Law enforcement is shutting down a VPN service used by more than two dozen ransomware gangs

An international coalition of law enforcement agencies announced on Thursday that it had taken down a popular virtual private network service used by cybercriminals and arrested its administrator.

The FBI said in an alert that First VPN was so popular that “at least” 25 ransomware gangs used the service to hide their malicious activities. Cybercriminals have also relied on VPNs to scan the Internet, run botnets, launch distributed denial-of-service attacks, and carry out scams. First VPN operated servers in 27 different countries, according to the bureau.

Aside from offering anonymous connections, First VPN provided cybercriminals with anonymous payments, hidden infrastructure and other services specifically marketed to criminal hackers, Europol said in an announcement.

“The first VPN has become deeply entrenched in the cybercrime ecosystem, featuring in almost every major cybercrime investigation Europol has supported in recent years,” the announcement said. “Criminals have used it to hide their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious crimes.”

The service was advertised on well-known cybercrime forums, including at least two Russian-speaking markets, and promised to protect criminals from being identified.

“We stand for anonymity. We do not store any logs that would allow us or third parties to associate an IP address in a specific time period with a user of our service,” FirstVPN said in a post seen by TechCrunch. “The only data we store is email and username, but it is impossible to link a user’s online activity to a specific user of our service.”

However, Europol said that First VPN users were notified of the network shutdown and were “informed that they have been identified”. Investigators said they did this by obtaining the service’s user database and identifying VPN connections, which “uncovered thousands of users linked to the cybercrime ecosystem.”

The international law enforcement agency also said that First VPN’s administrator was arrested, dozens of servers were “dismantled”, and its infrastructure was down – all results of an investigation that began in December 2021.