Overview
- The coordinated Franco‑Dutch operation ran May 19–20 and removed First VPN from service after authorities seized 33 servers, took three domains and related onion sites offline, and arrested and questioned the alleged administrator in Ukraine.
- Investigators accessed First VPN’s internal systems and obtained a copy of its user database, and Europol says the operation produced 83 intelligence packages and information on 506 users that have already helped advance 21 investigations.
- The FBI and partner agencies say First VPN had operated since about 2014 with dozens of exit nodes across 27 countries and was used by at least 25 ransomware groups for reconnaissance, intrusions, scanning and other attacks.
- Europol and prosecutors say the service was advertised on Russian‑language cybercrime forums, offered anonymous payments and concealed infrastructure, and was marketed to users seeking to evade law enforcement despite public ‘no‑logs’ claims.
- Experts say the takedown removes a key layer of criminal infrastructure and supplies intelligence for prosecutions and victim recovery, while warning that demand for anonymous services means threat actors may shift to new providers over time.