Global Law Enforcement Dismantles First VPN Used by 25 Ransomware Groups in Historic Takedown
- May 22
- 3 min read
Key Findings
First VPN Service, a criminal VPN operating since 2014, was dismantled in a coordinated international operation led by France and the Netherlands
At least 25 ransomware groups used the service to conduct attacks, including network reconnaissance, data theft, fraud, and denial-of-service operations
The takedown involved 16 countries and resulted in the seizure of 33 servers across 27 countries and the shutdown of associated domains
First VPN marketed itself specifically to cybercriminals on Russian-speaking forums, offering anonymous payments and claiming zero data retention and no cooperation with authorities
Background
First VPN Service operated as a criminal infrastructure designed from the ground up to facilitate illegal activity. The service had been running quietly since approximately 2014, operating across a distributed network of servers positioned globally. Unlike legitimate VPN providers, First VPN explicitly marketed itself to the darknet community and Russian-language cybercrime forums like Exploit[.]in and XSS[.]is, making no pretense of serving legitimate users. The service promised anonymity, no logs, and claimed immunity from legal jurisdiction—selling itself as the ideal tool for criminals looking to hide their digital footprints while conducting ransomware campaigns, stealing data, and executing fraud operations.
The Operational Scope
First VPN maintained 32 exit node servers strategically positioned in 27 countries across multiple continents. Three nodes operated within the United States, while others were distributed through Europe, Asia-Pacific, and other regions including Australia, Canada, Hong Kong, Singapore, and Panama. This global distribution allowed criminals to route their malicious traffic through various jurisdictions, making attribution and enforcement exponentially more difficult. The service offered flexible subscription models ranging from single-day access for two dollars to annual subscriptions costing up to 483 dollars, accepting payments through cryptocurrency and alternative payment systems like Perfect Money, WebMoney, and EgoPay—all designed to maintain anonymity in financial transactions.
Technical Architecture
The service provided multiple VPN protocols to appeal to different criminal needs and technical sophistication levels. First VPN offered OpenConnect, WireGuard, Outline, and VLESS TCP Reality protocols, along with various encryption options including OpenVPN ECC, L2TP/IPSec, and PPtP. Notably, the service featured VLESS and Reality protocols that could disguise VPN traffic as standard HTTPS connections, allowing users to blend their malicious communications with legitimate web traffic on commonly-used ports. Technical support was provided through self-hosted Jabber servers and encrypted Telegram channels, creating secure communication channels between the service operators and their criminal subscribers.
The Criminal User Base
A minimum of 25 ransomware groups relied on First VPN infrastructure to launch attacks. These groups used the service during multiple stages of their operations—from initial network scanning and reconnaissance to full intrusions and lateral movement within compromised networks. The Avaddon Ransomware group was specifically named among the confirmed users. The flexible pricing and subscription model allowed these criminal groups to purchase access for specific operations, whether they needed the VPN for a single day's reconnaissance mission or year-round continuous operations.
The International Investigation and Takedown
The investigation began in December 2021 and culminated in coordinated action across May 19-20. Authorities from 16 countries participated in the operation, including France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. During the takedown, investigators interviewed the service administrator, conducted house searches in Ukraine, and seized the physical and digital infrastructure supporting the criminal operation. The three primary domains—1vpns[.]com, 1vpns[.]net, and 1vpns[.]org—along with related Tor onion addresses were taken offline, effectively shutting down the service's primary access points.
The Illusion of Legitimacy
First VPN attempted to maintain a veneer of legitimacy despite its obvious criminal purpose. The service's terms of service explicitly prohibited illegal activities, and its FAQ claimed that if servers received complaints, they would be disabled. This language served as legal cover while the company simultaneously operated exclusively in the criminal underground. First VPN's marketing materials promised users that the company stored no logs linking IP addresses to user activity, retained only email and username data that couldn't be connected to internet usage, and would never cooperate with any judicial authority. These guarantees were precisely what made the service attractive to ransomware operators and other criminal enterprises seeking to cover their digital tracks.
Sources
https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html
https://x.com/TheCyberSecHub/status/2057890050155983234
https://x.com/TheHackersNews/status/2057878436627329288
https://www.reddit.com/r/SecOpsDaily/comments/1tksnl0/first_vpn_dismantled_in_global_takedown_over_use

Comments