First VPN Service as criminal VPN infrastructure for ransomware and fraud operators
Threat Actor Meta
Summary
Hide ▲
Show ▼
First VPN Service functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of underground infrastructure. The service was built for anonymous payments and hidden infrastructure, making it easier for offenders to mask attribution and move traffic through trusted-looking nodes. Its use by at least 25 ransomware groups shows that it was a shared cybercrime enabler rather than a niche access tool.
Related Happenings
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
**CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
Vulnerability
H score47
First: 08.06.2026 16:05
Last: 08.06.2026 16:05
Sources 1
About this happening:
**Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
VulnerabilityAbout this happening: **Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
First VPN had assets seized in First VPN takedown
Law Enforcement
H score17
First: 21.05.2026 18:30
Last: 21.05.2026 18:30
Sources 1
How related:
The international operation took place between May 19 and 20, during which authorities took a series of concurrent actions that involved interviewing the service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.
About this happening:
Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
First VPN had assets seized in First VPN takedown
Law EnforcementHow related: The international operation took place between May 19 and 20, during which authorities took a series of concurrent actions that involved interviewing the service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.
About this happening: Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
First VPN takedown by Europol and French-Dutch authorities
Law Enforcement
H score17
First: 21.05.2026 16:09
Last: 21.05.2026 16:09
Sources 1
How related:
The disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
About this happening:
**Europol** and **French and Dutch authorities** took **First VPN** offline in a cross-border operation that also **seized servers** and **arrested the administrator**. The case m...
First VPN takedown by Europol and French-Dutch authorities
Law EnforcementHow related: The disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
About this happening: **Europol** and **French and Dutch authorities** took **First VPN** offline in a cross-border operation that also **seized servers** and **arrested the administrator**. The case m...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
H score66
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Timeline
-
22.05.2026 20:35 2 articles · 1mo ago
Authorities announce dismantling of First VPN Service
Initial DisclosureAuthorities in Europe and North America announced the dismantling of First VPN Service, a criminal VPN used to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The France- and Netherlands-led operation involved concurrent actions on May 19-20, including interviewing First VPN Service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure, while the FBI said the service had been active since about 2014 and had 32 exit node servers in 27 countries.
Show sources
- First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups — thehackernews.com — 22.05.2026 20:35
- First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups — thehackernews.com — 22.05.2026 20:35
-
04.03.2026 17:02 1 articles · 4mo ago
Huntress traces 1vpns[.]com to ransomware infrastructure
Technical Analysis UpdateHuntress Tactical Response Team traced a successful brute-force RDP intrusion on an exposed server into a geo-distributed infrastructure cluster centered on specialsseason[.]com and 1vpns[.]com, with TLS-certificate pivots uncovering related domains such as 1jabber[.]com and nologs[.]club. Telemetry and public threat reporting linked the same VPN service and related IP space to Hive ransomware and BlackSuite, reinforcing that the infrastructure supported ransomware operators.
Show sources
- How a Brute Force Attack Unmasked a Ransomware Infrastructure Network — www.bleepingcomputer.com — 04.03.2026 17:02