First VPN Dismantled After Police Hacked Service, Users Identified

First VPN is gone. Police secretly hacked into its infrastructure, identified thousands of users, and arrested its administrator after the VPN service openly marketed itself to cybercriminals on Russian-speaking forums. But European law enforcement agencies announced the takedown yesterday, and it's capping a yearslong operation that spanned multiple continents and exposed the hollow promise of criminal anonymity.

It's a blunt seizure notice. This digital tombstone marks a platform once boasting it was beyond any jurisdiction; operation led by France and the Netherlands with support from Europol and Eurojust culminated in coordinated raids on May 19 and 20.

The Promise That Was Never True

For years, First VPN carved out a niche that few legitimate VPN providers would touch. It did not just tolerate criminal customers. It courted them. The service was promoted on Russian-speaking cybercrime forums as a trusted tool for staying ahead of law enforcement. Anonymous payments, hidden infrastructure, and services designed specifically for criminal use were the selling points.

An archived version of the now-defunct website reveals the marketing pitch in full. "Big Brother is watching you, we are not!" the site declared. It promised to conceal IP addresses, encrypt all communications, and hide user actions "from the provider and other interested persons." The service made the classic "no logs" guarantee, assuring customers that no records existed that could ever be handed to authorities.

But that framing misses something. Dutch police stressed a critical distinction: this particular VPN service "was considered criminal, because it specifically targeted cyber criminals and gave them the opportunity to protect their identity." The site even stated that any cooperation with the judiciary would be denied and that the service was not subject to any jurisdiction. Every word of that turned out to be wrong.

How the Operation Unfolded

The investigation began in December 2021. At some point thereafter, investigators did what the service's users assumed was impossible. They gained access to the First VPN infrastructure, obtained the user database, and identified VPN connections used by cybercriminals seeking to conceal their activities. Security vendor Bitdefender assisted law enforcement in conducting the operation.

Here is the part the press release skipped. The Dutch National Police Corps issued an unusually blunt statement: before the domain seizures, "police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe."" Those five words at the end carry the weight of the entire operation. Users who thought they were invisible were being watched.

"The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offenses worldwide." , Europol

The operation moved into an intensified phase in November 2023. Eurojust hosted 16 coordination meetings among the involved authorities to prepare for the joint action. By the time the servers were taken offline, the participating countries had built a detailed picture of who was using the service and what they were doing with it.

The Numbers Behind the Takedown

First VPN had been active since 2014. It operated 32 exit node servers across 27 countries, a footprint that gave its users a wide selection of geolocations to route their traffic through. The FBI issued an intelligence alert yesterday detailing the scope of criminal activity tied to those servers.

At least 25 ransomware groups used First VPN infrastructure. The Avaddon ransomware group was among those named. The FBI noted that First VPN IP addresses were observed conducting scanning activity consistent with identifying open ports, services, and network configurations on target systems. The addresses were also linked to botnets, denial of service attacks, scams, and broader hacking campaigns.

VPN exit nodes, the FBI explained, can facilitate password spraying or brute force attempts against exposed services such as SSH, RDP, or web applications. The infrastructure was not a passive shield. It was an active weapon.

A Global Dragnet with a Simple Message

So it's on May 19 and 20 that direct actions involved authorities from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom, and additional support came from Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. Seventeen countries had a hand.

The administrator was interviewed and a house search was conducted in Ukraine. Authorities dismantled 33 servers linked to the criminal service. Domain seizures targeted 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains. The digital storefront vanished overnight.

This is where it gets interesting. But Europol didn't just shut down the service and walk away; instead, the agency sent a message directly to the users after they did so.

"Users of the criminal service have been notified of the shutdown and informed that they have been identified." ; Europol

What the Operation Produced

The intelligence haul was substantial. Europol reported the following outcomes from the First VPN takedown:

• 83 intelligence packages generated for further investigation
• Information on 506 users shared internationally
• 21 Europol-supported investigations advanced so far

Europol established a dedicated task force that brought together investigators from multiple countries. Their mandate: analyze the seized data and coordinate intelligence sharing with international partners. The work is not finished. It is accelerating.

The Advertising Channels

First VPN marketed itself primarily on cybercrime forums known to police. According to Dutch authorities, the service "expressly approached cyber criminals as potential clients." The FBI added detail: the forums in question "provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband."

It wasn't only there. But it actively sought out its customer base on the open platforms where the criminals congregated, promising them protection that the law enforcement systematically dismantled.

The Lesson No VPN User Will Forget

VPN services occupy a strange position in the digital ecosystem because they're able to protect privacy for legitimate reasons, and journalists, activists, and ordinary citizens use them every day. They can protect privacy. But the promise of anonymity is only as strong as the people running the servers, and users have no practical way to verify whether a VPN provider's privacy claims are credible.

The First VPN case pushes that uncertainty into new territory because law enforcement didn't merely pressure the company to hand over logs, they infiltrated the infrastructure and watched traffic flow through the tunnels. They identified users from inside. But the service's no-logs guarantee meant nothing when the very systems processing the traffic belonged to investigators.

They've arrested the administrator. They took down the infrastructure. But 83 intelligence packages in hands of investigators across multiple jurisdictions suggest the real work has only just begun, and for users who once "mistakenly believed themselves to be safe," the consequences are still unfolding.

Frequently Asked Questions

What is the 'First VPN' service mentioned in the blog post?

First VPN is a virtual private network service that was recently dismantled after police hacked into its infrastructure.

How did the police manage to dismantle First VPN?

Law enforcement hacked into First VPN's servers, compromising the service and identifying its users.

What happened to First VPN users after the police hack?

Users were identified and potentially exposed to legal consequences due to the breach of the VPN's anonymity.

Why is this event significant for VPN users?

It demonstrates that VPNs are not invulnerable to law enforcement, and user anonymity can be compromised.

What should users learn from the First VPN takedown?

Users should choose VPNs with strong no-logs policies and understand that no service guarantees absolute privacy.