European law enforcement agencies have dismantled “First VPN,” a VPN platform widely used by cybercriminal groups to hide ransomware attacks, fraud operations, and data theft activity. Authorities say the takedown exposed thousands of users linked to cybercrime investigations worldwide.
The operation was coordinated by Europol and Eurojust and carried out between May 19 and May 20 with support from investigators across 27 countries. Officials arrested a suspected administrator, seized 33 servers, and took control of multiple domains and associated Tor infrastructure connected to the VPN service.
According to Europol, First VPN had become one of the most frequently encountered anonymity services in major cybercrime investigations. The platform was openly advertised on Russian-language cybercrime forums as a tool designed to help criminals evade law enforcement detection while concealing malicious infrastructure.
Investigators said cybercriminals used the VPN network to mask ransomware attacks, credential theft campaigns, account hijacking operations, financial fraud schemes, and large-scale data breaches. Europol stated the service appeared in “almost every major cybercrime investigation” supported by the agency in recent years.
Authorities reportedly gained access to parts of the service’s internal infrastructure and user data during the operation. Europol confirmed that investigators identified thousands of users associated with cybercrime activity, generating new intelligence leads tied to ongoing ransomware and fraud investigations.
Officials have not publicly disclosed how much customer information was recovered. However, law enforcement agencies indicated the seized infrastructure may provide valuable operational data capable of linking threat actors to previous attacks and underground criminal networks.
The takedown highlights increasing international efforts targeting cybercriminal infrastructure rather than focusing solely on individual hacking groups. Security agencies have recently expanded operations against bulletproof hosting providers, underground forums, encrypted communication platforms, and anonymity services frequently used by ransomware gangs and organized cybercrime networks.
VPN services themselves are not illegal and remain widely used for legitimate privacy, security, and remote access purposes. However, investigators said First VPN specifically marketed itself within underground cybercrime communities and promoted features designed to support illegal activity.
Europol officials described the operation as a major blow against cybercriminal anonymity infrastructure and warned that additional investigations linked to the seized data are ongoing.