almost every major cybercrime investigation” supported by the agency in recent years. The VPN service was openly promoted on Russian-speaking cybercrime forums as a secure platform for criminals, promising anonymous payments, hidden infrastructure, and a strict refusal to cooperate with law enforcement.
A virtual private network (VPN) is normally used to encrypt internet traffic and protect a user’s privacy online. However, investigators say First VPN marketed itself specifically to cybercriminals seeking to obscure their locations and infrastructure while carrying out ransomware attacks, fraud campaigns, credential theft, and other illegal activity.
Europol’s European Cybercrime Centre (EC3) worked alongside investigators after the probe was launched in December 2021. Authorities reportedly managed to infiltrate the service and obtain access to its user database, allowing investigators to analyze VPN connections and identify individuals linked to cybercrime operations worldwide.
Law enforcement agencies dismantled more than 33 servers associated with the service and seized several domains used by the operation, including:
- 1vpns.com
- 1vpns.net
- 1vpns.org
- Associated onion domains
Users attempting to access the service are shown seizure notices informing them that authorities have taken control of the platform.
Eurojust said the investigation began after French authorities discovered the VPN service being advertised on known cybercrime forums in 2022. A Joint Investigation Team (JIT) involving French and Dutch authorities was later established in November 2023 to facilitate evidence sharing and coordinate prosecution strategies across jurisdictions.
As additional countries became involved, investigators issued multiple European Investigation Orders and Mutual Legal Assistance requests to obtain access to traffic data and backend systems before the service was shut down. According to Eurojust, authorities were able to collect intelligence from users who believed they were operating in a secure and anonymous environment.
Europol said the operation has already generated substantial investigative leads, including:
- 83 intelligence packages distributed to partner agencies
- Information connected to 506 users shared internationally
- 21 Europol-supported investigations advanced using intelligence gathered during the operation
Authorities believe the intelligence collected from the seized systems will support ongoing investigations into ransomware attacks, fraud operations, and other cybercrime cases across multiple countries.
Leave a Reply