FBI Warns ‘First VPN Service’ Used by Ransomware Gangs for Cyberattacks

The FBI issued an alert on May 21, warning consumers that a virtual private network (VPN) provider called “First VPN Service” was being used by malicious actors to carry out hacking attacks

“The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions. First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking,” the May 21 FBI alert reads.

About 75 million Americans use a VPN service, according to a June 2025 survey from Security.org. Since 2023, the share of Americans using VPNs has declined to 32 percent from 46 percent.

“First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband,” the alert reads.

The service used the domains 1vpns.com, 1vpns.org, and 1vpns.net. It hosted a server at 1jabber.com, an open source instant messaging platform. The FBI clarified that the alert does not apply to other VPN providers that may have names similar to First VPN Service.

Threat actors use services such as First VPN Service to route traffic via intermediary systems, which enables them to evade detection by masking the actual origin of malicious activity, the alert states.

Hackers use VPN infrastructure to access victims’ network systems, often using valid accounts to carry out follow-on operations. First VPN Service infrastructure has been linked to denial-of-service activity, which allows malicious actors to disrupt the services of their targets.

The alert was issued following an international joint law enforcement operation backed by the FBI that took down First VPN Service. The operation was led by France and the Netherlands, supported by the UK, Ukraine, Luxembourg, and Switzerland.

In a May 21 statement, the European Union Agency for Law Enforcement Cooperation (Europol) confirmed the takedown of First VPN Service, which it stated was used by cybercriminals to carry out data thefts, large-scale fraud, ransomware attacks, and other serious offenses. The service has appeared in “almost every major cybercrime investigation” that has been supported by Europol over the recent years, the agency stated.

“For years, cybercriminals saw this VPN service as a gateway to anonymity,” said Edvardas Sileris, head of Europol’s European Cybercrime Center. “They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong.

“Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.”

The coordinated action took place between May 19 and May 20 and included interviewing the administrator, searching a house in Ukraine, and dismantling 33 servers linked to the service.

1vpns.com, 1vpns.org, 1vpns.net, and other associated domains have been shut down.

Thousands of users linked to cybercrime activity have been identified by authorities. Investigators from various jurisdictions are now using the gathered intelligence in ongoing cybercrime probes globally, Europol said.

VPN and Privacy

In the United States, a group of lawmakers sent a letter to Director of National Intelligence Tulsi Gabbard in March, asking that Americans be warned about how their use of commercial VPNs can affect their constitutional rights, according to a March 26 statement from the office of Sen. Ron Wyden (D-Ore.).

U.S. surveillance law clarifies that when the country of a VPN user is not known, the government can assume the person to be a foreigner. Since the Fourth Amendment protections do not apply to non-Americans outside the United States, U.S. citizens who use VPNs that hide the country where users are located could end up being subject to surveillance.

Americans should be told “if these VPN services, which are advertised as a privacy protection, including by elements of the federal government, could, in fact, negatively impact their rights against U.S. government surveillance,” the lawmakers wrote in the March 26 letter.

“To that end, we urge you to be more transparent with the American public about whether the use of VPNs can impact their privacy with regard to U.S. government surveillance, and clarify what, if anything, American consumers can do to ensure they receive the privacy protections they are entitled to under the law and Constitution,” they wrote.

VPNs are typically used by people in countries with internet censorship, such as China, where citizens use these services to access local and international news and other information deemed sensitive by the Chinese Communist Party (CCP). These include human rights abuses in China, corruption within the CCP, and unfolding large-scale protests.

China has taken various measures to control VPN usage in the country. For instance, in March, it unveiled a new tech patent that enabled the regime to identify whether a device is using a VPN.

The same month, the CCP also intensified a nationwide crackdown against VPNs and other similar tech tools.

In an article published by Taiwan’s Institute of National Defense and Security Research, policy analyst Tseng Min-chen said Beijing’s stringent internet controls are driven by its concerns over information flow amid rising social pressure and economic strain in the country.