Skip to main content
Emerging ThreatsMalware & Ransomware

Authorities Disrupt First VPN Service Used by 25 Ransomware Groups

Law enforcement officials gather at a modern facility with a large glass wall, symbolizing a coordinated international…

"First VPN Service offered several connection protocols, including OpenConnect, WireGuard, Outline, and VLess TCP Reality, and multiple encryption options including OpenVPN ECC, L2TP/IPSec, and PPtP," the FBI said.

International coalition led by France and the Netherlands

Authorities in Europe and North America announced a coordinated disruption of a criminal virtual private network marketed as First VPN Service. The operation was led by France and the Netherlands with support from a list of partners that, according to public statements, included Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. Europol and Eurojust were cited as part of the multi-national effort.

Actions taken May 19–20: seizures, interviews, and server takedowns

The cross‑border operation unfolded between May 19 and 20. Authorities said they interviewed the service's administrator, conducted a house search in Ukraine, took down 33 servers, and seized infrastructure used to support cybercriminal activity around the world. Confiscated domains include:

  • 1vpns[.]com
  • 1vpns[.]net
  • 1vpns[.]org
  • Related onion domains operating on the Tor network

Technical footprint: exit nodes, protocols, and advertised anonymity

The FBI said First VPN had been active since about 2014 and provided 32 exit node servers in 27 countries. Three of those exit nodes were listed in the U.S.: 2.223.66[.]103, 5.181.234[.]59, and 92.38.148[.]58. Other exit nodes were located in Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the U.K.

On its public pages, First VPN promoted anonymity and a lack of cooperation with authorities. Eurojust summarized the site's pitch: "First VPN's website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction." Internet Archive snapshots quoted by investigators show the service offering "Anonymity, Stability, Security," adding "We do not store any logs that would allow us or third parties to associate an IP address in a specific period of time with the user of our service." The site's FAQ also said it "strictly" prohibited illicit activity while noting complaints would lead to the disabling of servers.

Criminal ecosystem: payments, forums, and ransomware customers

Investigators said First VPN explicitly catered to criminal customers by offering anonymous payments and a hidden infrastructure to conceal user identities. It appeared on Russian‑language cybercrime forums such as Exploit[.]in and XSS[.]is as a tool to evade law enforcement, according to Europol.

Payment options accepted included Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKass. Subscription plans ranged from one day up to one year, with advertised prices between $2 for a single day and $483 for a whole year. Europol and the FBI reported that no fewer than 25 ransomware groups, including Avaddon Ransomware, used First VPN infrastructure for activities such as network reconnaissance and intrusions.

How technologists, policymakers, and affected enterprises are likely to respond

  • Technologists and security teams will examine the seized server list and the exposed exit nodes to verify whether traffic previously routed through First VPN can be attributed to malicious operations; the FBI's list of 32 exit nodes and the three U.S. IPs provide starting points for retrospective network analysis.
  • Policymakers and regulators now have a publicly documented example of a service that advertised non‑cooperation with judicial authorities and claimed not to retain logs; Eurojust's and Europol's statements may inform discussions about cross‑border evidentiary access and regulation of anonymizing infrastructure.
  • Affected enterprises and procurement leaders will likely review vendor attestations after investigators found First VPN promoted features such as "We do not store any logs…" and simultaneously provided commercial support channels (self‑hosted Jabber and Telegram) and protocols (including VLESS and Reality) that can disguise traffic as HTTPS over commonly used ports.

The operation removed infrastructure and seized domains and servers, and investigators interviewed the administrator and conducted a search in Ukraine. That combination of technical disruption and legal action underscores the international reach of the case: a service active since about 2014, promoted on criminal forums, and used by at least 25 ransomware groups has been taken offline and its assets confiscated. Whether users and criminal customers shift to alternate services will be a concrete development to follow as authorities and defenders assess the operational impact of the takedown.

Original story