FBI Links 25 Ransomware Gangs to First VPN Following Major International Takedown

A major international crackdown on cybercrime has uncovered the scale of criminal activity linked to First VPN, a controversial VPN provider that was recently dismantled by law enforcement agencies across Europe.

According to newly released information from the FBI, at least 25 ransomware groups were actively using the service’s infrastructure when authorities shut it down as part of a coordinated operation.

The revelation offers fresh insight into how cybercriminals have been exploiting privacy-focused services to conceal their activities, launch attacks, and evade detection. It also highlights the growing cooperation between international law enforcement agencies as they work to disrupt digital crime networks.

Operation Saffron Takes Down First VPN Infrastructure

The action against First VPN was carried out under Operation Saffron, a joint effort led by Europol and Eurojust. During the operation, authorities seized the provider’s European domain and took 33 servers offline, effectively dismantling a service that investigators say had become a preferred tool for cybercriminals.

The investigation began in late 2021 and continued for several years before reaching its conclusion in May. Officials believe the service played a significant role in enabling a wide range of criminal activities, including ransomware campaigns, online fraud operations, botnet activity, and network scanning.

The FBI’s findings indicate that numerous threat actors relied on the VPN provider to mask their identities and route malicious traffic through legitimate-looking infrastructure.

One of the most notable groups identified in the report was Avaddon Ransomware, a cybercriminal operation known for targeting businesses across multiple sectors and for its high-profile attack against insurance giant AXA in 2021.

Investigators also confirmed that they gained access to First VPN’s user database during the operation. The data has already helped identify more than 500 users and is supporting multiple ongoing cybercrime investigations across Europe.

How First VPN Allegedly Attracted Criminal Customers

According to investigators, First VPN did not simply attract cybercriminals by chance. Authorities claim the service actively promoted itself within underground communities where hackers buy and sell stolen data, malware, and attack tools.

The VPN reportedly advertised on well-known Russian-language cybercrime forums and promoted features specifically designed to appeal to individuals seeking anonymity. These included no-log policies, cryptocurrency payments, international server locations, and a stated refusal to cooperate with law enforcement agencies.

Users could purchase subscriptions ranging from a single day to a full year. The service operated dozens of servers across multiple countries and allowed customers to route traffic through several nodes, making attribution significantly more difficult for investigators.

To further support its user base, First VPN allegedly maintained dedicated technical support channels through encrypted communication platforms and private messaging services.

Criminals Used the Network to Hide Attacks

The FBI says cybercriminals leveraged the VPN infrastructure in several ways. One common tactic involved gaining unauthorized access to corporate networks through password spraying and brute-force attacks. Once inside a victim’s environment, attackers could map internal systems, identify valuable assets, and prepare for ransomware deployment.

Because traffic was routed through First VPN’s exit nodes, malicious activity often appeared to originate from trusted sources rather than from the attackers themselves. This added another layer of complexity for security teams attempting to trace and block attacks.

The infrastructure was also reportedly used to launch distributed denial-of-service attacks. These attacks flood targeted systems with traffic, disrupting operations and sometimes serving as a distraction while more damaging activity takes place in the background.

Investigators noted that the provider’s cloud-based and virtualized setup further complicated attribution efforts. IP addresses could be reassigned between different users and services, making it harder to establish direct connections between specific attacks and the individuals behind them.

FBI Urges Organizations to Strengthen Defenses

Following the takedown, the FBI issued a series of recommendations aimed at helping organizations reduce their exposure to ransomware and other cyber threats.

Among the agency’s top recommendations is the implementation of multi-factor authentication across all remote access services and cloud applications. MFA remains one of the most effective defenses against credential-based attacks and can significantly reduce the likelihood of unauthorized access.

Organizations are also encouraged to monitor and block infrastructure associated with First VPN and other anonymization services that may be abused by threat actors. Continuous monitoring for suspicious VPN connections, unusual login attempts, and unexpected network activity can help security teams identify threats before they escalate.
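
As an added illustration of the login monitoring recommended above (not part of the original article or of the FBI's guidance), the sketch below flags a source IP whose failed logins span many accounts in a short window and notes whether it falls in a watched anonymizer range. The log format, thresholds, IP range, and function names are all assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder range (RFC 5737) standing in for an anonymizer
# exit-node feed; the article itself publishes no indicators.
ANONYMIZER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 203.0.113.7 alice FAIL
2024-01-10T09:00:40Z 203.0.113.7 bob FAIL
2024-01-10T09:01:15Z 203.0.113.7 carol FAIL
2024-01-10T09:02:03Z 203.0.113.7 dave FAIL
2024-01-10T09:04:10Z 203.0.113.7 carol OK
2024-01-10T09:01:00Z 198.51.100.9 gina FAIL
2024-01-10T09:01:12Z 198.51.100.9 gina FAIL
2024-01-10T09:01:30Z 198.51.100.9 gina OK
"""

def parse(text):
    """Yield (datetime, ip, user, outcome); lines without four fields are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield (datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), *parts[1:])

def find_sprays(events, window=timedelta(minutes=10), min_users=4):
    """Flag source IPs whose failed logins span >= min_users accounts in a window."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    findings = {}
    for ip, rows in by_ip.items():
        fails = sorted((ts, u) for ts, u, o in rows if o == "FAIL")
        start, peak = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in fails[start:end + 1]}))
        if peak >= min_users:
            findings[ip] = {
                "accounts_tried": peak,
                "anonymizer": any(ipaddress.ip_address(ip) in n for n in ANONYMIZER_NETS),
                # Logins from this IP after its failures began: triage these first.
                "logins_after": sorted({u for ts, u, o in rows
                                        if o == "OK" and ts > fails[0][0]}),
            }
    return findings
```

On the sample data only 203.0.113.7 is flagged; the user who mistypes a password twice before logging in is not, because the failures touch a single account.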

The agency further recommends adopting layered security controls that combine network restrictions, identity verification measures, and behavioral monitoring. Together, these protections can improve visibility across corporate environments and make it more difficult for attackers to establish a foothold.

The First VPN takedown marks another significant victory for international law enforcement, but officials warn that cybercriminals will continue searching for new ways to hide their activities online. As ransomware threats evolve, organizations will need to remain vigilant and strengthen their security posture to stay ahead of increasingly sophisticated attacks.

Emily Parker
Emily Parker is a seasoned tech consultant with a proven track record of delivering innovative solutions to clients across various industries. With a deep understanding of emerging technologies and their practical applications, Emily excels in guiding businesses through digital transformation initiatives. Her expertise lies in leveraging data analytics, cloud computing, and cybersecurity to optimize processes, drive efficiency, and enhance overall business performance. Known for her strategic vision and collaborative approach, Emily works closely with stakeholders to identify opportunities and implement tailored solutions that meet the unique needs of each organization. As a trusted advisor, she is committed to staying ahead of industry trends and empowering clients to embrace technological advancements for sustainable growth.
