CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Global law enforcement operation dismantles criminal VPN service used by 25 ransomware groups

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A coordinated international law enforcement operation dismantled First VPN Service, a criminal-focused VPN infrastructure leveraged by at least 25 ransomware groups, threat actors, and cybercriminals for anonymizing malicious activities including ransomware attacks, data theft, network reconnaissance, and denial-of-service operations. The takedown spanned May 19–20, 2026 and involved authorities from 21 countries, including France, the Netherlands, Ukraine, the U.S., and the U.K., under operations led by Europol and Eurojust. The service, active since 2014, provided 32 exit nodes across 27 countries and promoted itself on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as an anonymity tool resistant to law enforcement cooperation. Impact includes the seizure of 33 servers, interviews with the service administrator, and disruption of infrastructure supporting global cybercrime operations. The FBI confirmed the service’s role in enabling multiple ransomware operations, including Avaddon Ransomware.

Timeline

  1. 22.05.2026 20:35 1 articles · 1h ago

    First VPN Service seized in international law enforcement operation

    Authorities from 21 countries dismantled First VPN Service, a criminal VPN infrastructure used by at least 25 ransomware groups, during a coordinated operation on May 19–20, 2026. Actions included server seizures across 27 countries, a house search in Ukraine, and interviews with the service administrator. The FBI confirmed the service’s role in enabling ransomware operations since at least 2014.

    Show sources
    Open in new tab

Information Snippets