Law enforcement shuts down VPN service allegedly used by ransomware gangs
International takedown targets First VPN
An international coalition of law enforcement agencies has shut down First VPN, a virtual private network service that investigators say was widely used by cybercriminals to mask ransomware operations and other attacks. Authorities also arrested the service’s administrator, according to announcements released Thursday.
The FBI said in an alert that at least 25 ransomware gangs used First VPN to hide malicious activity. Investigators said the service was also used to scan the internet, run botnets, launch distributed denial-of-service attacks, and support scams. The bureau said First VPN operated servers in 27 countries.
Europol described the service as more than a generic privacy tool, saying it offered anonymous payments, hidden infrastructure, and other services specifically marketed to criminal hackers. In its announcement, the agency said First VPN had become “deeply embedded” in the cybercrime ecosystem and appeared in “almost every major cybercrime investigation supported by Europol in recent years.”
According to Europol, criminals used the service to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other offenses.
The VPN was advertised on known cybercrime forums, including at least two Russian-speaking marketplaces, where it promised protection against being identified. In one post viewed by TechCrunch, the service said it did not store logs that could link an IP address to a user during a specific period of time, and claimed the only stored data was email and username.
Europol said users were notified of the shutdown and informed that they had been identified. Investigators said they obtained the service’s user database and identified VPN connections, exposing thousands of users linked to the cybercrime ecosystem.
The agency said dozens of servers were dismantled and the infrastructure disrupted as part of an investigation that began in December 2021.
Sources:
Doppler VPN: 6 server locations, VLESS protocol, zero tracking. Get started free.