A coordinated international police operation has dismantled First VPN, a service that gave ransomware gangs and cyber criminals the anonymity they needed to operate undetected. The operation was led by French and Dutch authorities with support from Europol, the UK’s National Crime Agency, and security firm Bitdefender, and marks the first time law enforcement has successfully taken down a criminal VPN service of this scale.
The operation began in December 2021. Over four and a half years, investigators gained access to the First VPN service, obtained a copy of its user database, and identified the connections used specifically by cyber criminals.
The administrator behind First VPN was arrested in Ukraine. Their home was searched, 33 servers were dismantled, and multiple domain names were seized, including 1vpns.com, .net, and .org.
Intelligence gathered during the investigation has already exposed over 500 known users of the service. Over 80 intelligence packages have been shared with law enforcement agencies worldwide.
The intelligence from this single operation has already fed into 21 separate criminal investigations, demonstrating the ripple effect of dismantling the infrastructure that cyber criminals depend on.
First VPN was specifically designed for criminal use, offering anonymised payments and hidden infrastructure. Removing it strips away a key layer of protection that threat actors relied on.
This was not a quick raid. Investigators spent four and a half years building their case, proving that law enforcement is willing to play the long game against cyber crime infrastructure.
France, the Netherlands, the UK, Europol, and private sector firms all worked together. Cyber crime crosses borders, and so must the response.
Rather than chasing individual attackers, law enforcement is increasingly targeting the shared services that enable cyber crime at scale. Take down the tools, and you disrupt entire networks.
First VPN appeared in almost every major Europol cyber investigation in recent years. Its removal directly impacts the operational capability of ransomware gangs who depended on it.
Criminals assumed they were beyond reach. This operation proves that even purpose-built criminal infrastructure can be infiltrated, mapped, and dismantled over time.
Legitimate VPNs remain an important security tool. But this is a reminder that the technology itself is neutral. Make sure your business uses reputable, audited VPN providers and that staff understand the difference.
Operations like this generate intelligence that often surfaces in breach databases and dark web monitoring feeds. If your organisation has been targeted by ransomware in recent years, new leads from this takedown could be relevant.
Criminal infrastructure will be rebuilt. New services will replace First VPN. The lesson is not that law enforcement has won, but that your own security layers need to be strong enough to withstand attacks regardless of what tools criminals use.
The physical infrastructure behind First VPN was dismantled across multiple locations, along with all associated domain names and onion services.
Over five hundred known criminal users of the service have been identified and linked to cyber crime activity through the seized database.
Europol has already distributed over 80 intelligence packages to agencies worldwide, generating actionable leads across multiple ongoing investigations.
The investigation ran from December 2021 to May 2026 - a sustained, patient effort that culminated in the arrest, server seizure, and infrastructure takedown.