An international coalition of law enforcement agencies said on Thursday it had dismantled First VPN, a virtual private network service used by cybercriminals to hide their activity, and arrested its administrator. Investigators said the service was deeply embedded in the cybercrime ecosystem and had become a tool for ransomware gangs, fraudsters and data thieves.
The FBI said at least 25 ransomware gangs used First VPN to conceal malicious activity, while other users relied on it to scan the internet, run botnets, launch distributed denial-of-service attacks and carry out scams. Europol said the service was marketed specifically to criminal hackers, offering anonymous payments, hidden infrastructure and other services designed to keep operators out of sight.
First VPN operated servers across 27 countries and advertised on known cybercrime forums, including at least two Russian-speaking marketplaces. In one post, the service said it did not keep logs that would allow it or third parties to link an IP address at a specific time to a user. It also said the only data it stored was an email address and username, while insisting that online activity could not be tied back to a specific user.
The operation began in December 2021 and ended this week with the arrest of the administrator, the dismantling of dozens of servers and the disruption of the service’s infrastructure. Europol said users were notified of the shutdown and told they had been identified, after investigators obtained the service’s user database and used VPN connection records to expose thousands of users linked to the cybercrime ecosystem.
The takedown underlines how central commercial VPN services have become to organized crime online, especially when marketed as privacy tools but used to shelter ransomware crews and other offenders. Europol said First VPN had appeared in major cybercrime investigations supported in recent years, which makes the seizure of its records and infrastructure likely to feed more cases before this one is finished.
