Europol Dismantles 'First VPN' — the Cybercrime Underground's Most-Used Anonymity Service — and Walks Away With a List of Thousands of Its Users

First VPN was the anonymity layer underneath the cybercrime economy — Europol says it appeared in nearly every major investigation it has supported. Its takedown did more than remove a service: it handed investigators a subscriber list of thousands of cybercriminals and operational leads into active ransomware and fraud cases. The intelligence yield, not the disruption, is the story.

THE HAGUE, NETHERLANDS — Between May 19 and May 20, 2026, a Europol- and Eurojust-coordinated operation dismantled First VPN, also styled 1VPNS — a VPN service marketed on Russian-language cybercrime forums explicitly as a tool to hide from law enforcement and conceal cyberattacks. Authorities arrested a suspected administrator, dismantled 33 servers, and seized the service's primary domains along with associated Tor onion domains. Europol described First VPN as having grown into 'the most widely used service in the cybercrime underground,' appearing in nearly every major cybercrime investigation Europol has supported; criminals used it to mask identities and infrastructure while running ransomware attacks, large-scale fraud, and data theft. The takedown — the result of a years-long investigation launched in 2021, involving 27 countries, led by France and the Netherlands with support from Europol, Eurojust, and Bitdefender — also identified thousands of First VPN users linked to cybercrime and generated operational leads tied to ongoing ransomware and fraud cases.

What Happened

What First VPN Was — and Was Not

It is worth being precise about what was taken down, because the word 'VPN' invites a wrong assumption. First VPN — styled 1VPNS in its own marketing — was not a mainstream consumer privacy product. It was a criminal-marketed service, advertised on Russian-language cybercrime forums with an explicit pitch: hide from law enforcement, conceal your cyberattacks. Its customers were not privacy-conscious consumers but cybercriminals using it to mask their identities and the infrastructure behind ransomware operations, large-scale fraud, and data theft. Europol's characterization is blunt — First VPN had grown into 'the most widely used service in the cybercrime underground,' appearing in nearly every major cybercrime investigation the agency has supported. It was, in effect, the anonymity layer the criminal economy ran on.

The Takedown

The operation, coordinated by Europol and Eurojust and carried out between May 19 and May 20, 2026, struck the service on multiple fronts at once. Authorities arrested a suspected administrator, dismantled 33 servers, and seized First VPN's primary domains — 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org — along with associated Tor onion domains. Taking the clear-web and onion infrastructure together matters: it removes both the service's public face and its dark-web presence in a single action, leaving customers without an obvious migration path back to the same operator. The action was the culmination of a years-long investigation launched in 2021, involving 27 countries, led by France and the Netherlands with support from Europol, Eurojust, and the security firm Bitdefender.

The Intelligence Yield Is the Real Outcome

The most consequential result of the takedown is not the servers seized or the domains darkened — it is what investigators recovered. Europol says the operation identified thousands of First VPN users linked to cybercrime and generated operational leads connected to ongoing ransomware attacks, fraud schemes, and other offenses. That is the durable outcome. A VPN service can be rebuilt or replaced within days; a subscriber list of thousands of named cybercriminals, plus investigative threads into live cases, is a compounding asset that does not expire. It also raises a quiet question about the service itself: a criminal anonymity product that marketed concealment apparently retained enough data to expose its own customers — which is its own cautionary tale for the actors who trusted it.

Scope and Impact

First VPN's dismantling is not an isolated win; it is the latest strike in a sustained 2026 campaign of transnational cyber-enforcement. The CyberSignal has tracked INTERPOL's Operation Ramz, the first regional cybercrime operation focused on the Middle East and North Africa, which produced 201 arrests across 13 countries, and Europol's Operation PowerOFF, which seized DDoS-for-hire infrastructure and sent 75,000 warning letters to the customers of booter services. The pattern across them is deliberate. Law enforcement is no longer only pursuing individual criminals or individual gangs — it is systematically dismantling the infrastructure-as-a-service layer the cybercrime economy is built on: the booters, the bulletproof hosts, the initial-access brokers, and now the anonymity VPNs. First VPN is the anonymity layer's turn.

Several details remain open. The identity and nationality of the arrested suspected administrator have not been released; Europol says 'thousands' of users were identified without giving an exact figure; and which specific ransomware and fraud cases the operational leads connect to is not public. Whether the seized subscriber data leads to further arrests, and on what timeline, is the question that will determine the takedown's ultimate impact. One inference is fair, though: the scale of the intelligence yield strongly suggests First VPN logged far more about its users than a service marketed on concealment would ever have admitted. That is consistent with a recurring lesson from the Russian-language cybercrime ecosystem The CyberSignal has documented — including the resilience of groups like NoName057(16), whose activity rose rather than fell after an earlier Europol crackdown. Enforcement disrupts; it does not, on its own, end the ecosystem.

Response and Attribution

For threat-intelligence teams, the First VPN takedown is best treated as an intelligence event rather than a news item. Through Europol national central bureau or ISAC channels, request any indicators tied to First VPN infrastructure — the 33 seized servers, the 1vpns domains — and correlate them against historical incident data; investigations where attacker traffic once traced to First VPN infrastructure may now carry attribution leads, which makes a review of relevant cold cases worthwhile. Expect adversaries who relied on the service to migrate to alternative anonymity providers within days, so tracking should be updated to anticipate a short disruption followed by infrastructure rotation. For SOC and incident-response teams, any past investigation that touched the 1vpns domains or the seized server IP addresses should be revisited and correlated; some active campaigns routed through First VPN may briefly go quiet or visibly re-tool.

For CISOs, the takedown belongs in board and regulator briefings alongside Operation Ramz and the broader enforcement tempo, as evidence that the adversary's anonymity safe harbor is eroding — and as a prompt for adversary risk modeling: criminal-infrastructure-as-a-service is now a sustained law-enforcement target, which raises the operational cost and risk for every actor who depends on it. For policy and government-engagement teams, First VPN's dismantling — 27 countries, France- and Netherlands-led, Europol- and Eurojust-coordinated — is another concrete data point for the case that the international enforcement model works, useful in oversight and resourcing discussions. The intelligence yield in particular, thousands of identified users, demonstrates the downstream value of infrastructure takedowns beyond their immediate disruption: the seized service is the smaller prize; the seized subscriber base is the larger one.

The CyberSignal Analysis

Signal 01 — The Subscriber List Outlasts the Service

The instinct on reading 'VPN takedown' is to measure the win in disruption: a service is offline, criminals lose a tool. That measure understates this operation badly. A VPN is software and servers; it can be stood up again, by the same operator or a competitor, within days, and the criminal market will route around the gap quickly. What cannot be rebuilt is what investigators carried away — a list of thousands of cybercrime-linked users and live investigative leads into ransomware and fraud cases. That asset does not degrade. It compounds, as each identified user becomes a thread into other cases, other infrastructure, other actors. The right way to score the First VPN takedown is not 'a service was disrupted' but 'a subscriber base was unmasked.' The disruption is temporary; the intelligence is permanent.

Signal 02 — Law Enforcement Is Dismantling the Infrastructure Layer, Not Just the Criminals

For years, cybercrime enforcement was framed as a hunt for individuals and gangs — identify the operator, build the case, make the arrest. The 2026 pattern is different and more structural. First VPN, the booter services behind Operation PowerOFF, the initial-access brokers and bulletproof hosts targeted elsewhere this year — these are not criminals in the ordinary sense; they are the suppliers, the infrastructure-as-a-service layer that lets the actual criminals operate at scale and with deniability. Going after that layer changes the economics for everyone above it. A ransomware crew does not need to be arrested to be hurt; it can be hurt by losing the anonymity service it depended on, and hurt again by learning that service kept records. The strategic shift worth noting is that enforcement has moved from prosecuting cybercrime to degrading the market that supplies it.

Signal 03 — Enforcement Disrupts the Ecosystem; It Does Not End It

The honest framing of the First VPN takedown holds two truths at once. It is a genuine and significant win — years of work, 27 countries, a service that touched nearly every major Europol investigation, now dismantled with a subscriber list in hand. And it is not the end of criminal anonymity services, because the demand that created First VPN has not gone anywhere; competitors will absorb its customers, and some of those customers will simply be more careful next time. The CyberSignal has documented the resilient side of this dynamic directly — NoName057(16) increased its activity after an earlier Europol crackdown rather than diminishing. The realistic posture for defenders and policymakers is to treat takedowns like this one as exactly what they are: high-value, repeatable disruptions that raise the adversary's cost and yield durable intelligence, within an ecosystem that enforcement is steadily degrading but has not defeated. Progress here is measured in sustained pressure, not final victories.

Sources