VYPR
breach · Published May 20, 2026 · Updated May 22, 2026 · 6 sources

European Law Enforcement Dismantles First VPN, a Cybercriminal Anonymity Service

An international operation led by France and the Netherlands has dismantled First VPN, a service marketed on Russian-speaking cybercrime forums to help ransomware groups and other criminals hide their attacks.

European law enforcement agencies have dismantled a VPN service long favored by cybercriminals to conceal ransomware attacks, fraud schemes and other illicit activities. The international operation, led by France and the Netherlands and carried out May 19-20, targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.

Authorities in Ukraine questioned the service’s administrator at the request of French investigators and conducted a house search as part of the coordinated operation. Law enforcement agencies also dismantled 33 servers linked to the platform. According to a Europol statement Thursday, First VPN had appeared in “almost every major cybercrime investigation” the agency had supported in recent years.

The service allowed users to make anonymous payments and promised hidden infrastructure designed to shield criminal activity. Cybercriminals reportedly used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud and data theft operations.

“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong,” said Edvardas Sileris, head of Europol's European Cybercrime Centre. “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement,” he added.

Europol said investigators gained access to the service and obtained its user database, allowing authorities to identify VPN connections allegedly used by cybercriminals to conceal their activities. The data exposed thousands of users linked to the cybercrime world and gave investigators new leads tied to ransomware attacks, fraud operations and other crimes around the world, the agency said.

Dutch authorities said First VPN specifically targeted criminal users and openly promoted itself on cybercrime forums. Investigators said the service claimed it would refuse cooperation with law enforcement, operate outside any jurisdiction and avoid storing user data. “The service gave the impression that it was reliable and that its users were safe, which was not the case in reality,” Dutch authorities said.

Authorities notified users of the shutdown and informed them they had been identified. An investigation is ongoing. This takedown represents a significant blow to the cybercriminal ecosystem, removing a critical anonymity tool that facilitated numerous ransomware attacks and other cybercrimes.

The operation, conducted on May 19-20, 2026, involved French and Dutch authorities with support from Europol and Eurojust, who dismantled 33 servers and interviewed the VPN operator in Ukraine. Seized domains included 1vpns.com, and the service was marketed on Russian-speaking cybercrime forums to help ransomware groups anonymize their activities.

Europol confirmed the takedown targeted First VPN, a service that had been actively marketed on Russian-language cybercrime forums to ransomware groups and fraudsters for anonymizing criminal traffic. The operation, coordinated by French and Dutch authorities, seized infrastructure used to mask attackers' identities, marking the first law enforcement action specifically against a VPN provider enabling cybercrime. No arrests have been announced, but the disruption is expected to hinder ongoing ransomware and fraud campaigns that relied on the service.

The operation, conducted over two days earlier this week, resulted in the arrest of the alleged administrator at their residence in Ukraine, though authorities have not released the individual's name. Investigators seized 33 servers and multiple domains, including 1vpns.com, 1vpns.net, and 1vpns.org, and obtained First VPN's user database, which has already identified thousands of users linked to cybercrime. The intelligence gathered is now supporting 21 additional ongoing investigations across multiple jurisdictions, and Europol has publicly warned users that their identities are now known to law enforcement.

The FBI has now confirmed its role in the takedown, stating that First VPN was used by dozens of ransomware groups for network reconnaissance and intrusions. The service's administrator was arrested as part of the operation, which targeted critical criminal infrastructure that provided anonymized access to threat actors. This action follows the earlier European-led disruption and underscores the ongoing international effort to dismantle services enabling ransomware campaigns.

The takedown, led by French and Dutch authorities with support from multiple nations, marks the first global law enforcement action specifically targeting a VPN provider for enabling ransomware infrastructure. Investigators have been probing First VPN Service since December 2025, and the operation dismantled a service that at least 25 ransomware groups relied on to anonymize their attacks, data theft, and DDoS campaigns.

Synthesized by Vypr AI