
First VPN Service Dismantled in Global Operation After Use by 25 Ransomware Groups

Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to hide the origin of ransomware attacks, data theft, scanning, and denial-of-service attacks.

The disruption of the First VPN service was led by France and the Netherlands, with several other countries supporting the investigation as of December 2021: Luxembourg, Romania, Switzerland, Ukraine, the UK, Canada, Germany, the US, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.

First VPN, according to Europol, offered services designed specifically for criminal use: anonymous payments and a hidden infrastructure that let paying customers conceal their identity while carrying out ransomware attacks, serious fraud, and data theft. It was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as a tool for evading law enforcement.

The international operation took place on May 19 and 20, when the authorities carried out a series of parallel actions: questioning the service's administrator, searching a house in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercrime activity around the world.

The seized domain names are listed below:

  • 1vpns[.]com
  • 1vpns[.]net
  • 1vpns[.]org
  • Onion-related domains running on the Tor network

“The First VPN website promoted itself with an emphasis on anonymity, promising its users that it would not cooperate with any law enforcement authority, that it would not store data, and that the service would not be subject to any jurisdiction,” Eurojust said.

In a joint flash alert, the US Federal Bureau of Investigation (FBI) said the service had been operating since around 2014 and provided 32 exit servers in 27 countries. Three of the exit servers were located in the US:

  • 2.223.66[.]103
  • 5.181.234[.]59
  • 92.38.148[.]58

Other exit server locations were Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the UK.
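For defenders, the practical value of the alert is the indicator list above. The following is an added Python example (not code from the page, the FBI, or Europol) that refangs the three US exit-server IPs and the three seized domains as printed on this page and matches them against firewall and DNS log lines. The log format and the sample lines are constructed for illustration; the matching treats any subdomain of a seized domain as a hit, since hosts such as mail or vpn subdomains would resolve under the same zone.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the FBI flash alert as printed on this page (defanged).
FIRST_VPN_EXIT_IPS = {"2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"}
FIRST_VPN_DOMAINS = {"1vpns[.]com", "1vpns[.]net", "1vpns[.]org"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1vpns[.]com') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


EXIT_IPS = {ipaddress.ip_address(refang(i)) for i in FIRST_VPN_EXIT_IPS}
DOMAINS = {refang(d) for d in FIRST_VPN_DOMAINS}


@dataclass
class Hit:
    line_no: int
    indicator: str
    kind: str  # "exit_ip" or "domain"


# Constructed sample log lines in a hypothetical key=value format (not from the page).
SAMPLE_LOGS = """\
2024-05-20T08:01:12Z fw ACCEPT src=203.0.113.7 dst=198.51.100.10 dport=443
2024-05-20T08:02:45Z fw ACCEPT src=5.181.234.59 dst=198.51.100.10 dport=22
2024-05-20T08:03:10Z dns query=www.example.com client=10.0.0.5
2024-05-20T08:04:33Z dns query=1vpns.net client=10.0.0.9
2024-05-20T08:05:02Z fw ACCEPT src=92.38.148.58 dst=198.51.100.25 dport=3389
2024-05-20T08:06:40Z dns query=mail.1vpns.com client=10.0.0.12
"""

IP_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
DNS_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)\b")


def domain_matches(name: str) -> Optional[str]:
    """Return the seized domain that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan(log_text: str) -> List[Hit]:
    """Scan log lines for source IPs in the exit-server set or DNS queries for seized domains."""
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = IP_RE.search(line)
        if m:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:  # malformed octet such as 999.1.1.1
                ip = None
            if ip in EXIT_IPS:
                hits.append(Hit(n, str(ip), "exit_ip"))
        m = DNS_RE.search(line)
        if m:
            d = domain_matches(m.group(1))
            if d:
                hits.append(Hit(n, d, "domain"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator}")
```

Run against the sample, the scan reports two inbound connections from listed exit servers and two DNS lookups under seized domains. In a real deployment the same indicator sets would be loaded from a threat-intelligence feed rather than hard-coded, and exit-IP hits on remote-access ports (22, 3389) deserve a closer look than hits on public web ports, since the alert describes the service as a layer attackers used to hide the origin of scanning and intrusion.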

No fewer than 25 ransomware groups, including the Avaddon ransomware operation, are said to have used First VPN's infrastructure for network reconnaissance and intrusion. Subscriptions ranged from one day to one year and, depending on the plan, cost between $2 for one day and $483 for a year. Payment was accepted via Bitcoin, Perfect Money, WebMoney, EgoPay, and Interkassa.

“The First VPN service offered several connection protocols, including OpenConnect, WireGuard, Outline, and VLESS TCP Reality, and multiple encryption options including OpenVPN ECC, L2TP/IPsec, and PPTP,” the FBI said.

“Technical support was also provided to users through a self-hosted Jabber server and Telegram encrypted messaging service. Among the VPN protocol options, First VPN Service offered ‘VLESS’ and ‘Reality’ which provide the ability to mask VPN internet traffic as HTTPS traffic over ports commonly used to connect to websites.”

According to snapshots captured by the Internet Archive, First VPN advertised “Anonymity, Stability, Security,” stating: “We do not keep any logs that would allow us or third parties to associate an IP address at a particular time with a user of our service.”

“The only data we store is the user’s email and name, but it is not possible to connect a user’s online activity with a specific user of our service,” it added.

To deflect liability, First VPN also noted in its FAQ that it “strictly prohibits” the use of its servers for illegal activities. “This facilitates the detection of complaints about our servers, and as a result, they will be disabled,” the FAQ reads.
