Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origin of ransomware attacks, data theft, scanning, and denial-of-service attacks.
The First VPN service disruption was led by France and the Netherlands, with several other countries supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the UK, Canada, Germany, the US, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
According to Europol, First VPN offered a service specifically designed for criminal use, allowing anonymous payments and providing a hidden infrastructure that enabled paying customers to conceal their identities while carrying out ransomware attacks, large-scale fraud and data theft. It was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is, and was marketed as a tool to avoid law enforcement.
The international operation took place between May 19 and 20, during which authorities took several concurrent actions, including interviewing the service’s administrator, conducting a home search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.
The names of the seized domains are listed below –
- 1vpns[.]com
- 1vpns[.]net
- 1vpns[.]org
- Related onion domains operating on the Tor network
Eurojust said, “The website of the First VPN promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authorities, that it would not store data, and that the service would not be subject to any jurisdiction.”
In a coordinated flash alert, the US Federal Bureau of Investigation (FBI) said the service has been active since approximately 2014, providing 32 exit node servers in 27 countries. Three exit nodes were located in the US –
- 2.223.66[.]103
- 5.181.234[.]59
- 92.38.148[.]58
Other exit nodes were located in Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the UK.
At least 25 ransomware groups, such as Avaddon, are said to have used First VPN infrastructure to conduct network reconnaissance and infiltration. Subscriptions ran from one day to one year and, depending on the plan, cost between $2 for a day and $483 for an entire year. The service accepted payments via Bitcoin, Perfect Money, WebMoney, eGoPay and Intercash.
“The First VPN service offered multiple connection protocols, including OpenConnect, WireGuard, Outline, and Vless TCP Reality, and multiple encryption options, including OpenVPN ECC, L2TP/IPsec, and PPTP,” the FBI said.
“Technical support was also provided to users through a self-hosted Jabber server and the Telegram encrypted messaging service. Of the VPN protocol options, the First VPN service offered ‘VLESS’ and ‘Reality’, which provide the ability to disguise VPN Internet traffic as HTTPS traffic on ports typically used to connect to websites.”
According to a snapshot captured on the Internet Archive, First VPN said it offered “anonymity, stability, security,” adding, “We do not store any logs that would allow us or third parties to associate an IP address with a user of our service over a specific period of time.”
It also stated, “The only data we store is e-mail and username, but it is impossible to link a user’s activity on the Internet to a specific user of our service.”
As a way to avoid liability, First VPN also mentioned in its FAQ that it “strictly” prohibited the use of its servers for illegal activities. “This makes it easier to receive complaints about our servers and, as a result, they will be disabled,” read the FAQ.