Law Enforcement Shuts Down First VPN Used By 25 Ransomware Gangs

By TechDogs Bureau

TD NewsDesk

Updated on Fri, May 22, 2026

An international law enforcement operation has dismantled First VPN, a criminal virtual private network service allegedly used by ransomware gangs and other cybercriminals to hide intrusions, fraud, botnet activity, denial-of-service attacks, and internet scanning operations.
 

TL;DR

  • First VPN was taken down in a joint operation led by French and Dutch authorities, with support from Europol, Eurojust, the FBI, and other international partners.
  • The FBI said the service had operated since around 2014 and was used by at least 25 ransomware groups.
  • Authorities dismantled more than 33 servers and seized domains linked to the service.
  • Investigators obtained user and traffic data, then notified users that they had been identified.


Law enforcement agencies across several countries have shut down First VPN, a virtual private network service that investigators say had become a key anonymity layer for cybercriminals.

According to the FBI, First VPN had been active since approximately 2014 and, as of April 2026, offered around 32 exit-node servers across 27 countries. The bureau said at least 25 ransomware groups, including Avaddon, used the service’s infrastructure for network reconnaissance and intrusions. It also linked First VPN IP addresses to scanning activity, botnets, denial-of-service attacks, scams, and hacking.

The coordinated action was carried out by French and Dutch authorities, with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg, and support from the FBI. Eurojust said the wider joint action took place on May 19 and 20, and resulted in the dismantling of more than 33 servers tied to the criminal service.

First VPN allegedly targeted cybercriminals directly by advertising on criminal forums and promising users a secure environment to carry out illegal activity, including hacking and ransomware attacks. The FBI said the service was almost exclusively advertised on known criminal dark web forums, including Exploit and XSS, two Russian-language marketplaces used to trade access to compromised systems, stolen personal data, hacking tools, and other illicit goods.

Eurojust said the service promoted anonymity by claiming it would not cooperate with judicial authorities, would not store data, and would not be subject to any jurisdiction. However, investigators gained access to the VPN service before it went offline, obtaining valuable insights and traffic data from users who believed they were operating securely.

The takedown also affected First VPN’s web infrastructure. The FBI identified the service’s websites as 1vpns.com, 1vpns.org, and 1vpns.net, along with an onion service accessible through Tor. It also said First VPN hosted a Jabber server at 1jabber.com and accepted cryptocurrency payments for subscriptions ranging from one day to one year.

Eurojust said the seized domain names included 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains. Users of the service were notified of the shutdown and informed that they had been identified.

Europol described First VPN as deeply embedded in the cybercrime ecosystem and said it appeared in almost every major cybercrime investigation supported by the agency in recent years. It also said criminals used the service to conceal identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offenses.

There is one wording difference across public statements. Europol and media reports described the administrator as arrested, while Eurojust’s public release described a search and interview of a suspect in Ukraine. For publication, the safest phrasing is that authorities dismantled the service and took action against a suspected administrator, unless we rely specifically on Europol’s wording.

For defenders, the FBI advised organizations to block and monitor known First VPN infrastructure, restrict authentication to approved networks or managed devices, enforce multi-factor authentication, harden remote access services, and correlate IP indicators with behavioral telemetry instead of relying only on IP blocking.
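The last point, correlating IP indicators with behavioral telemetry, can be sketched as a small triage routine. This is an added example, not code from the FBI advisory or from TechDogs; the event fields, the baseline, the scoring policy and all IP addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
# Constructed sample data: RFC 5737 placeholder IPs, not real exit nodes; fields are assumed.
INDICATOR_IPS = {"192.0.2.10", "192.0.2.11"}
BASELINE = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.8"}, "carol": {"198.51.100.9"}}
# Constructed events, oldest first: (user, ip, success, mfa_passed, managed_device)
EVENTS = [
    ("alice", "198.51.100.7", True,  True,  True),
    ("bob",   "192.0.2.10",   False, False, False),
    ("bob",   "192.0.2.10",   False, False, False),
    ("bob",   "192.0.2.10",   True,  False, False),
    ("carol", "203.0.113.50", False, False, False),
    ("carol", "203.0.113.50", True,  False, False),
    ("dave",  "192.0.2.11",   False, False, False),
]

def collect_signals(events, indicators, baseline):
    """Return {(user, ip): set of signal names} accumulated over all events."""
    failures = defaultdict(int)
    signals = defaultdict(set)
    for user, ip, ok, mfa, managed in events:
        key = (user, ip)
        if ip in indicators:
            signals[key].add("indicator_ip")
        if not ok:
            failures[key] += 1
            continue
        if ip not in baseline.get(user, set()):  # behaviour is judged on successful logins
            signals[key].add("new_ip_for_user")
        if not mfa:
            signals[key].add("no_mfa")
        if not managed:
            signals[key].add("unmanaged_device")
        if failures[key]:
            signals[key].add("success_after_failures")
    return {k: v for k, v in signals.items() if v}

def priority(sig):
    """Assumed triage policy: an indicator hit matters most when behaviour agrees."""
    behavioural = sig - {"indicator_ip"}
    if ("indicator_ip" in sig and behavioural) or len(behavioural) >= 3:
        return "high"
    return "watch" if "indicator_ip" in sig else "low"

def report(events=EVENTS, indicators=INDICATOR_IPS, baseline=BASELINE):
    found = collect_signals(events, indicators, baseline)
    return {k: (priority(s), sorted(s)) for k, s in found.items()}

if __name__ == "__main__":
    print(report())
```

In the sample data, the login from 203.0.113.50 is rated high even though that address is not on the indicator list, which is the case pure IP blocking would miss.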

First published on Fri, May 22, 2026
