A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation.

Authorities have seized dozens of First VPN servers located in 27 countries, arrested the administrator, and conducted a house search in Ukraine.

The VPN service was advertised on various cybercrime forums as a privacy-focused VPN that does not log user data and ignores law enforcement requests for user information.

VPN tools encrypt users’ traffic and hide their real IP addresses. While they are used legitimately to protect privacy on public WiFi, bypass censorship, reduce tracking, and enable secure remote work, threat actors also rely on them to hide their location and infrastructure.

Depending on the region they operate in, VPN providers may be legally required to comply with law enforcement requests and hand over any data they retain for criminal investigations.

According to Europol, the name of the service came up in almost every major cybercrime investigation the agency supported. Europol says that First VPN names have been shut down.

The investigation into the service started in December 2021 and was led by the French and Dutch authorities, who formed a joint investigation team in November 2023.

At some point, the investigators infiltrated the VPN infrastructure before it went offline and collected the user database and identified the VPN connections cybercriminals used in attacks.

In an official communication video in the form of a cartoon, Europol highlights that even if threat actors promise to remove the data, oftentimes the information is still present on the servers.

“An Operational Taskforce was set up at Europol, which brought together investigators from 16 countries to analyze the seized data and coordinate intelligence sharing with international partners,” explains Eurojust.

A coordinated international operation conducted between May 19 and 20 targeted the “First VPN” service and resulted in the following actions:

• Seizure of 33 servers linked to “First VPN”
• Seizure of the 1vpns.com, 1vpns.net, 1vpns.org, and related onion domains
• Disruption of key infrastructure supporting the service
• Identification and questioning of a Ukrainian suspect
• Notifications issued to identified users of the platform

The press release from the Dutch police confirms that all users of First VPN have been identified and directly notified, though no specific numbers were mentioned, and it’s unclear whether there are plans for subsequent legal action against them.

Europol’s announcement mentions that information about 506 users was shared internationally, as well as 83 "intelligence packages" that will aid ongoing or upcoming investigations.

"The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide," Europol states.