Europe dismantles VPN service used by cybercriminals to hide ransomware attacks

European law enforcement agencies have dismantled a VPN service long favored by cybercriminals to conceal ransomware attacks, fraud schemes and other illicit activities.

The international operation, led by France and the Netherlands and carried out May 19-20, targeted a service known as First VPN, which had been marketed for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement.

Authorities in Ukraine questioned the service’s administrator at the request of French investigators and conducted a house search as part of the coordinated operation. Law enforcement agencies also dismantled 33 servers linked to the platform.

According to a Europol statement Thursday, First VPN had appeared in “almost every major cybercrime investigation” the agency had supported in recent years.

The service allowed users to make anonymous payments and promised hidden infrastructure designed to shield criminal activity. Cybercriminals reportedly used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud and data theft operations.

“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong,” said Edvardas Sileris, head of Europol's European Cybercrime Centre.

“Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement,” he added.

Europol said investigators gained access to the service and obtained its user database, allowing authorities to identify VPN connections allegedly used by cybercriminals to conceal their activities.

The data exposed thousands of users linked to the cybercrime world and gave investigators new leads tied to ransomware attacks, fraud operations and other crimes around the world, the agency said.

Dutch authorities said First VPN specifically targeted criminal users and openly promoted itself on cybercrime forums. Investigators said the service claimed it would refuse cooperation with law enforcement, operate outside any jurisdiction and avoid storing user data.

“The service gave the impression that it was reliable and that its users were safe, which was not the case in reality,” Dutch authorities said.

Authorities notified users of the shutdown and informed them they had been identified. An investigationis ongoing.