Skip to main content
Emerging ThreatsMalware & Ransomware

Law Enforcement Disrupts First VPN Service Tied to Ransomware Attacks

Law enforcement officials stand in front of seized servers in a briefing room.

Investigators seized 33 servers linked to a criminal VPN and took its public and onion domains offline during a coordinated operation on May 19–20, 2026, disrupting infrastructure that Europol says figured in “almost every major cybercrime investigation the agency supported.”

Scope of the takedown and why First VPN mattered

The VPN service known as “First VPN” — advertised on cybercrime forums as a privacy-focused, no‑logs provider that ignored law enforcement requests — was used by threat actors in ransomware and data‑theft campaigns, law enforcement agencies say. Authorities in a joint international effort seized servers in 27 countries, removed 1vpns.com, 1vpns.net, 1vpns.org and related onion domains, and disrupted other key infrastructure supporting the service.

The public account of the operation emphasizes the dual nature of VPN tools: while they can legitimately protect privacy, bypass censorship, and enable secure remote work, they also allow malicious actors to hide location and infrastructure. The source material notes that, depending on where a provider operates, it may be legally obliged to comply with law enforcement requests and hand over retained data for criminal investigations.

Investigation timeline and multinational coordination

The probe began in December 2021 and evolved into a formal joint investigation team in November 2023, led by French and Dutch authorities. Europol and Eurojust coordinated a wider effort: Eurojust reported that “an Operational Taskforce was set up at Europol, which brought together investigators from 16 countries to analyze the seized data and coordinate intelligence sharing with international partners.”

That international structure underpinned the swift, synchronized actions taken on May 19–20 and framed how the collected material would be analyzed and distributed to support follow‑on inquiries worldwide.

How investigators identified users and disrupted the service

According to the public account, at some point investigators infiltrated First VPN’s infrastructure before it was taken offline and collected traffic data that enabled them to identify users of the service. The coordinated operation produced several concrete results:

  • Seizure of 33 servers linked to “First VPN”
  • Seizure of the 1vpns.com, 1vpns.net, 1vpns.org domains and related onion domains
  • Disruption of key infrastructure supporting the service
  • Identification and questioning of a Ukrainian suspect, including a house search in Ukraine
  • Arrest of the administrator
  • Notifications issued to identified users of the platform

The Dutch police specifically confirmed that all users of First VPN have been identified and directly notified, though they did not publish a user count and said it was unclear whether subsequent legal action would follow.

Intelligence sharing: what agencies have handed out so far

Europol reported that investigators shared information about 506 users internationally and produced 83 “intelligence packages” designed to aid ongoing or upcoming investigations. In its announcement, Europol wrote: “The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide.”

Those figures indicate two things: first, that law enforcement believes the takedown produced actionable leads across multiple cases; second, that the material will be parceled out to partner authorities to follow through on allegations tied to ransomware, fraud and other offences.

What this means for technologists, affected enterprises, and end users

Technologists and security teams: expect incoming intelligence. The 83 intelligence packages and the 506 user records shared by Europol will likely surface in investigations and incident response cases; security teams should be prepared to receive and action formal notifications from law enforcement and to correlate any leads with ongoing incident data.

Affected enterprises and procurement leaders: the event underscores that services advertised as “no‑logs” and resistant to law enforcement may still be instrumented or infiltrated; enterprises that relied on or investigated First VPN in connection with incidents will need to watch for official notifications and potential intelligence feeds tied to ransomware and data‑theft probes.

End users: Dutch police say all First VPN users have been identified and directly notified. For individuals who used the service intending to conceal activity, that notification is the concrete touchpoint reported by authorities; the public record does not say whether those notifications will lead to charges.

The multinational sweep removed a widely referenced tool from the cybercrime ecosystem and produced volumes of traffic data and intelligence now being shared across borders. What remains open in the public record is whether the identified users will face coordinated prosecutions; Dutch police explicitly noted that legal follow‑up is “unclear,” while Europol’s packet of leads and user data promises further investigative activity worldwide.

Original story