A virtual private network service called “First VPN,” advertised on cybercrime forums as privacy-focused and “not logging” user data, has been taken offline in a joint international operation. Dozens of servers across 27 countries were seized, the administrato
For many people, a VPN is the last layer between ordinary internet use and the quiet fear of being tracked. For criminals, it can do something else entirely: make their work harder to trace.
That difference is now at the center of an international crackdown after law enforcement took down “First VPN,” a virtual private network service described by authorities as having been used in ransomware and data theft attacks.
In the joint operation, investigators seized dozens of First VPN servers spread across 27 countries. They arrested the service administrator and carried out a house search in Ukraine. Europol says the “First VPN” name appeared in almost every major cybercrime investigation the agency supported. and that “First VPN” names have been shut down.
The service was promoted on cybercrime forums as a privacy-focused VPN that “does not log user data” and ignores law enforcement requests for user information. That pitch matters because it targeted a specific kind of attacker: one who needs their real IP address and location hidden. VPN tools encrypt traffic and mask users’ true IP addresses. They can be used legitimately—to protect privacy on public Wi‑Fi. bypass censorship. reduce tracking. and support secure remote work—but threat actors also use them to obscure infrastructure and locations.
The legal situation is not the same everywhere. Depending on the region they operate in, VPN providers may be legally required to comply with law enforcement requests and hand over any data they retain for criminal investigations.
Investigators did not start this effort in the last few weeks. The investigation into the service began in December 2021. French and Dutch authorities led the work, forming a joint investigation team in November 2023.
At some point, investigators infiltrated the VPN infrastructure before it went offline. They collected the user database and identified the VPN connections cybercriminals used in attacks.
Europol’s communication for the operation—delivered in a cartoon-style video—underlines a point investigators have learned the hard way: even when threat actors promise to remove data, information is often still present on servers.
The operational task behind the scenes was large. Eurojust says an “Operational Taskforce” was set up at Europol, bringing together investigators from 16 countries to analyze the seized data and coordinate intelligence sharing with international partners.
The coordinated international action took place between May 19 and 20. targeting “First VPN” and resulting in several concrete steps: seizure of 33 servers linked to “First VPN”; seizure of the 1vpns.com. 1vpns.net. 1vpns.org. and related onion domains; disruption of key infrastructure supporting the service; identification and questioning of a Ukrainian suspect; and notifications issued to identified users of the platform.
The Dutch police press release says all users of First VPN have been identified and directly notified, though it did not mention how many people were involved. It also remains unclear whether further legal action is planned against those users.
Europol’s announcement adds more detail. It says information about 506 users was shared internationally, along with 83 “intelligence packages” intended to help ongoing or upcoming investigations.
“The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide,” Europol said.
For anyone using a VPN for legitimate reasons. the message landing now is uncomfortable but clear: privacy tools can be marketed for safety. but they can also be engineered into criminal infrastructure. And once investigators gain access to that infrastructure. the data that was supposed to vanish can end up doing the opposite—pointing investigators to the people and pathways behind the attacks.
First VPN Europol Eurojust ransomware data theft cybercrime forums VPN servers 1vpns.com 1vpns.net 1vpns.org onion domains Ukraine