An international law enforcement operation has taken down a virtual private network service called First VPN, which authorities say was used by cybercriminals in ransomware, fraud, and data theft attacks.
The operation led to the seizure of dozens of servers across 27 countries, the arrest of the service’s administrator, and a house search in Ukraine. Investigators also seized several domains linked to the VPN, including 1vpns.com, 1vpns.net, 1vpns.org, and related onion domains.
First VPN had been promoted on cybercrime forums as a privacy-focused service that did not keep user logs and ignored requests from law enforcement. VPNs are commonly used for legitimate reasons, such as protecting users on public WiFi, bypassing censorship, reducing online tracking, and securing remote work connections. However, cybercriminals also use them to hide their real location and disguise the infrastructure behind attacks.
According to Europol, First VPN appeared in almost every major cybercrime investigation supported by the agency. The investigation into the service began in December 2021 and was led by French and Dutch authorities. In November 2023, both countries formed a joint investigation team to move the case forward.
Investigators eventually managed to infiltrate the VPN’s infrastructure before it was taken offline. This allowed them to collect traffic data and identify people who had used the service.
Eurojust said an operational task force was created at Europol, bringing together investigators from 16 countries to analyze the seized data and share intelligence with international partners.
The coordinated operation took place between May 19 and May 20. Authorities seized 33 servers linked to First VPN, disrupted key parts of its infrastructure, questioned a Ukrainian suspect, and sent notifications to identified users of the platform.
Dutch police said all users of First VPN had been identified and directly notified. However, officials did not reveal the total number of users or whether further legal action will be taken against them.
Europol said information about 506 users was shared internationally, along with 83 intelligence packages that could support ongoing and future investigations.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
The agency said the seized intelligence exposed thousands of users connected to the cybercrime ecosystem and created new leads tied to ransomware attacks, fraud schemes, and other serious crimes around the world.





