Law enforcement agencies in Europe and North America carried out a coordinated operation on 19–20 May to dismantle First VPN Service — a VPN service that, according to Europol, was deliberately created to serve cybercriminals. According to the FBI, at least 25 ransomware groups, including Avaddon Ransomware, used the service’s infrastructure to conduct network reconnaissance, intrusions, large-scale fraud and data theft. During the operation, 33 servers were seized, the domains were confiscated, and a search was carried out in Ukraine with the service administrator questioned.
Timeline and scope of the operation
The investigation began back in December 2021. The operation was led by France and the Netherlands with the support of 16 countries: Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland and Portugal. The active phase took place on 19–20 May and involved simultaneous actions in several jurisdictions: a search in Ukraine, questioning of the administrator, shutting down 33 servers and seizing the infrastructure.
According to a statement by Eurojust, the domains 1vpns[.]com, 1vpns[.]net, 1vpns[.]org, as well as associated onion domains on the Tor network, were confiscated.
Technical infrastructure of First VPN
According to an FBI advisory, the service had been operating since approximately 2014 and had 32 exit nodes in 27 countries. Three nodes were located in the United States.
The service offered a wide range of connection protocols: OpenConnect, WireGuard, Outline and VLess TCP Reality. Encryption options included OpenVPN ECC, L2TP/IPSec and PPTP. Of particular note is support for the VLESS and Reality protocols, which make it possible to disguise VPN traffic as ordinary HTTPS traffic on standard web ports, significantly complicating detection by network monitoring tools.
Customer support was provided via a self-hosted Jabber server and the Telegram messenger.
Indicators of compromise
IP addresses of exit nodes located in the United States, as listed in the FBI advisory:
- 2.223.66[.]103
- 5.181.234[.]59
- 92.38.148[.]58
Seized domains:
- 1vpns[.]com
- 1vpns[.]net
- 1vpns[.]org
The service was advertised on Russian-language cybercriminal forums Exploit[.]in and XSS[.]is as a tool for evading law enforcement.
Business model of the criminal service
First VPN operated on a subscription model with flexible pricing: from 2 US dollars for one day to 483 dollars for a year. Payments were accepted via Bitcoin, Perfect Money, Webmoney, EgoPay and InterKass — a set of payment systems typical for the shadow segment of the internet, where transaction anonymity is a priority.
The service positioned itself under the slogan “Anonymity, Stability, Security” and claimed not to keep logs, not to be able to link an IP address to a specific user, and to refuse cooperation with any judicial authorities. At the same time, the FAQ contained a caveat about a “strict prohibition” on using the servers for illegal activities — an obvious legal buffer not supported by any real control.
Threat context and significance of the operation
The dismantling of First VPN continues a series of international operations to eliminate infrastructure that supports the ransomware ecosystem. The FBI’s statement that at least 25 ransomware groups used the service points to First VPN’s role as one of the key elements in the infrastructure layer that provides anonymity for attackers. Among the named users is the Avaddon Ransomware group, although the full list of groups and supporting evidence have not been disclosed in publicly available materials.
The service’s decade-long period of operation (since 2014) and its presence in 27 countries demonstrate how deeply such criminal services become integrated into the global network infrastructure. The use of advanced traffic-masking protocols such as VLESS and Reality shows that operators of criminal services actively adapt legitimate censorship-circumvention technologies to the needs of cybercrime.
Practical recommendations
- Review of network logs: organizations should review historical network traffic records for connections to the specified IP addresses (2.223.66[.]103, 5.181.234[.]59, 92.38.148[.]58) and the domains 1vpns[.]com/net/org. Detection of such connections may indicate a compromise.
- Monitoring of masked traffic: pay attention to anomalous HTTPS traffic that may in fact be a VPN connection disguised via the VLESS/Reality protocols. Deep packet inspection and analysis of connection patterns will help identify such activity.
- Updating blocking rules: add the listed indicators of compromise to SIEM, IDS/IPS and firewall systems.
- Subscription analysis: if traces of First VPN usage are found within the organization, this is grounds for a full incident investigation, since the service was directly linked to the activities of ransomware groups.
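To put the log-review recommendation into practice, here is an added example (not from the article or from any of the agencies it cites) that refangs the published indicators and flags connections to them in firewall-style log lines; the log format, field names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Indicators quoted in the article from the FBI advisory and the Eurojust statement, kept defanged.
DEFANGED_IPS = ["2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"]
DEFANGED_DOMAINS = ["1vpns[.]com", "1vpns[.]net", "1vpns[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '1vpns[.]com' back into a matchable value."""
    return indicator.replace("[.]", ".").lower()


IOC_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Assumed log shape (constructed): "<ts> src=<ip> dst=<ip> dport=<port> [host=<name>]"
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)(?:\s+host=(?P<host>\S+))?")


def domain_matches(host: str) -> bool:
    """Exact match or subdomain of a seized domain (e.g. 'panel.1vpns.net'), never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines):
    """Return (line_number, indicator) for every connection to a First VPN exit node or seized domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed destination field
        if dst in IOC_IPS:
            hits.append((n, str(dst)))
        elif m["host"] and domain_matches(m["host"]):
            hits.append((n, m["host"].lower()))
    return hits


# Constructed sample log: line 2 reaches a US exit node, line 3 a subdomain of a seized domain,
# line 4 is a look-alike name that must not match.
SAMPLE_LOG = [
    "May 21 08:00:01 src=10.0.0.15 dst=142.250.74.46 dport=443 host=www.google.com",
    "May 21 08:00:07 src=10.0.0.15 dst=92.38.148.58 dport=443",
    "May 21 08:01:12 src=10.0.0.22 dst=203.0.113.9 dport=443 host=panel.1vpns.net",
    "May 21 08:02:30 src=10.0.0.22 dst=198.51.100.4 dport=443 host=not1vpns.com",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: connection to First VPN indicator {ioc}")
```

A hit on an exit-node address only shows that a host used the service; per the article's final recommendation it is the trigger for a full incident investigation, not the conclusion of one.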
The dismantling of First VPN deprives dozens of criminal groups of a familiar anonymization tool but does not eliminate the demand for such services. Organizations should use the published indicators of compromise for retrospective analysis of network traffic and give priority to detecting masked VPN connections — this technique, implemented via VLESS and Reality, will be used ever more frequently in attacks, regardless of the fate of any particular service.