European law enforcement has done what any good bouncer would do: they hacked into a VPN service used by ransomware gangs and other digital miscreants, identified thousands of users, then shut the whole thing down and arrested the person running it.
Europol announced yesterday that the operation targeted First VPN, a service whose website now displays a seizure notice rather than its usual promises of total invisibility. “For years, the service, known as ‘First VPN,’ was promoted on Russian-speaking cybercrime forums as a trusted tool for remaining beyond the reach of law enforcement,” the agency said. It turns out that trust was somewhat misplaced.
The investigation began in December 2021, and at some point investigators managed to get inside the service, grab its user database, and identify VPN connections used by criminals trying to hide. Bitdefender, the security vendor, lent a hand. “The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem,” Europol said.
The Dutch National Police Corps noted that before seizing the domains, “police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe.” That’s the digital equivalent of finding out your secret hideout had a hidden camera all along.
First VPN’s website, preserved by the Internet Archive, promised to conceal IP addresses, encrypt communications, and hide actions “from the provider and other interested persons.” It also made the classic “no logs” promise, assuring customers that no records would be kept for law enforcement or other third parties. “Big Brother is watching you, we are not!” the site proclaimed. Well, Big Brother was watching, just not the one they expected.
The VPN advertised primarily on cybercriminal forums, targeting criminals as potential clients and stating it would never cooperate with any judicial authority. Eurojust, the EU’s justice cooperation agency, said First VPN promised it “would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction.”
First VPN had been active since 2014 and provided 32 exit-node servers in 27 countries, the FBI said in an intelligence alert. It advertised on Russian-language forums that “provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband.” At least 25 ransomware groups, including Avaddon Ransomware, used First VPN infrastructure for network reconnaissance and intrusions. The FBI noted that its IP addresses were used for scanning activity, botnets, denial-of-service attacks, scams, and hacking.
The operation produced 83 “intelligence packages,” shared information on 506 users internationally, and advanced 21 Europol-supported investigations so far. Authorities took down the VPN on May 19 and May 20, “interviewed the administrator and conducted a house search in Ukraine,” and dismantled 33 servers. Domain seizures targeted 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains. “Users of the criminal service have been notified of the shutdown and informed that they have been identified,” Europol added, which is probably not the notification they were hoping for.