You Cannot Hide: Virtual private networks can be useful tools for securing business practices and protecting people privacy online. When used by a criminal group, a robust VPN service provider becomes a massive security threat requiring an international counteraction effort.
Earlier this week, European authorities carried out a continent-wide operation targeting a crime-focused VPN service known as "First VPN." Europol said the illicit service had been promoted for years on Russian-language underground forums, where it was marketed as a "trusted" platform for cybercriminals seeking a safehaven for their malicious online activities.
Europol worked together with Eurojust, the EU's agency for judicial cooperation in criminal matters involving multiple member states. The two agencies coordinated with law enforcement and judicial authorities from 16 countries, concluding a complex investigation that began in December 2021. Romania-based cybersecurity firm Bitdefender also participated in the operation.
First VPN operators were reportedly selling a range of illicit services, including anonymous payment mechanisms, hidden online infrastructure, and other tools supporting cybercriminal activity. Europol said the VPN was involved in nearly every significant crime investigation supported by the agency in recent years. It allegedly facilitated a wide range of cybercrime activities, including ransomware attacks, large-scale fraud operations, data theft, and more.
Edvardas Šileris, Head of Europol's European Cybercrime Centre (EC3), stated that "cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong."
After discovering First VPN being advertised on underground forums, French and Dutch authorities began cooperating in 2022 by sharing evidence and developing a joint prosecution strategy. An additional coordination layer was established in 2023, involving Eurojust and several other European agencies.
European authorities carried out their decisive action between May 19 and 20, targeting and dismantling the infrastructure behind First VPN. Eurojust partners arrested the VPN's administrator and conducted a search of a residence in Ukraine. Authorities dismantled 33 servers linked to the illicit VPN and shut down several DNS resources on both the surface web and the Tor network (onion services).
Furthermore, investigators identified individuals paying for access to First VPN infrastructure. These users have reportedly been informed that the service has been shut down and that they have been identified by authorities.
The final operation involved authorities from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom. As the head of EC3 noted in Europol's official statement, cybercriminals worldwide have now been stripped of a critical layer of protection they had been exploiting to evade law enforcement action.
