Plenty of logs

Police boast of hacking VPN where criminals “believed themselves to be safe”

Law enforcement intercepted VPN traffic, seized domains, and arrested its operator.

Jon Brodkin
Screenshot of the First VPN website after its domain was seized, showing a message that the service has been seized by a joint international law enforcement action.

European law enforcement say they hacked into a VPN (virtual private network) service used for ransomware attacks and other crimes, and identified thousands of users before shutting the VPN down and arresting its administrator.

Europol announced yesterday the results of the operation against the service, First VPN. The First VPN website now displays a message saying the domain was seized by a joint international law enforcement action.

“A VPN service used by cybercriminals to conceal ransomware attacks, data theft, and other serious offenses has been dismantled in an international operation led by France and the Netherlands, with support from Europol and Eurojust,” the agency said. “For years, the service, known as ‘First VPN,’ was promoted on Russian-speaking cybercrime forums as a trusted tool for remaining beyond the reach of law enforcement. It offered users anonymous payments, hidden infrastructure, and services designed specifically for criminal use.”

The probe began in December 2021. At some point, “investigators gained access to the service, obtained its user database and identified VPN connections used by cybercriminals seeking to conceal their activities,” Europol said. Security vendor Bitdefender helped law enforcement conduct the operation, Europol said.

“The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offenses worldwide,” according to Europol.

Users “mistakenly believed themselves to be safe”

A statement from the Dutch National Police Corps said that before the domain seizures, “police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe.”

An Internet Archive capture of the now-defunct VPN service’s website shows it advertised the ability to conceal one’s IP address, encrypt all communications, and hide one’s actions “from the provider and other interested persons.” First VPN also made the “no logs” promise that is common among VPN providers to assure customers that they don’t store records that could be handed to law enforcement or other third parties.

“All of our servers, meet high security requirements and do not keep logs, are set up by specialists with vast experience in this field. Big Brother is watching you, we are not!” the website said.

Like many online platforms, VPNs can be used for both legitimate and criminal purposes. It’s difficult or impossible for users to know whether a VPN service’s privacy and security claims are credible.

The risk of law enforcement infiltrating a VPN provider’s internal systems adds to that uncertainty for users, although Dutch police stressed that this particular VPN service “was considered criminal, because it specifically targeted cyber criminals and gave them the opportunity to protect their identity.”

FBI: 25 ransomware groups used First VPN

First VPN “mainly advertised on the cyber criminal forums known to the police and thus expressly approached cyber criminals as potential clients,” Dutch police said. “The website of the service also stated that any cooperation with the judiciary would be denied, that the service was not subject to any jurisdiction and that no data on users was stored. As a result, the service pretended to be reliable and its users safe, which in reality was not the case.”

Eurojust, the European Union Agency for Criminal Justice Cooperation, said that “First VPN’s website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction.”

First VPN had been active since 2014 and provided 32 exit node servers in 27 countries, the FBI said in an intelligence alert yesterday. It advertised in Russian-language forums that “provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband,” according to the agency.

“At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions,” the FBI said. “First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking.”

The scanning activity observed from First VPN IP addresses was “consistent with adversary efforts to identify open ports, services, and network configurations,” the FBI said. The agency said that “VPN infrastructure may be used to enumerate systems within a target network following initial access,” and that “VPN exit nodes can facilitate password spraying or brute force attempts against exposed services such as SSH, RDP, or web applications.”

Users “informed that they have been identified”

Europol said the operation against First VPN produced 83 “intelligence packages,” resulted in information on 506 users being shared internationally, and helped advance 21 Europol-supported investigations so far. “With the infrastructure dismantled and the administrator under arrest, investigators across multiple jurisdictions are now using the intelligence gathered to support ongoing cybercrime investigations worldwide,” Europol said.

After the yearslong investigation, authorities took down the VPN in a series of actions on May 19 and May 20. Authorities “interviewed the administrator and conducted a house search in Ukraine” and “dismantled 33 servers linked to the criminal service,” Europol said.

Europol said the domain seizures were authorized by judicial orders and targeted 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains. “Users of the criminal service have been notified of the shutdown and informed that they have been identified,” Europol added.

While the investigation began in December 2021, it moved into a new phase in November 2023. Support from Eurojust helped French and Dutch authorities “work closely together, exchange evidence and information, and decide on a prosecutorial strategy. Eurojust hosted 16 coordination meetings among the involved authorities to prepare for the joint action day taking place this week, underscoring the need for complex judicial cooperation,” Europol said.

The direct actions on May 19 and May 20 were carried out by authorities from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the UK. There were various levels of support from Canada, Germany, the US, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. Europol said it set up a task force that brought together investigators from different countries “to analyze the seized data and coordinate intelligence sharing with international partners.”

Jon Brodkin, Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.