Europol dismantles First VPN network used by ransomware syndicates
A joint action led by French and Dutch authorities, with support from Europol and the FBI, has shut down a VPN service that facilitated cybercrime for over a decade, identifying thousands of users and generating 83 intelligence packages.
A coordinated international law enforcement operation has dismantled First VPN, a virtual private network service that provided infrastructure for ransomware attacks and data theft. Led by the French and Dutch national police, with support from Europol and Eurojust, the operation resulted in the seizure of the service’s domains, the arrest of its administrator in Ukraine, and the identification of thousands of users.
The investigation, which commenced in December 2021, targeted a service that had been active since 2014. First VPN promoted itself on Russian-speaking cybercrime forums as a tool for anonymity, promising no logs and immunity from judicial cooperation. Authorities stated that the service specifically targeted cybercriminals, offering hidden infrastructure and anonymous payments to facilitate serious offences including ransomware and fraud.
During the operation, executed on May 19 and 20, 2026, investigators seized 33 servers located across 27 countries. Europol confirmed that law enforcement gained access to the service, obtaining its user database and identifying VPN connections used to conceal criminal activities. The domains 1vpns.com, 1vpns.net, and 1vpns.org were taken offline, and users were notified that they had been identified by investigators.
The FBI highlighted the operational impact of the shutdown, noting that at least 25 ransomware groups, including Avaddon Ransomware, utilised First VPN infrastructure for network reconnaissance and intrusions. The agency reported that the service’s IP addresses were used for scanning activity consistent with identifying open ports and services, as well as for botnet and denial of service attacks.
Europol announced that the operation produced 83 intelligence packages and facilitated the sharing of information on 506 users internationally. The agency stated that the gathered intelligence has advanced 21 Europol-supported investigations. Security vendor Bitdefender assisted law enforcement in conducting the technical aspects of the operation, while Eurojust hosted 16 coordination meetings to align prosecutorial strategies across jurisdictions.
The joint action involved direct participation from authorities in France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the UK. Additional support was provided by Canada, Germany, the US, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. Europol established a dedicated task force to analyse seized data and coordinate intelligence sharing with international partners.
The dismantling of First VPN underscores the complexities of international judicial cooperation in cyberspace. Eurojust noted that the service’s claims of non-jurisdiction and data non-retention were designed to appear reliable to users, despite the reality of law enforcement infiltration. The operation marks a significant disruption to a long-standing criminal network that facilitated global cybercrime.
