506 Core Users

Europol Dismantles Criminal Network Behind First VPN

VPN, Europol, VPN takedown, First VPN takedown, Europol shuts down First VPN network, First VPN users identified by Europol, First VPN, Cyber Crime
Facebook
X
LinkedIn
Reddit
WhatsApp

In a global coordinated operation, Europol has taken down the VPN service First VPN. Investigators monitored traffic data and identified thousands of users linked to criminal activity.

The European law enforcement agency Europol carried out a coordinated international operation that completely dismantled the virtual private network service First VPN, also known in specialist circles as 1VPNS. The operation took place between May 19 and May 20, 2026, marking a significant blow to the digital infrastructure of organized cybercrime. The service had been actively promoted for years in Russian-language underground forums.

Ad

The operators promised customers absolute anonymity from law enforcement and the ability to conceal sophisticated cyberattacks, ransomware campaigns, and large-scale fraud schemes without leaving traces. With the shutdown of the platform, one of the key technical protection layers used by criminal actors worldwide has been removed.

33 Server Structures Taken Offline

As part of the operational measures, authorities successfully identified and disconnected a total of 33 server infrastructures, both physically and logically. These servers formed the technological backbone of the VPN service and were strategically distributed across multiple countries. Investigators also seized the platform’s primary internet domains, including 1vpns.com, 1vpns.net, and 1vpns.org. In addition, associated addresses within the encrypted Tor network — so-called onion domains — were taken offline and replaced with official seizure notices.

Alongside the technical infrastructure, the operational leadership of the service was also targeted. Following a court-ordered raid in Ukraine, officers detained a suspected main administrator of the platform and subjected him to detailed questioning. The seized storage devices and evidence are currently being analyzed by forensic experts to uncover further insights into the criminal network.

Ad

Secret Traffic Monitoring Before Shutdown

A key tactical element of the operation was that law enforcement did not immediately announce the shutdown publicly. According to a separate statement from the European judicial authority Eurojust, investigators had gained covert access to First VPN systems well before the final intervention. This access was legally authorized through multiple European Investigation Orders and mutual legal assistance requests between the involved countries.

This covert approach allowed national investigation teams to gain valuable insight into how users operated. They monitored live traffic flows and collected log data from actors who believed they were operating in a secure, non-logging environment. The captured traffic data provides a detailed record of criminal activity as it occurred in real time.

506 Core First VPN Users Identified

Analysis of intercepted traffic and seized server data led to the identification of thousands of users linked to criminal activity. Europol has begun directly notifying identified users about the shutdown of the service and their inclusion in ongoing investigations. The findings have already generated multiple new investigative leads related to global ransomware attacks, complex online fraud schemes, data theft, and other serious cybercrimes.

Data belonging to 506 so-called core users—classified as highly active or high-value targets—has already been shared by European authorities with international partners outside the European Union. Investigators expect this dataset to act as a catalyst for numerous follow-up arrests and enforcement actions within the global cybercrime ecosystem.

Preparation Since 2021 with 27 Countries

The successful takedown of First VPN is the result of years of meticulous investigative work that began in 2021. A total of 27 countries participated in the preparation and execution of the operation. Operational leadership was provided by law enforcement and prosecutors from France and the Netherlands, with continuous support from Europol and Eurojust, as well as technical analysis from cybersecurity provider Bitdefender.

Edvardas Sileris, head of the European Cybercrime Centre at European Cybercrime Centre, stated that cybercriminals had long viewed this VPN service as a safe gateway to anonymity, believing themselves beyond the reach of justice. The operation demonstrates otherwise, he said, proving that there is no permanent impunity in the digital space for providing criminal infrastructure. Over time, First VPN became one of the most widely used anonymization services in the criminal underground and appeared in nearly all major cybercrime investigations coordinated by Europol in recent years.

Authorities expect the disruption of the platform to significantly destabilize the logistical structures of numerous international hacker groups.


Lisa Löw

Lisa

Löw

Junior Editor

it-daily.net

Ad

Artikel zu diesem Thema

Cyberattack, Grafana Labs confirms GitHub environment breach and source code theft, Grafana Labs cyberattack, Grafana Labs hack, GitHub breach, Grafana Labs, Hack
19. May 2026
Cyberattack: Grafana Labs Confirms Source Code Theft
Signal
27. April 2026
German federal government suspects Russia behind Signal attack
Cybersecurity
27. April 2026
Cyberattacks remain undetected for an average of 108 days
China
23. April 2026
Chinese hackers hide behind hijacked devices

Weitere Artikel

Gemini Deletes 30,000 Lines of Production Code in Autonomous AI Incident
Alibaba Takes Aim at Nvidia with New AI Chip “Zhenwu M890”
Critical Cisco Vulnerability Breaks Tenant Isolation
Too Dangerous to Release? Cloudflare Warns Over Anthropic’s Cyber AI “Mythos”