French and Dutch authorities, supported by Europol and Eurojust, have dismantled a VPN service widely used by cybercriminals to hide ransomware attacks, data theft, and large-scale fraud. The service, known as “First VPN,” had been promoted for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement via anonymous payments and hidden infrastructure.
The operation involved law enforcement agencies from France, the Netherlands, Romania, Ukraine, Switzerland, Luxembourg, and the United Kingdom.
Europol said the platform had become a key part of the global cybercrime ecosystem and was linked to numerous major investigations. Criminal groups allegedly used the service to hide their identities and online infrastructure.
The coordinated action took place between 19 and 20 May and targeted the infrastructure behind the VPN network. Authorities interviewed the service administrator and carried out a house search in Ukraine. In addition, 33 servers connected to the service were dismantled, and several domains (1vpns[.]com, 1vpns[.]net, 1vpns[.]org) were seized along with associated onion domains. Law enforcement agencies also notified users of the service that they had been identified.
In a separate investigation, Ukrainian authorities have detained an 18-year-old man from Odesa suspected of involvement with an international cybercrime crew that compromised nearly 30,000 customer accounts linked to a US online retailer.
The group used info-stealing malware to collect login credentials and session data, which were later sold through online platforms and Telegram channels.
At least 5,800 stolen accounts were allegedly used for unauthorized purchases worth around $721,000, causing more than $250,000 in losses. The suspect is accused of managing the infrastructure used to process and sell the stolen data and of handling cryptocurrency transactions.