An international law enforcement operation led by French and Dutch authorities has dismantled a VPN service allegedly used by ransomware operators, fraudsters, and cybercriminal groups to conceal illegal online activity. The operation, supported by Europol and Eurojust, targeted a service known as “First VPN,” which investigators say had become deeply embedded in the cybercrime ecosystem.
Authorities said the VPN platform was promoted for years on Russian-speaking cybercrime forums as a secure and anonymous infrastructure for conducting ransomware attacks, large-scale fraud, and data theft operations. The coordinated enforcement action took place between 19 and 20 May 2026 and involved agencies from multiple countries.
Authorities Seize Servers and Shut Down Domains
Investigators dismantled 33 servers linked to the VPN infrastructure and conducted a house search while interviewing the administrator in Ukraine. Law enforcement agencies also seized several domains associated with the service, including 1vpns.com, 1vpns.net, 1vpns.org, and related onion domains.
Registration Begins for FutureCrime Summit 2026, India’s Largest Cybercrime Conference
Officials stated that users of the VPN service were informed that the platform had been shut down and that investigators had identified them. According to Europol, the VPN service appeared in “almost every major cybercrime investigation” supported by the agency in recent years.
Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said:
“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong.”
Investigation Traced Thousands of Suspected Users
The investigation began in December 2021, when authorities working with Europol’s European Cybercrime Centre gained access to the service and obtained its user database. Investigators identified VPN connections allegedly used by cybercriminals to mask ransomware attacks, fraud schemes, and other illegal activities.
Cybersecurity company Bitdefender also assisted investigators during the operation. Authorities said the intelligence gathered exposed thousands of users connected to the wider cybercrime ecosystem and generated operational leads for ongoing investigations worldwide.
International Coordination Expanded the Operation
A Joint Investigation Team backed by Eurojust was established in November 2023 to facilitate cooperation between French and Dutch authorities. Europol simultaneously formed an Operational Taskforce involving investigators from 16 countries to analyze seized data and coordinate intelligence sharing.
According to Europol, the operation has already resulted in 83 intelligence packages being shared internationally, information connected to 506 users being disseminated to partner agencies, and progress in 21 cybercrime investigations.
Authorities from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom participated directly in the action days, while several other countries supported the wider investigation.
Growing Focus on Criminal Infrastructure
The takedown reflects a broader global strategy by law enforcement agencies to target the infrastructure enabling cybercrime, including VPN services, proxy networks, botnets, and encrypted communication platforms. Europol has previously coordinated similar actions against services allegedly used by ransomware operators and phishing groups.
As investigators continue analyzing seized data, authorities across multiple jurisdictions are expected to use the intelligence to support ongoing cybercrime and ransomware investigations worldwide.
