Europol-Leading Operation Takes Down Notorious VPN Service Used by Ransomware Gangs

Global Operation Targets Ransomware Gangs’ VPN Service

A coordinated international effort, led by Europol and Eurojust, has taken down a virtual private network (VPN) service allegedly used by ransomware gangs and cybercriminals worldwide.

• The service, known as “First VPN,” was promoted on Russian-speaking cybercrime forums as a secure and anonymous infrastructure for conducting ransomware attacks, large-scale fraud, and data theft operations.
• Investigators seized servers, shut down domains, and identified thousands of users linked to cybercrime investigations across multiple jurisdictions.
• Cybersecurity company Bitdefender assisted investigators during the operation.

Background and Investigation

The investigation began in December 2021, when authorities working with Europol’s European Cybercrime Centre gained access to the service and obtained its user database.

Outcome and International Cooperation

Law enforcement agencies seized several domains associated with the service, including 1vpns.com, 1vpns.net, 1vpns.org, and related onion domains.

• The administrators of the service were informed that the platform had been shut down, and investigators had identified the users.
• The operation has already resulted in 83 intelligence packages being shared internationally, information connected to 506 users being disseminated to partner agencies, and progress in 21 cybercrime investigations.
• Authorities from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom participated directly in the action days, while several other countries supported the wider investigation.

Broader Strategy Against Cybercrime Infrastructure

This takedown reflects a broader global strategy by law enforcement agencies to target the infrastructure enabling cybercrime, including VPN services, proxy networks, botnets, and encrypted communication platforms.

About Author

Anuj

See author's posts