International police dismantle VPN used by 25 ransomware groups

French and Dutch authorities led a multinational law enforcement operation on May 19–20 that disrupted First VPN, seizing 33 servers and the service’s domains. Investigators identified the VPN as a tool used by roughly 25 ransomware groups to conceal attack origins, perform network reconnaissance and move payments.

Teams from Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland and Portugal supported the operation alongside Europol and Eurojust. Actions included interviewing an individual identified as the service administrator, a house search in Ukraine and the seizure of servers and other equipment. Authorities also disabled related onion addresses on the Tor network.

Europol and Eurojust reported First VPN had been promoted on Russian-language cybercrime forums and that its public materials emphasized anonymity and noncooperation with judicial authorities. Archived snapshots of the provider’s site showed the operator claiming, “We do not store any logs that would allow us or third parties to associate an IP address in a specific period of time with the user of our service.” The site also listed only email and username as retained data.

The U.S. Federal Bureau of Investigation reported First VPN had operated since about 2014 with roughly 32 exit-node servers across 27 countries, including three nodes in the United States. Technical details provided by investigators describe multiple connection protocols and encryption options offered by the service, and support provided via a self-hosted Jabber server and Telegram. Investigators noted protocol options that could obscure VPN traffic to resemble HTTPS on common web ports.

Authorities identified at least 25 ransomware groups that used First VPN infrastructure for intrusions and reconnaissance, including Avaddon. Subscription plans ranged from one day to one year, priced between $2 for a single day and $483 for an annual plan. The service accepted bitcoin and various e-cash systems such as Perfect Money, Webmoney, EgoPay and InterKass.

Officials said the seized equipment and data will be used to support ongoing investigations into users and criminal networks that relied on the service.