‘First VPN’, used by ransomware groups, scammers and data thieves, dismantled
Publish Date: 2026-05-22 08:39:00
Source Domain: www.escudodigital.com
An international operation led by France and the Netherlands, with the support of Europol and Eurojust and the collaboration of 16 other countries, has dismantled ‘First VPN’, an anonymisation service widely used by ransomware groups, fraudsters and cybercriminals involved in data theft.
According to Europol, First VPN had been advertised for years on Russian-speaking cybercrime forums as a reliable tool for staying off the radar of law enforcement agencies. The service had become deeply embedded in the global cybercrime ecosystem, appearing in almost every major investigation supported by the agency in recent years.
The platform enabled users to conceal infrastructure, make illicit payments anonymously and access other services specifically designed for criminal activity.
“Criminals used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offences,” emphasizes Europol.
A coordinated operation involving 18 countries over more than five years
According to Europol, the dismantling of First VPN came five and a half years after the investigation began, which dates back to December 2021.
Almost two years later, in November 2023, a joint investigation team was established with the support of Eurojust, allowing French and Dutch authorities to work closely together, exchange evidence and intelligence, and define a common judicial strategy.
Throughout the operation, codenamed Saffron, Eurojust organised 16 coordination meetings to prepare the joint action carried out this week by all participating countries: France, the Netherlands, Canada, Denmark, Estonia, Germany, Latvia, Lithuania, Luxembourg, Poland, Portugal, Romania, Spain, Sweden, Switzerland, Ukraine, the United Kingdom and the United States.
The operational phase took place on 19 and 20 May and did more than disrupt First VPN’s infrastructure: authorities also arrested its administrator in Ukraine, searched his home and dismantled 33 servers and domains linked to the service.
In addition, Europol highlighted that the operation has already produced other “significant operational results” within its broader fight against cybercrime:
The distribution of 83 intelligence packages.
The identification of 506 First VPN users, whose data has been shared internationally.
The launch of 21 investigations based on the intelligence gathered.
In the words of Edvardas Šileris, Head of Europol’s European Cybercrime Centre: “For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.”
The investigation remains open
The operation also involved Bitdefender, which contributed intelligence through Europol to identify hundreds of individuals related to criminal activities. It is the first time the cybersecurity company has participated in the dismantling of a criminal VPN service, within the work of its Draco Team unit, specialized in cybercrime investigation.
“Every ransomware group that relied on First VPN now needs to find an alternative, evaluate whether it provides equivalent protections, and rebuild operational security around a new service. Some will succeed. Many will make mistakes during the transition, creating investigative opportunities that didn’t exist when First VPN was operational,” states Bitdefender in a blog post dedicated to its participation in this operation.
Additionally, it notes that the operation will continue with the analysis of the seized infrastructure and the information of the 506 identified users, who represent a portion of the service’s customer base.
“Ongoing investigations will determine which of those connections map to active criminal operations. Some will be traced to known ransomware groups. Others will reveal fraud operations, data theft campaigns, or cybercrime-as-a-service infrastructure we didn’t know existed,” points out the cybersecurity firm.