An international coalition of law enforcement agencies announced Thursday the takedown of a popular virtual private network (VPN) service used by cybercriminals, along with the arrest of its administrator.
The FBI issued an alert stating that First VPN was so widespread that “at least” 25 ransomware groups utilized it to disguise their malicious actions. Cybercriminals also employed the VPN for internet scanning, running botnets, executing distributed denial-of-service (DDoS) attacks, and scams. First VPN managed servers across 27 countries, as reported by the agency.
Europol announced that besides anonymous connections, First VPN offered anonymous payments, concealed infrastructure, and other services specifically aimed at criminal hackers.
“First VPN had become deeply embedded in the cybercrime ecosystem, appearing in almost every major cybercrime investigation supported by Europol in recent years,” the announcement stated. Criminals used it to hide their identities and infrastructures while executing ransomware attacks, large-scale fraud, data theft, and other serious crimes.
The service advertised on known cybercrime forums, including at least two Russian-speaking marketplaces, assuring users protection against identification.
“We are for anonymity. We do not store any logs that would allow us or third parties to link an IP address in a specific period of time with a user of our service,” FirstVPN stated in a post observed by TechCrunch. “The only data we store is e-mail and username, but it is impossible to link a user’s online activity with a specific user of our service.”
Europol noted that First VPN users were notified of the shutdown and informed they had been identified. Investigators declared they achieved this by acquiring the service’s user database and tracing VPN connections, thus revealing thousands of users tied to the cybercrime ecosystem.
The international law enforcement agency also reported the arrest of First VPN’s administrator, the dismantling of dozens of servers, and disruption of its infrastructure — outcomes of an investigation initiated in December 2021.