Europol led a multinational effort to dismantle the First VPN service, seizing domains and arresting its Ukrainian operator. The operation, spanning May 19-20, involved authorities from seven countries and disrupted a platform used by criminals to evade detection. Over 506 users were identified through 83 intelligence packages, and the infrastructure’s collapse now aids 21 ongoing cybercrime investigations. Europol emphasized that the shutdown “demonstrates how coordinated efforts can dismantle tools enabling global cybercrime.”

The investigation, spanning three years, saw France and the Netherlands play central roles, coordinating via 16 Eurojust-hosted meetings to align strategies. Authorities dismantled 33 servers linked to the service and seized domains like 1vpns.com and associated onion addresses. While users were notified of the shutdown, the operation highlights how VPNs are increasingly targeted by law enforcement to intercept cybercriminal activities. The dismantling of infrastructure also removes a layer of anonymity for threat actors relying on such services.

The scale of this takedown underscores a growing trend: law enforcement is treating VPNs as critical nodes in cybercrime ecosystems. By seizing domains and arresting operators, agencies like Europol are not only punishing perpetrators but also dismantling frameworks that enable activities like password spraying or brute-force attacks on exposed systems. This case illustrates how international collaboration—spanning Canada, Germany, and beyond—can turn the tide against organized cybercrime. The 21 investigations now benefiting from this operation suggest a paradigm shift in how authorities preemptively neutralize digital threats before they scale.