Europol-led operation dismantles First VPN cybercrime service

An international law enforcement operation coordinated by Europol has dismantled First VPN, also known as 1VPNS, a VPN service widely used by cybercriminals to hide malicious activity and shield operations from investigators.

Authorities between May 19 and 20 arrested a suspected administrator in Ukraine, seized 33 servers supporting the service, and shut down primary domains including 1vpns.com, 1vpns.net, and 1vpns.org, along with associated onion domains used on the dark web.

Investigators conducted a house search in Ukraine and interviewed the alleged administrator as part of the operation.

Europol said the takedown exposed thousands of users tied to criminal activity and generated investigative leads connected to ransomware operations, fraud schemes, data theft, and other cyber offenses. Information related to 506 users was shared with international law enforcement partners for further investigation.

The operation involved authorities from 27 countries and followed a multi-year investigation launched in 2021. France and the Netherlands led the effort with support from Europol, Eurojust, the European Union agency for judicial cooperation, and cybersecurity company Bitdefender.

Officials said investigators secretly gained access to the VPN infrastructure before the service was taken offline, allowing authorities to collect traffic data and intelligence tied to users who believed their activities were protected by anonymity tools.

Eurojust said investigators executed multiple European Investigation Orders and Mutual Legal Assistance requests during the operation, enabling law enforcement agencies to gather operational intelligence from the platform before dismantling it.

Edvardas Šileris, head of Europol’s European Cybercrime Centre, said the operation demonstrated that services marketed to cybercriminals as secure and untouchable remain vulnerable to coordinated law enforcement action.

Over time, First VPN became one of the most prominent anonymization services used in the cybercrime underground and appeared in numerous investigations supported by Europol. Authorities said cybercriminals relied on the service to conceal infrastructure and identities while conducting ransomware attacks, large-scale fraud campaigns, distributed denial-of-service attacks, network intrusions, and data theft operations.

The FBI said First VPN had operated since 2014 and maintained 32 exit nodes across 27 countries before the disruption. U.S. investigators linked the service to at least 25 ransomware groups that used the platform for reconnaissance and unauthorized access to targeted networks.

Federal authorities also said IP addresses associated with the VPN service had been tied to botnet activity, denial-of-service attacks, internet scanning, and hacking operations.

The FBI released a public advisory containing technical indicators of compromise, MITRE ATT&CK mappings, and defensive recommendations intended to assist organizations in identifying related malicious activity.

Bitdefender said the 506 identified users represented only a portion of the platform’s overall customer base and that investigators are working to determine which users can be directly connected to criminal operations.

The cybersecurity company said intelligence gathered during the operation could expose previously unidentified cybercrime infrastructure, fraud campaigns, and ransomware affiliates operating through anonymization services.

Authorities said the collected evidence is expected to support ongoing cybercrime investigations worldwide as agencies continue efforts to disrupt services used to facilitate ransomware and other online criminal activity.