An international coalition of law enforcement agencies dismantled First VPN on Thursday, seizing servers across 27 countries and arresting its administrator. The FBI said at least 25 ransomware gangs used the service to hide their activity. Europol called the VPN "deeply embedded in the cybercrime ecosystem," appearing in nearly every major investigation the agency supported in recent years.
The operation, launched in December 2021, culminated with investigators obtaining First VPN's user database. They then identified VPN connections and notified users that they had been exposed. "First VPN users were informed that they have been identified," Europol stated in its announcement. The FBI's alert detailed the scale of criminal reliance on the service.
Beyond the 25 ransomware gangs, cybercriminals used First VPN to scan the internet for vulnerable systems, run botnets, launch distributed denial-of-service attacks, and operate fraud schemes. The service's infrastructure spanned dozens of servers across 27 countries, according to the bureau.
What this actually means for your family. A VPN service marketed as a shield for privacy became a weapon for extortion. Ransomware gangs used it to lock hospitals, schools, and small businesses out of their own data. The policy says one thing. The reality says another.
Europol's announcement revealed that First VPN offered more than just anonymous connections. The service provided anonymous payment options, hidden infrastructure, and other features specifically tailored for criminal hackers. "Criminals used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offences," the agency said.
First VPN openly advertised on known cybercrime forums. TechCrunch reviewed posts on at least two Russian-speaking marketplaces where the service promised ironclad protection. "We are for anonymity. We do not store any logs that would allow us or third parties to link an IP address in a specific period of time with a user of our service," one advertisement stated. "The only data we store is e-mail and username, but it is impossible to link a user's online activity with a specific user of our service."
That promise collapsed. Investigators dismantled the illusion of anonymity by seizing the very database the service claimed would protect its users. Europol said dozens of servers were dismantled and the entire infrastructure disrupted.
The arrest of the administrator marks a rare decapitation strike against a VPN provider. Most law enforcement actions against cybercrime infrastructure target the users or the servers, not the operators running the service. This signals a shift in strategy. Going after the enablers, not just the criminals, raises the cost of operating these services.
Both sides claim victory. Here are the numbers. Twenty-five ransomware gangs. Twenty-seven countries. Thousands of exposed users. One arrested administrator.
The takedown represents one of the most significant disruptions of criminal VPN infrastructure in recent years. The economic toll of ransomware alone justifies the scale of this operation. Ransomware payments exceeded $1 billion globally in 2023, according to blockchain analysis firm Chainalysis. Services like First VPN form the hidden plumbing that makes those attacks possible. Without anonymous infrastructure, extortion campaigns become far riskier for criminals.
The investigation's timeline reveals the patience required for such operations. Europol launched the probe in December 2021. For over four years, investigators mapped the service's infrastructure, tracked its users, and built the case that led to Thursday's action. That patience paid off.
The takedown also exposes a tension in the VPN industry. Legitimate VPN providers market privacy as a fundamental right. Criminal VPNs exploit that same marketing language to attract clients who need anonymity for illegal purposes. Distinguishing between the two requires examining who the service markets to and what additional features it offers. First VPN crossed that line clearly. Advertising on Russian-language cybercrime forums is not the behavior of a privacy advocate. Offering anonymous payments and hidden infrastructure tailored for hackers places the service firmly in the criminal category.
The exposure of thousands of users creates immediate legal jeopardy. Europol's notification to users that they "have been identified" is not a courtesy. Law enforcement agencies across the 27 countries where First VPN operated servers now possess evidence linking specific individuals to criminal activity conducted through the service. Prosecutions will follow. The question is how many and where. Extradition battles may emerge if the arrested administrator is not in the country seeking to prosecute. International cooperation that enabled the takedown must now extend to the judicial phase.
The operation also sends a message to other VPN providers operating in gray areas. Marketing to criminals carries consequences. The anonymity you sell can be stripped away. Your database can be seized. Your administrator can be arrested.
Why It Matters: The First VPN takedown dismantles a critical piece of cybercrime infrastructure that enabled ransomware attacks affecting hospitals, schools, and businesses worldwide. For ordinary internet users, fewer operational criminal VPNs means higher barriers for ransomware gangs, potentially reducing the frequency of attacks that disrupt essential services and drive up costs for consumers.
Key Takeaways:
- The FBI confirmed at least 25 ransomware gangs used First VPN to mask their operations before the service was dismantled Thursday.
- Europol seized the user database and identified thousands of individuals linked to cybercrime activity across 27 countries.
- The service's administrator was arrested, a rare move that signals law enforcement is now targeting VPN operators, not just their criminal users.
- First VPN advertised on Russian-language cybercrime forums, promising no-logs policies that investigators ultimately defeated by seizing the database.
What comes next is a wave of prosecutions. Law enforcement agencies across multiple jurisdictions now hold evidence tying specific users to criminal acts. Expect arrests and charges in the coming months. The administrator's extradition and trial will test international cooperation frameworks. Other VPN operators marketing to criminals will watch closely. The message is clear. Anonymity is not permanent. Administrators can be found. The takedown reshapes the risk calculus for cybercriminal infrastructure providers.
Source: TechCrunch









