The Dutch and French police, in collaboration with Europol, have taken the VPN service First VPN offline. This service was used by dozens of ransomware groups. Servers in 27 countries have been shut down, and the Ukrainian administrator has been arrested and questioned. Europol gained access to the user database and was able to identify thousands of users.
On May 19 and 20, the criminal VPN service First VPN was taken offline by the Dutch police’s High Tech Crime Team, in collaboration with the French police and Europol. The investigation lasted five years. Servers in 27 countries have been shut down, and the Ukrainian administrator has been arrested.
First VPN explicitly targeted cybercriminals. The administrator promoted the service on hacker forums and promised complete anonymity, including anonymous payment options. “We only store emails and usernames, but it is impossible to link a user’s online activity to a specific user of our service,” First VPN stated in a post on a hacker forum. Those promises proved untenable. Europol gained access to the user database, allowing thousands of users to be identified. According to the FBI, at least 25 ransomware groups used the service.
Leads for ongoing investigations
The data from the database provided law enforcement agencies with concrete leads for further investigation into ransomware attacks, fraudulent practices, and other serious crimes. In addition to anonymity, the service offered features aimed specifically at criminals, such as anonymous payments, setting it apart from regular VPN providers.
This is not the first time the Dutch police have contributed to taking down a VPN service. In 2021, Team High Tech Crime also took DoubleVPN offline, again in an international operation with Europol and the FBI. That service was also actively promoted on hacker forums and used by ransomware groups.
False promises of anonymity
The police emphasize that the reality differed significantly from the service’s own claims. “This led the service to appear as if it were reliable and its users were safe, which in reality was not the case,” according to the police. The identities of the thousands of users are now known to law enforcement agencies in multiple countries. The investigation into individual users is still ongoing.