Europol law enforcement operation dismantled First VPN (1VPNS), a notorious VPN service promoted on Russian-language cybercrime forums as a tool to hide from law enforcement and conceal cyberattacks.
Between May 19th and 20th, 2026, authorities arrested a suspected administrator and dismantled 33 servers behind the First VPN service. Police also seized and shut down primary domain names (1vpns.com, 1vpns.net, 1vpns.org), as well as associated onion domains.
The first VPN administrator was interviewed in Ukraine after a house search.
The takedown helped investigators identify thousands of service users linked to cybercrime activity, and generated operational leads connected to ransomware attacks, fraud schemes, and other specious offenses. The action will help further investigations into the cybercrime ecosystem.
Europol notified the criminal service’s users of the shutdown and also informed them that they had been identified. Information linked to 506 service users was shared with international partners.
“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong,” said Edvardas Šileris, Head of Europol’s European Cybercrime Center, in a press release.
Over the years, First VPN has grown into the most widely used service in the cybercrime underground. It has appeared in nearly all major cybercrime investigations supported by Europol.
Criminals used the service to conceal identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offenses. Knocking it offline removes a critical layer of protection that hackers depend on.
Police had access to the VPN service before it went offline
The takedown operation, involving 27 countries, follows a years-long investigation launched in 2021. France and the Netherlands led the operation with support from Europol, Eurojust, and Bitdefender.
Europol said that authorities had secretly gained access to the VPN service before it was taken offline. National teams and prosecutors executed several European Investigation Orders (EIOs) and Mutual Legal Assistance (MLAs) requests.
“This allowed authorities to gain access to the VPN service before it went offline, obtaining valuable insights and traffic data from users who believed they were conducting their criminal operations in a secure environment,” Eurojust said in a statement.
The authorities hope that the gathered intelligence will support other ongoing cybercrime investigations worldwide.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked