For years, criminals believed this VPN would keep them beyond reach. The administrator is now under arrest. Thousands of users have been identified.
Introduction
For years, cybercriminals believed a certain VPN service would keep them beyond the reach of law enforcement. It was promoted on Russian-speaking cybercrime forums as a trusted tool for anonymity. It offered anonymous payments, hidden infrastructure, and services designed specifically for criminal use.
It appeared in almost every major Europol-supported cybercrime investigation in recent years.
Now it is gone.
The administrator is under arrest. Thirty-three servers have been dismantled. Thousands of users have been identified.
This is the story of the takedown of ‘First VPN’.
What Was First VPN?
Service Name: First VPN (domain names: 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains)
Target Audience: Cybercriminals on Russian-speaking forums
Marketing: Promoted as a trusted tool for remaining beyond the reach of law enforcement
Features:
- Anonymous payments
- Hidden infrastructure
- Services designed specifically for criminal use
How Criminals Used It:
- Concealing identities and infrastructure during ransomware attacks
- Large-scale fraud operations
- Data theft
- Other serious offences
Why First VPN Was a Critical Threat
| Factor | Significance |
|---|---|
| Prevalence | Appeared in almost every major Europol-supported cybercrime investigation in recent years |
| Trusted by criminals | Seen as a gateway to anonymity and beyond law enforcement’s reach |
| Protective layer | Removed a critical layer of protection that criminals depended on to operate, communicate, and evade detection |
The Investigation: December 2021 to May 2026
Investigation launched: December 2021
Key milestones:
- Europol’s European Cybercrime Centre gained access to the service
- Obtained the user database
- Identified VPN connections used by cybercriminals
- Support from cybersecurity partner Bitdefender through Europol
Joint Investigation Team (JIT):
- Set up with Eurojust’s support in November 2023
- Enabled French and Dutch authorities to work closely together
- Exchange evidence and information
- Decide on prosecutorial strategy
- Eurojust hosted 16 coordination meetings
Operational Taskforce (OTF) at Europol:
- Brought together investigators from 16 countries
- Analysed seized data
- Coordinated intelligence sharing with international partners
Joint Cybercrime Action Taskforce (J-CAT):
- Supported coordination, liaison, and deconfliction efforts
- Hosted at Europol
The Action Days: 19–20 May 2026
Coordinated action targeting: The infrastructure behind one of the most widely used VPN services in the cybercrime underground
Actions taken:
- Administrator interviewed
- House search conducted in Ukraine
- 33 servers linked to the criminal service dismantled
- Infrastructure used to support cybercriminal activity worldwide disrupted
Domain names seized:
User notification: Users of the criminal service have been notified of the shutdown and informed that they have been identified.
Intelligence Gathered
| Metric | Result |
|---|---|
| Users identified | Thousands (linked to cybercrime activity) |
| Intelligence packages disseminated | 83 |
| Information shared internationally | Linked to 506 users |
| Europol-supported investigations advanced | 21 |
Participating Authorities
Countries carrying out action days:
France, Netherlands, Luxembourg, Romania, Switzerland, Ukraine, United Kingdom
Countries supporting the investigation:
Canada, Germany, Romania, United States of America
Countries working on seized data:
Spain, Sweden
Countries participating in Europol OTF:
Canada, Denmark, Estonia, France, Latvia, Lithuania, Netherlands, Poland, Portugal, Romania, Switzerland, Ukraine, United Kingdom, United States of America
Lead authorities:
- France: Paris Prosecution Office (J3) and investigative judge; Court of Paris Cybercrime Unit; Préfecture de Police Cybercrime Unit (BL2C); Central Office Cybercrime Unit (OFAC)
- Netherlands: National Public Prosecutor’s Office; Team High Tech Crime of the National Investigation Unit
- Luxembourg: District Prosecution Office; Luxembourg Judicial Police
- Romania: Directorate for Investigating Organised Crime and Terrorism; Directorate for Fighting Organised Crime, Romanian Police
- Switzerland: Zurich Public Prosecutor’s Office III; Zurich Cantonal Police
- Ukraine: Prosecutor General’s Office; Cyber Department of the Security Service of Ukraine (SBU); Main Investigation Department of the National Police of Ukraine; Division for Combating Cyber Security Crimes
- United Kingdom: National Crime Agency – National Cyber-Crime Unit
The Message to Cybercriminals
For years, criminals saw First VPN as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement.
This operation proves them wrong.
- The infrastructure is dismantled
- The administrator is under arrest
- Thousands of users have been identified
- Investigators across multiple jurisdictions are now using the intelligence gathered to support ongoing cybercrime investigations worldwide
The message: No tool, no service, no infrastructure is truly beyond reach. Law enforcement cooperation across borders works. Cybercriminals who believe they are anonymous are wrong.
Why This Operation Matters
For law enforcement:
- Demonstrates the power of international cooperation
- Provides intelligence for ongoing investigations
- Removes a critical layer of criminal infrastructure
For cybercrime victims:
- Potential leads for identifying attackers
- Deterrence effect on future cybercriminals
- Justice becomes more achievable
For the cybercrime ecosystem:
- Trust in “anonymous” services is eroded
- The cost of cybercrime increases
- The risk of detection and prosecution rises
Conclusion
First VPN has been dismantled. The administrator is under arrest. Thirty-three servers have been seized. Thousands of users have been identified.
For years, cybercriminals believed this VPN service would keep them beyond the reach of law enforcement. It appeared in almost every major Europol-supported cybercrime investigation. Criminals used it to carry out ransomware attacks, large-scale fraud, data theft, and other serious offences.
The coordinated action took place between 19 and 20 May 2026, targeting the infrastructure behind one of the most widely used VPN services in the cybercrime underground.
The message is clear: no tool, no service, no infrastructure is truly beyond reach. Law enforcement cooperation across borders works. Cybercriminals who believed they were anonymous have been identified. Investigators across multiple jurisdictions are now using the intelligence gathered to support ongoing investigations worldwide.
The administrator is under arrest. The infrastructure is gone. The users have been identified. The intelligence is being shared.
Cybercriminals: your anonymity is an illusion. Law enforcement is watching. And now, they know who you are.
Q: What made First VPN a preferred tool for ransomware actors? Ans: First VPN Ransomware Takedown intelligence reveals the service was heavily promoted on Russian-speaking cybercrime forums for offering anonymous payments, hidden onion-domain infrastructure, and features tailor-made for avoiding law enforcement detection during ransomware operations.
Q: How did law enforcement overcome the cross-border nature of this cybercrime? Ans: Through a Joint Investigation Team (JIT) coordinated by Eurojust and an Operational Taskforce (OTF) hosted at Europol. This allowed 16 countries to share intelligence seamlessly and execute simultaneous server seizures, bypassing traditional jurisdictional roadblocks.
Q: What happens to the thousands of identified First VPN users? Ans: Their connection logs and digital footprints have been converted into 83 intelligence packages. These have been shared internationally to support 21 advanced investigations, stripping users of their anonymity and leading to future targeted arrests.
How many physical servers were dismantled during the First VPN operation?
- Ans: 33 servers.
Which international agency played a key coordinating role in this takedown?
- Ans: Europol (supported by Eurojust).
What was the primary demographic targeted by First VPN’s marketing?
- Ans: Cybercriminals operating on Russian-speaking forums.
True or False: Law enforcement successfully identified thousands of First VPN users.
- Ans: True.
Adv. Shoeb Hakim
Cybercrime & Digital Forensics Advisor
📌 Follow me on LinkedIn for daily cybercrime and digital forensics insights: https://www.linkedin.com/in/shoebhakim
📌 Visit my website for more articles: www.shoebhakim.com
♻️ Share this article with your network.
Disclaimer: This article is for informational purposes only and does not constitute legal advice.
Hashtags: #Europol #Eurojust #FirstVPN #Ransomware #Cybercrime #VPNTakedown #LawEnforcement #InternationalCooperation #CyberSecurity #DarkWeb #DataTheft #FraudPrevention #CyberInvestigation #Bitdefender #JIT #OTF #JCAT #France #Netherlands #Luxembourg #Romania #Switzerland #Ukraine #UnitedKingdom #Canada #Germany #UnitedStates #Spain #Sweden #Denmark #Estonia #Latvia #Lithuania #Poland #Portugal #Cybercriminal #AnonymousVPN #InfrastructureTakedown #UserIdentification #IntelligenceSharing #GlobalCrackdown #CyberJustice #AdvShoebHakim
Leave a Reply