Seizure of First VPN service operations amid widespread abuse in cybercrime investigations
Summary
An international law enforcement operation dismantled the 'First VPN' service, widely abused in ransomware and data theft campaigns, after a multi-year investigation. Operations included the seizure of 33 servers across 27 countries, the arrest of a Ukrainian administrator, and the takeover of associated domains (1vpns.com, 1vpns.net, 1vpns.org, and onion variants). The platform was marketed as no-logging and privacy-focused but was allegedly used by threat actors to conceal infrastructure and identities. Investigators infiltrated the service, collected traffic data, and identified thousands of users globally, sharing 506 user identities and 83 intelligence packages with international partners to support ongoing cybercrime investigations. Europol coordinated the operation with support from Bitdefender, advancing 21 investigations through the intelligence gathered.
Timeline
- 21.05.2026 16:09 · 2 articles
  First VPN service seized in international law enforcement operation
  The coordinated operation dismantled First VPN between May 19 and 20, 2026, led by France and the Netherlands with Europol coordination. Actions included seizure of 33 servers across 27 countries, arrest of a Ukrainian administrator during a house search, domain takedowns (1vpns.com, 1vpns.net, 1vpns.org, onion variants), and infrastructure takeover. Investigators infiltrated the service, obtained its user database, and shared 506 user identities and 83 intelligence packages internationally, advancing 21 Europol-supported investigations. Cybersecurity firm Bitdefender supported the operation through Europol.
  Sources:
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
Information Snippets
- First VPN, a privacy-focused VPN service advertised on cybercrime forums, was seized in a coordinated international operation between May 19 and 20, 2026.
  First reported: 21.05.2026 16:09 · 2 sources, 2 articles
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- Law enforcement seized 33 servers linked to First VPN across 27 countries, arrested a Ukrainian administrator, and took control of domains including 1vpns.com, 1vpns.net, 1vpns.org, and related onion sites.
  First reported: 21.05.2026 16:09 · 2 sources, 2 articles
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- The investigation began in December 2021, led by French and Dutch authorities, with a joint investigation team established in November 2023.
  First reported: 21.05.2026 16:09 · 2 sources, 2 articles
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- Investigators infiltrated the VPN infrastructure and collected traffic data enabling identification of service users, including those linked to ransomware and data theft operations.
  First reported: 21.05.2026 16:09 · 2 sources, 2 articles
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- Europol reports that user information from First VPN was shared across 16 countries, with 506 user identities disclosed and 83 intelligence packages created to support ongoing investigations.
  First reported: 21.05.2026 16:09 · 2 sources, 2 articles
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- Dutch police confirmed all users of First VPN have been identified and notified, with no specific numbers released; further legal actions against users remain unspecified.
  First reported: 21.05.2026 16:09 · 1 source, 1 article
  - Police seize “First VPN” service used in ransomware, data theft attacks — www.bleepingcomputer.com — 21.05.2026 16:09
- The investigation was led by French and Dutch authorities with Europol as the coordinating body.
  First reported: 21.05.2026 18:30 · 1 source, 1 article
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- The operation resulted in the interview of the service's administrator during a house search in Ukraine.
  First reported: 21.05.2026 18:30 · 1 source, 1 article
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- Cybersecurity firm Bitdefender supported the takedown through Europol.
  First reported: 21.05.2026 18:30 · 1 source, 1 article
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- The seized domains include 1vpns.com, 1vpns.net, 1vpns.org, and associated onion-routed addresses.
  First reported: 21.05.2026 18:30 · 1 source, 1 article
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- The intelligence gathered has advanced 21 Europol-supported investigations.
  First reported: 21.05.2026 18:30 · 1 source, 1 article
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
- The operation disrupted a VPN service heavily embedded in major cybercrime investigations, including ransomware, fraud, and data theft operations.
  First reported: 21.05.2026 18:30 · 1 source, 1 article
  - Cybercriminal VPN Dismantled in Europol Crackdown — www.infosecurity-magazine.com — 21.05.2026 18:30
Similar Happenings
Disruption of 53 DDoS-for-hire domains in global law enforcement operation
Law enforcement agencies from 21 countries executed Operation PowerOff, a coordinated takedown of 53 domains linked to DDoS-for-hire services. Four individuals were arrested, 25 search warrants executed, and over 3 million criminal user accounts exposed. Infrastructure was seized to disrupt ongoing attacks, and 75,000 warning communications were sent to identified service users. The operation expanded into a prevention phase targeting remaining online resources, including the removal of over 100 URLs from search engines and warnings placed on cryptocurrency and blockchain platforms used by cybercriminals. Europol described DDoS-for-hire services as one of the most accessible cybercrime trends, enabling low-skilled attackers to execute disruptive attacks.
SocksEscort Proxy Network Disrupted by Law Enforcement
Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.
FBI Seizes RAMP Cybercrime Forum
The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem. Additionally, the FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. The forum had over 142,000 members and more than 215,000 messages between members as of December 2025. The seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries. The operation included the shutdown of LeakBase's domains, posting seizure banners, and warning members of the seizure. Law enforcement executed search warrants, made arrests, and conducted interviews in multiple countries. The seizure banner notes that the forum's database and all its contents, including IP logs and private messages, will be used for evidentiary purposes in future investigations. 
The domain nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The operation involved around 100 enforcement actions worldwide, including measures against 37 of the most active users of the platforms. LeakBase was active since 2021 and had over 142,000 members, offering access to databases, a market for selling leaks, exploits, and other cybercrime services, and an escrow payment system.
International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.