Europol dismantles cybercriminal VPN linked to ransomware investigations

Cybercrime investigations intensified after Europol helped dismantle the anonymous First VPN infrastructure.
International authorities dismantled a VPN service linked to ransomware and cybercrime operations.

Europol has announced that international law enforcement agencies dismantled the cybercriminal VPN platform known as First VPN during a coordinated operation targeting ransomware infrastructure and wider cybercrime networks.

The operation, led by authorities in France and the Netherlands with support from Eurojust, targeted infrastructure allegedly used by cybercriminals to conceal ransomware attacks, fraud, data theft and other illegal online activities.

Europol described the service as deeply embedded in the cybercrime ecosystem and said it had featured in almost every major Europol-supported cybercrime investigation over the past few years. The platform was allegedly promoted as an anonymity service for criminal use, offering anonymous payments, concealed infrastructure and tools intended to help users evade law enforcement detection.

Coordinated action days took place on 19 and 20 May, during which authorities dismantled 33 servers connected to the service and shut down associated domain names. Investigators also interviewed the alleged administrator in Ukraine and carried out a residential search linked to the operation.

According to Europol, investigators gained access to the platform’s infrastructure and user database during the investigation, which began in December 2021. The agency said the data helped identify users allegedly connected to ransomware campaigns, fraud schemes and other cybercrime operations across several jurisdictions.

Intelligence generated through the operation led to 83 intelligence packages being distributed internationally, information linked to 506 users being shared with partner agencies, and 21 Europol-supported investigations advancing through newly obtained evidence.

The operation also received support from cybersecurity company Bitdefender, while a joint investigation team coordinated by Eurojust facilitated judicial cooperation and evidence sharing among participating countries.

Why does it matter?

The takedown shows how law enforcement is increasingly targeting the infrastructure that enables cybercrime, not only the attackers themselves. VPN services marketed for criminal use can help ransomware actors and fraud networks hide their identity, route attacks and evade detection. By dismantling First VPN and obtaining user data, investigators can disrupt multiple cybercrime operations at once and strengthen ongoing ransomware investigations.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Diplo chatbot can make mistakes. Consider checking important information.