First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups
First VPN service dismantled in a coordinated international investigation targeting 25 ransomware groups
First VPN Service Dismantled in Coordinated International Takedown Targeting 25 Ransomware Groups
TL;DR European and North American authorities dismantled First VPN Service on 19–20 May following a four-year investigation that began in December 2021. The criminal VPN infrastructure, active since approximately 2014, was used by at least 25 ransomware groups to conduct network reconnaissance, intrusions, and data theft. Authorities seized 33 servers across multiple countries and confiscated the service's primary domains.
What happened
Authorities in 16 countries conducted a coordinated takedown of First VPN Service, a virtual private network operated to support criminal actors. The operation was led by France and the Netherlands, with investigative support from Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal, alongside Europol and Eurojust.
The investigation began in December 2021. The operational takedown occurred between 19 and 20 May, during which authorities:
- Interviewed the service's administrator
- Conducted a house search in Ukraine targeting infrastructure operators
- Seized 33 servers globally
- Confiscated the primary domains 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org, along with related Tor onion domains
First VPN had been operational since approximately 2014. The FBI confirmed the service operated 32 exit node servers across 27 countries, including three nodes in the United States (2.223.66[.]103, 5.181.234[.]59, 92.38.148[.]58). Exit nodes were also distributed across Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the United Kingdom.
Why it matters
First VPN was purpose-built for criminal abuse. According to Europol, the service offered anonymous payments and hidden infrastructure enabling customers to obscure their identities while conducting ransomware attacks, large-scale fraud, data theft, network scanning, and denial-of-service attacks. The service was actively promoted on Russian-speaking cybercrime forums including Exploit[.]in and XSS[.]is as a tool to evade law enforcement detection.
At least 25 ransomware groups—including Avaddon Ransomware—relied on First VPN infrastructure for network reconnaissance and intrusions. The infrastructure's global distribution across exit nodes in 27 countries provided attackers with geographic diversity to mask attack origins and complicate attribution.
For defenders in the MENA region and beyond, the takedown demonstrates that even long-running criminal VPN services remain subject to international law enforcement action. However, the four-year investigation timeline and the technical sophistication of the service's obfuscation methods (notably the VPN protocols configured to mimic HTTPS, noted under What to do) illustrate the sustained effort required to dismantle such infrastructure.
Affected systems and CVEs
No CVE assigned at the time of publication. This is an infrastructure takedown, not a vulnerability disclosure.
Seized VPN service:
- First VPN Service (active 2014–2026)
Confiscated domains:
- 1vpns[.]com
- 1vpns[.]net
- 1vpns[.]org
- Related Tor onion domains (specific addresses not disclosed in source)
What to do
- Monitor for residual infrastructure: Organizations should continue monitoring for attempts to reach confiscated First VPN domains and known exit node IP addresses (2.223.66[.]103, 5.181.234[.]59, 92.38.148[.]58) in network logs and DNS queries. Continued connectivity to these addresses may indicate historical or ongoing compromise.
- Review logs for reconnaissance activity: Conduct network forensics for the period when First VPN was operational (2014–May 2026), searching for indicators consistent with ransomware group reconnaissance using this VPN infrastructure.
- Disable and monitor VPN protocols used by the service: Organizations running intrusion detection should ensure signatures are active for anomalous use of OpenConnect, WireGuard, Outline, VLESS TCP Reality, OpenVPN ECC, L2TP/IPSec, and PPtP, particularly those configured to disguise traffic as HTTPS.
- Cross-reference with ransomware threat intelligence: Organizations should obtain detailed threat intelligence from law enforcement or vendors on the 25 ransomware groups confirmed to have used First VPN infrastructure and review their own security posture against each group's known techniques.
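The first two recommendations above (hunting logs for the confiscated domains and exit node IPs) can be turned into a small retrospective sweep. The script below is an added example written for this article, not tooling from the source or from any law enforcement agency. It uses only the indicators published in this article (the three 1vpns[.] domains and the three US exit node IPs) and refangs them from the `[.]` notation. The log format, the `client=`/`src=` field names and the sample log lines are constructed for the illustration; the `scan_log` and `triage` function names are my own. Domain matching treats subdomains of an indicator as hits but not unrelated hostnames that merely end in the same characters.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as published in the article, in defanged form.
DEFANGED_DOMAINS = ["1vpns[.]com", "1vpns[.]net", "1vpns[.]org"]
DEFANGED_IPS = ["2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"]


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a usable lowercase string."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: dotted labels ending in an alphabetic TLD (so dotted IPs do not match).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Assumed log convention: the internal endpoint appears as client=... or src=...
INTERNAL_RE = re.compile(r"\b(?:client|src)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    kind: str  # "ip" or "domain"
    line: str


def domain_matches(host: str, ioc_domains: set) -> "str | None":
    """Return the matching indicator if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines) -> list:
    """Scan free-form log lines for the published First VPN indicators."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
                continue
            if addr in IOC_IPS:
                hits.append(Hit(n, str(addr), "ip", line))
        for host in HOST_RE.findall(line):
            matched = domain_matches(host, IOC_DOMAINS)
            if matched:
                hits.append(Hit(n, matched, "domain", line))
    return hits


def triage(hits) -> dict:
    """Group the internal endpoints that touched each indicator, for IR follow-up."""
    by_indicator = {}
    for h in hits:
        m = INTERNAL_RE.search(h.line)
        if m:
            by_indicator.setdefault(h.indicator, set()).add(m.group(1))
    return {k: sorted(v) for k, v in by_indicator.items()}


# Constructed sample lines mixing DNS query logs and firewall flow logs.
SAMPLE_LOG = [
    "2026-05-21T08:01:12Z dns client=10.0.4.17 query=1vpns.com type=A",
    "2026-05-21T08:01:13Z dns client=10.0.4.17 query=www.example.com type=A",
    "2026-05-21T08:02:40Z fw action=allow src=10.0.4.17 dst=5.181.234.59 dport=443",
    "2026-05-21T08:03:05Z fw action=allow src=10.0.4.22 dst=198.51.100.7 dport=443",
    "2026-05-21T08:04:00Z dns client=10.0.4.31 query=vpn.1vpns.org type=A",
    "2026-05-21T08:05:00Z dns client=10.0.4.31 query=not1vpns.com type=A",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator}")
    print(triage(found))
```

A match on an exit node IP over port 443 says only that an endpoint reached the VPN service; it does not by itself establish that the endpoint was the attacker's jump host or the victim, so the `triage` output is a starting point for host-level investigation, not a verdict.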
Open questions
- Specific identities of the First VPN Service administrator(s) have not been disclosed. The source does not confirm whether arrests were made or charges filed.
- The complete list of confiscated Tor onion domains used to access the service was not enumerated in the source material.
- The names of all 25 ransomware groups using the service are not provided; only Avaddon Ransomware is named.
- Specific legal charges or jurisdiction-specific actions against operators are not detailed.
- The total number of active subscribers or users of First VPN at the time of takedown is not disclosed.
- Financial losses or incident counts directly attributable to attacks using this infrastructure have not been quantified.
Source
First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups