HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

International Law Enforcement Seizes “First VPN” Service Used by Ransomware Actors, Exposing 506 Users

Europol‑coordinated takedown of the “First VPN” service removed a critical privacy‑focused VPN used by ransomware groups, seized 33 servers, arrested the admin, and disclosed a database of 506 identified users, creating immediate third‑party risk for organizations relying on similar services.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

International Law Enforcement Seizes “First VPN” Service Used by Ransomware Actors, Exposing 506 Users

What Happened — A joint Europol‑led operation seized 33 servers of the “First VPN” service across 27 countries, arrested its administrator in Ukraine, and collected the full user database. The VPN had been advertised on cyber‑crime forums as a “no‑logs” service and was repeatedly used to hide the infrastructure of ransomware and data‑theft campaigns.

Why It Matters for TPRM

  • Threat‑actor reliance on third‑party VPNs creates hidden attack infrastructure that can bypass traditional perimeter controls.
  • The seizure provides actionable intelligence (506 identified users, 83 intelligence packages) that can be leveraged to assess downstream risk to your own supply chain.
  • Exposure of the VPN’s user database may lead to credential reuse attacks against legitimate customers of the service.

Who Is Affected

  • Technology/SaaS vendors offering remote‑access or cloud services.
  • Organizations that allow VPN‑based remote work without strict endpoint verification.
  • Any third‑party that integrates with services hosted behind the seized VPN infrastructure.

Recommended Actions

  • Review any contracts or reliance on “First VPN” or similar privacy‑focused VPN providers.
  • Verify that remote‑access solutions enforce strong MFA and device posture checks, regardless of VPN use.
  • Incorporate the disclosed user list into threat‑intel feeds and monitor for credential‑stuffing or phishing attempts.
  • Update incident‑response playbooks to include “VPN‑based infrastructure compromise” scenarios.

Technical Notes — The operation targeted a VPN service that claimed a no‑logs policy, effectively providing a “trusted‑third‑party” hide‑layer for ransomware C2 traffic. No specific CVEs were involved; the attack vector was the third‑party dependency of the VPN itself. Data types seized include user account credentials, connection logs, and payment records. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/police-seize-first-vpn-service-used-in-ransomware-data-theft-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →