Europol leads operation to shut down a VPN exploited by criminals; thousands identified and arrested.
In a remarkable operation orchestrated by international law enforcement agencies, Europol has succeeded in dismantling First VPN, a virtual private network service that had become a go-to for cybercriminals believing their activities were shielded from law enforcement.
The operation, primarily led by authorities in France and the Netherlands, resulted in the shutdown of First VPN and the arrest of its operator. The VPN was reportedly used by multiple criminal organizations to facilitate ransomware attacks and other nefarious activities.
Europol revealed the results of the operation on a recent announcement, indicating that the First VPN website has since displayed a message confirming its seizure by law enforcement. This site was pitched as a secure tool for anonymity, heavily advertised on Russian-speaking cybercrime forums.
“The VPN service utilized by cybercriminals to conceal ransomware attacks, data theft, and various serious offenses has been dismantled,” Europol detailed. The service had gained notoriety over the years for providing users with anonymous payment methods and hidden infrastructure specifically tailored for criminal endeavors.
The operation unfolded over several months, beginning in December 2021 when investigators first gained access to First VPN’s internal systems. This breakthrough allowed law enforcement to compile an extensive user database. The intelligence gathered provided clues linking numerous users to criminal activities.
Following the infiltration of First VPN, authorities were able to gather logs and details about thousands of users, many of whom had mistakenly believed they were operating under the protective cloak that the VPN promised.
The Dutch National Police Corps emphasized that prior to the seizure of the domains connected with First VPN, they were able to monitor the criminal traffic engaged by these users. The illusion of safety was shattered once users were made aware of the operation and that they had been identified.
An Internet Archive capture of First VPN's website displayed grandiose claims about providing users with complete anonymity and security. Assertions such as “no logs” were made, a common reassurance among VPN providers aiming to build trust with their customer base. “All of our servers meet high security requirements and do not keep logs,” the website claimed, presenting an unshakeable front of reliability.
First VPN had been operational since 2014 and managed a network of 32 exit node servers spread across 27 countries. Charmingly marketed on Russian-language forums notorious for harboring cybercriminal activity, the VPN drew many unsavory characters into its fold.
The FBI noted in an intelligence alert that at least 25 ransomware groups, including operations like Avaddon Ransomware, utilized First VPN to launch attacks.
According to FBI reports, addressing the associated scanning activity from First VPN's IP addresses demonstrated efforts made by adversaries aiming to identify open ports and network configurations. The agency's assessment underscored that the VPN infrastructure served as a crucial tool in facilitating subsequent attacks on target networks, utilized for operations such as password spraying or brute-force attempts.
The culmination of the extensive investigation and operational strategies led to action taken on May 19 and May 20. Authorities in multiple countries collaborated to interview the operator of First VPN and execute a house search in Ukraine. A coordinated effort led to the dismantling of 33 servers associated with the criminal service.
In total, Europol revealed that this operation produced 83 intelligence packages that resulted in information about 506 users being disseminated internationally. This shared intelligence has already started to support at least 21 ongoing investigations across multiple jurisdictions.
The domain seizures were authorized by judicial orders, effectively targeting the domains 1vpns.com, 1vpns.net, 1vpns.org, in addition to associated onion domains. Users were notified of the shutdown and informed that they had been identified in the process.
Support from European Justice agency Eurojust facilitated significant coordination among participating countries, ensuring that vital evidence and insights were exchanged amongst law enforcement agencies. Eurojust contributed to 16 coordination meetings aimed at shaping a coherent prosecutorial strategy, underscoring the complexities of multinational judicial cooperation.
The impact of this operation initiates a potential paradigm shift in how VPN services are perceived, especially those marketed towards individuals engaged in illicit activities. With the knowledge of law enforcement's ability to penetrate such services, criminals may reconsider their reliance on these tools.
This situation serves as a vital reminder that while VPNs can offer layers of security and privacy, not all services can be trusted. The penetration of First VPN by law enforcement illustrates that even the most strongly advertised safety features can be deceptive.
Users should remain vigilant when choosing VPN providers, ensuring that they are investing in legitimate, reputable services that uphold privacy and security standards. As seen from this incident, relying solely on promises made on a website may not provide the expected legal protection.
The lessons learned from the shutdown of First VPN underline the critical need for enhanced user awareness and diligence when navigating the digital landscape.
The recent dismantling of First VPN offers a compelling glimpse into the future of cyber law enforcement. As criminal enterprises increasingly leverage technology to operate with seeming impunity, the international coalition of law enforcement agencies indicates a robust response is forming to combat these threats.
With the lessons drawn from this operation, it is likely that further actions against such VPN services will intensify. As investigations evolve and new technologies emerge, the dynamic between cybersecurity and law enforcement will continue to develop.
The case of First VPN serves as a pivotal example—illustrating the fine line between privacy and crime in the digital age and the lengths to which law enforcement will go to dismantle criminal networks hiding in the shadows.
First VPN was primarily used by cybercriminals to conceal their malicious activities, including ransomware attacks, data theft, and various cyberfraud schemes.
Investigators gained access to the service's internal systems and user database, allowing them to collect intelligence about the activities of its users.
Users have been notified of the seizure and identified, indicating that many may face legal consequences for their activities while using the VPN service.