First VPN Service as criminal VPN infrastructure for ransomware and fraud operators
Threat Actor Meta
Summary
First VPN Service functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of underground infrastructure. The service was built for anonymous payments and hidden infrastructure, making it easier for offenders to mask attribution and move traffic through trusted-looking nodes. Its use by at least 25 ransomware groups shows that it was a shared cybercrime enabler rather than a niche access tool.
Related Happenings
First VPN had assets seized in First VPN takedown
Law Enforcement
First: 21.05.2026 18:30
Last: 21.05.2026 18:30
Sources 1
How related:
The international operation took place between May 19 and 20, during which authorities took a series of concurrent actions that involved interviewing the service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.
About this happening:
Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
First VPN takedown by Europol and French-Dutch authorities
Law Enforcement
First: 21.05.2026 16:09
Last: 21.05.2026 16:09
Sources 1
How related:
The disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
About this happening:
**Europol** and **French and Dutch authorities** took **First VPN** offline in a cross-border operation that also **seized servers** and **arrested the administrator**. The case m...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
SocksEscort criminal proxy-service ecosystem monetizing residential routers
Threat Actor Meta
First: 13.03.2026 07:26
Last: 13.03.2026 07:26
Sources 1
About this happening:
The **SocksEscort** proxy-service ecosystem turned compromised residential routers into a rentable abuse platform, letting criminal customers hide behind **369,000 IP addresses**...
Cisco SSL VPN and GlobalProtect credential-probing campaign
Campaign
First: 18.12.2025 06:10
Last: 18.12.2025 06:10
Sources 1
About this happening:
A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...
Timeline
-
22.05.2026 20:35 2 articles · 5d ago
Authorities announce dismantling of First VPN Service
Initial Disclosure
Authorities in Europe and North America announced the dismantling of First VPN Service, a criminal VPN used to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The France- and Netherlands-led operation involved concurrent actions on May 19-20, including interviewing First VPN Service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure, while the FBI said the service had been active since about 2014 and had 32 exit node servers in 27 countries.
Sources:
- First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups — thehackernews.com — 22.05.2026 20:35
-
04.03.2026 17:02 1 articles · 2mo ago
Huntress traces 1vpns[.]com to ransomware infrastructure
Technical Analysis Update
Huntress Tactical Response Team traced a successful brute-force RDP intrusion on an exposed server into a geo-distributed infrastructure cluster centered on specialsseason[.]com and 1vpns[.]com, with TLS-certificate pivots uncovering related domains such as 1jabber[.]com and nologs[.]club. Telemetry and public threat reporting linked the same VPN service and related IP space to Hive ransomware and BlackSuit, reinforcing that the infrastructure supported ransomware operators.
Sources:
- How a Brute Force Attack Unmasked a Ransomware Infrastructure Network — www.bleepingcomputer.com — 04.03.2026 17:02