European Law Enforcement Dismantles First VPN, a Cybercriminal Anonymity Service
An international operation led by France and the Netherlands has dismantled First VPN, a service marketed on Russian-speaking cybercrime forums to help ransomware groups and other criminals hide their attacks.
European law enforcement agencies have dismantled a VPN service long favored by cybercriminals to conceal ransomware attacks, fraud schemes and other illicit activities. The international operation, led by France and the Netherlands and carried out May 19-20, targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.
Authorities in Ukraine questioned the service’s administrator at the request of French investigators and conducted a house search as part of the coordinated operation. Law enforcement agencies also dismantled 33 servers linked to the platform. According to a Europol statement Thursday, First VPN had appeared in “almost every major cybercrime investigation” the agency had supported in recent years.
The service allowed users to make anonymous payments and promised hidden infrastructure designed to shield criminal activity. Cybercriminals reportedly used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud and data theft operations.
“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong,” said Edvardas Sileris, head of Europol's European Cybercrime Centre. “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement,” he added.
Europol said investigators gained access to the service and obtained its user database, allowing authorities to identify VPN connections allegedly used by cybercriminals to conceal their activities. The data exposed thousands of users linked to the cybercrime world and gave investigators new leads tied to ransomware attacks, fraud operations and other crimes around the world, the agency said.
Dutch authorities said First VPN specifically targeted criminal users and openly promoted itself on cybercrime forums. Investigators said the service claimed it would refuse cooperation with law enforcement, operate outside any jurisdiction and avoid storing user data. “The service gave the impression that it was reliable and that its users were safe, which was not the case in reality,” Dutch authorities said.
Authorities notified users of the shutdown and informed them they had been identified. An investigation is ongoing. This takedown represents a significant blow to the cybercriminal ecosystem, removing a critical anonymity tool that facilitated numerous ransomware attacks and other cybercrimes.
The operation, conducted on May 19-20, 2026, involved French and Dutch authorities with support from Europol and Eurojust, who dismantled 33 servers and interviewed the VPN operator in Ukraine. Seized domains included 1vpns.com, and the service was marketed on Russian-speaking cybercrime forums to help ransomware groups anonymize their activities.