The scanning activity observed from First VPN IP addresses was “consistent with adversary efforts to identify open ports, services, and network configurations,” the FBI said. The agency said that “VPN infrastructure may be used to enumerate systems within a target network following initial access,” and that “VPN exit nodes can facilitate password spraying or brute force attempts against exposed services such as SSH, RDP, or web applications.”
Users “informed that they have been identified”
Europol said the operation against First VPN produced 83 “intelligence packages,” resulted in information on 506 users being shared internationally, and helped advance 21 Europol-supported investigations so far. “With the infrastructure dismantled and the administrator under arrest, investigators across multiple jurisdictions are now using the intelligence gathered to support ongoing cybercrime investigations worldwide,” Europol said.
After the yearslong investigation, authorities took down the VPN in a series of actions on May 19 and May 20. Authorities “interviewed the administrator and conducted a house search in Ukraine” and “dismantled 33 servers linked to the criminal service,” Europol said.
Europol said the domain seizures were authorized by judicial orders and targeted 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains. “Users of the criminal service have been notified of the shutdown and informed that they have been identified,” Europol added.
While the investigation began in December 2021, it moved into a new phase in November 2023. Support from Eurojust helped French and Dutch authorities “work closely together, exchange evidence and information, and decide on a prosecutorial strategy. Eurojust hosted 16 coordination meetings among the involved authorities to prepare for the joint action day taking place this week, underscoring the need for complex judicial cooperation,” Europol said.
The direct actions on May 19 and May 20 were carried out by authorities from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the UK. There were various levels of support from Canada, Germany, the US, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. Europol said it set up a task force that brought together investigators from different countries “to analyze the seized data and coordinate intelligence sharing with international partners.”