Seizure of First VPN service operations amid widespread abuse in cybercrime investigations
Summary
Hide ▲
Show ▼
An international law enforcement operation has dismantled the 'First VPN' service, widely abused in ransomware and data theft campaigns, after a multi-year investigation. Operations included the seizure of 33 servers across 27 countries, the arrest of a Ukrainian administrator, and the takeover of associated domains (1vpns.com, 1vpns.net, 1vpns.org, and onion variants). The platform was marketed as no-logging and privacy-focused but allegedly used by threat actors to conceal infrastructure and identities. Investigators infiltrated the service, collected traffic data, and identified thousands of users globally, sharing 506 user identities and 83 intelligence packages with international partners to support ongoing cybercrime investigations.
Timeline
-
21.05.2026 16:09 1 articles · 1h ago
First VPN service seized in international law enforcement operation
On May 19–20, 2026, a coordinated international operation dismantled the First VPN service. Actions included seizure of 33 servers across 27 countries, arrest of a Ukrainian administrator, domain takedowns (1vpns.com, 1vpns.net, 1vpns.org, onion variants), and takeover of the service’s infrastructure. Investigators collected traffic data enabling identification of thousands of users, with Europol sharing 506 user identities and 83 intelligence packages internationally to support ongoing cybercrime investigations.
Show sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
Information Snippets
-
First VPN, a privacy-focused VPN service advertised on cybercrime forums, was seized in a coordinated international operation between May 19 and 20, 2026.
First reported: 21.05.2026 16:091 source, 1 articleShow sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
-
Law enforcement seized 33 servers linked to First VPN across 27 countries, arrested a Ukrainian administrator, and took control of domains including 1vpns.com, 1vpns.net, 1vpns.org, and related onion sites.
First reported: 21.05.2026 16:091 source, 1 articleShow sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
-
The investigation began in December 2021, led by French and Dutch authorities, with a joint investigation team established in November 2023.
First reported: 21.05.2026 16:091 source, 1 articleShow sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
-
Investigators infiltrated the VPN infrastructure and collected traffic data enabling identification of service users, including those linked to ransomware and data theft operations.
First reported: 21.05.2026 16:091 source, 1 articleShow sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
-
Europol reports that user information from First VPN was shared across 16 countries, with 506 user identities disclosed and 83 intelligence packages created to support ongoing investigations.
First reported: 21.05.2026 16:091 source, 1 articleShow sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
-
Dutch police confirmed all users of First VPN have been identified and notified, with no specific numbers released; further legal actions against users remain unspecified.
First reported: 21.05.2026 16:091 source, 1 articleShow sources
- Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09