First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups
The Hacker NewsArchived May 22, 2026✓ Full text saved
Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December
Full text archived locally
✦ AI Summary· Claude Sonnet
First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups
Ravie LakshmananMay 22, 2026Cybercrime / Infrastructure
Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks.
The disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
First VPN, per Europol, offered services designed specifically for criminal use, allowing anonymous payments and a hidden infrastructure that enabled paying customers to hide their identities when carrying out ransomware attacks, large-scale fraud, and data theft. It was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as a tool to evade law enforcement.
The international operation took place between May 19 and 20, during which authorities took a series of concurrent actions that involved interviewing the service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.
The names of confiscated domains are listed below -
1vpns[.]com
1vpns[.]net
1vpns[.]org
Related onion domains operating on the Tor network
"First VPN's website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction," Eurojust said.
In a coordinated flash alert, the U.S. Federal Bureau of Investigation (FBI) said the service has been active since about 2014, providing 32 exit node servers in 27 countries. Three of the exit nodes were located in the U.S. -
2.223.66[.]103
5.181.234[.]59
92.38.148[.]58
Other exit nodes were located in Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the U.K.
No less than 25 ransomware groups, such as Avaddon Ransomware, are said to have used First VPN infrastructure to perform network reconnaissance and intrusions. The subscription duration ranged anywhere from one day to one year. Based on the subscription plan, they cost between $2 for a single day and $483 for a whole year. It accepted payments through Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKass.
"First VPN Service offered several connection protocols, including OpenConnect, WireGuard, Outline, and VLess TCP Reality, and multiple encryption options including OpenVPN ECC, L2TP/IPSec, and PPtP," the FBI said.
"Technical support was also offered to users via a self-hosted Jabber server and Telegram encrypted messaging service. Among the VPN protocol options, First VPN Service offered 'VLESS' and 'Reality' which provides the ability to disguise VPN Internet traffic as HTTPS traffic over ports which are commonly used to connect to websites."
According to snapshots captured on the Internet Archive, First VPN offered "Anonymity, Stability, Security," stating "We do not store any logs that would allow us or third parties to associate an IP address in a specific period of time with the user of our service."
"The only data we store is e-mail and username, but it's impossible to connect the user's activity on the Internet with a specific user of our service," it added.
As a way to escape liability, First VPN also noted in its FAQ that it "strictly" prohibited the use of its servers for illicit activities. "This facilitates the receipt of complaints about our servers, and as a result, they will be disabled," read the FAQ.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Cybercrime, cybersecurity, data theft, ddos, Europol, FBI, Infrastructure, ransomware, VPN
⚡ Top Stories This Week
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Load More ▼
⭐ Featured Resources
[Webinar] Learn How to Handle Critical SOC Alerts With AI Support
[eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk
Identify Internal Attack Surfaces More Efficiently With a Free Assessment
[Guide] Stop Email Fraud Before It Turns Into Ransomware Damage