French and Dutch authorities, with Europol and partners from 16 countries, seized 33 servers and multiple domains tied to the 'First VPN' service, which investigators say was widely used in ransomware, fraud, and data-theft attacks. Authorities arrested or questioned a Ukrainian administrator, infiltrated the service, and said intelligence from the takedown identified thousands of users, with 506 users and 83 intelligence packages shared internationally.
Why it matters: The takedown targets a criminal privacy service that allegedly supported major cybercrime operations and may generate follow-on investigations into ransomware and data-theft cases. Defenders and incident responders should watch for new attribution and victim-notification leads emerging from the seized data.
Eduard Kovacs
2026.05.22
98% relevant
This article covers the same First VPN takedown and adds that the alleged administrator was arrested in Ukraine, reiterates FBI details that at least 25 ransomware groups used the service, and notes investigators shared data on 506 identified users plus published IoCs and ATT&CK mappings.
Bill Toulas
2026.05.21
100% relevant
This article appears to be the first tracked report of the coordinated seizure of First VPN infrastructure and the identification of its users.
2026.05.20
98% relevant
This article covers the same Europol-led takedown of First VPN, adding details that the operation occurred May 19-20, involved France, the Netherlands and Ukraine, dismantled 33 servers, and yielded a user database exposing thousands of users tied to ransomware, fraud, and data-theft investigations.
← Back to all stories