Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks.
Codenamed Operation Saffron, the disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
First VPN, per Europol, offered services designed specifically for criminal use, allowing anonymous payments and a hidden infrastructure that enabled paying customers to hide their identities when carrying out ransomware attacks, large-scale fraud, and data theft. It was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as a tool to evade law enforcement.
The international operation took place between May 19 and 20, during which authorities took a series of concurrent actions that involved interviewing the service’s administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.
The names of confiscated domains are listed below –
- 1vpns[.]com
- 1vpns[.]net
- 1vpns[.]org
- Related onion domains operating on the Tor network
“First VPN’s website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction,” Eurojust said.
Europol also said First VPN’s users have been notified of the shutdown and warned that their identities are now known to authorities. Bitdefender, which supported the investigation through Europol and shared information linked to 506 users, said disrupting anonymization services raises the cost of operation across the cybercriminal ecosystem.
“New anonymization services will appear. The economic demand hasn’t changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions,” the Romanian cybersecurity company said. “First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement’s reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists.”
In a coordinated flash alert, the U.S. Federal Bureau of Investigation (FBI) said the service has been active since about 2014, providing 32 exit node servers in 27 countries. Three of the exit nodes were located in the U.S. –
- 2.223.66[.]103
- 5.181.234[.]59
- 92.38.148[.]58
Other exit nodes were located in Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the U.K.
No less than 25 ransomware groups, such as Avaddon Ransomware, are said to have used First VPN infrastructure to perform network reconnaissance and intrusions. The subscription duration ranged anywhere from one day to one year. Based on the subscription plan, they cost between $2 for a single day and $483 for a whole year. It accepted payments through Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKass.
“First VPN Service offered several connection protocols, including OpenConnect, WireGuard, Outline, and VLess TCP Reality, and multiple encryption options including OpenVPN ECC, L2TP/IPSec, and PPtP,” the FBI said.
“Technical support was also offered to users via a self-hosted Jabber server and Telegram encrypted messaging service. Among the VPN protocol options, First VPN Service offered ‘VLESS’ and ‘Reality’ which provides the ability to disguise VPN Internet traffic as HTTPS traffic over ports which are commonly used to connect to websites.”
According to snapshots captured on the Internet Archive, First VPN offered “Anonymity, Stability, Security,” stating “We do not store any logs that would allow us or third parties to associate an IP address in a specific period of time with the user of our service.”
“The only data we store is e-mail and username, but it’s impossible to connect the user’s activity on the Internet with a specific user of our service,” it added.
As a way to escape liability, First VPN also noted in its FAQ that it “strictly” prohibited the use of its servers for illicit activities. “This facilitates the receipt of complaints about our servers, and as a result, they will be disabled,” read the FAQ.
