Authorities have taken down a virtual private network service called **'First VPN'**, which was actively used in ransomware and data theft attacks, in a coordinated international law enforcement effort. The operation highlights the ongoing battle against cybercriminals who exploit VPNs to conceal their malicious activities. ### Global Operation Targets Cybercrime Enabler Law enforcement agencies seized numerous **First VPN** servers located in 27 countries. They also arrested the service's administrator and executed a house search in Ukraine, signaling a firm stance against services facilitating cybercrime. **First VPN** was advertised on various cybercrime forums as a privacy-focused VPN that promised not to log user data and to ignore law enforcement requests. This made it attractive to threat actors seeking anonymity. ### Legitimate Use vs. Criminal Exploitation VPNs encrypt user traffic and mask their real IP addresses. While they are legitimately used for privacy on public Wi-Fi, bypassing censorship, reducing tracking, and enabling secure remote work, cybercriminals also exploit them to hide their location and infrastructure. Depending on their jurisdiction, VPN providers may be legally obligated to comply with law enforcement requests and provide data for criminal investigations. **First VPN's** alleged disregard for these obligations made it a prime target. ### Europol's Involvement and Investigation Details According to **Europol**, the name of the service surfaced in nearly every major cybercrime investigation the agency supported, leading to its takedown. <figure>  <figcaption>**Seizure notice published on a First VPN website** *Source: BleepingComputer*</figcaption> </figure> The investigation into **First VPN** began in December 2021, spearheaded by French and Dutch authorities who formed a joint investigation team in November 2023. Investigators infiltrated the VPN infrastructure before the takedown, gathering user databases and identifying VPN connections used in cyberattacks. ### Key Actions and Outcomes A coordinated international operation between May 19 and 20 resulted in: * Seizure of 33 servers linked to **First VPN** * Seizure of the 1vpns.com, 1vpns.net, 1vpns.org, and related onion domains * Disruption of key infrastructure supporting the service * Identification and questioning of a Ukrainian suspect * Notifications issued to identified users of the platform The Dutch police confirmed that all **First VPN** users have been identified and directly notified. **Europol** shared information about 506 users internationally, along with 83 "intelligence packages" to aid ongoing investigations. **Europol** stated that the gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offenses worldwide.