What Happened

On May 21, 2026, an international law enforcement coalition dismantled a criminal VPN infrastructure called First VPN Service — and the FBI made it official with FLASH advisory FLASH-20260521-001.

This wasn't a small operation. According to TechCrunch, dozens of servers across 27 countries were taken offline, the service's administrator was arrested, and Europol confirmed the takedown exposed thousands of users tied to the global cybercrime ecosystem.

Thousands of users were identified.

What First VPN Actually Was

First VPN wasn't your average consumer privacy tool. The FBI confirmed it has been active since approximately 2014 and ran 32 exit node servers across 27 countries, according to The Realist Juggernaut's breakdown of the FBI FLASH document.

It was almost exclusively marketed on criminal dark web forums — specifically Exploit.in and XSS.is, which the FBI described as prominent Russian-language platforms used to buy and sell stolen data, hacking tools, unauthorized access credentials, and contraband.

The service's own sales pitch said it all. TechCrunch obtained a forum post where First VPN promised: "We are for anonymity. We do not store any logs that would allow us or third parties to link an IP address in a specific period of time with a user of our service."

That promise turned out to be worthless. Europol got the user database anyway.

The Scale of the Damage

The FBI identified at least 25 ransomware groups that used First VPN, including Avaddon ransomware — a gang known for attacking hospitals, manufacturers, and government agencies across the U.S. and Europe.

Beyond ransomware, First VPN's IP addresses were used for scanning activity, running botnets, launching denial-of-service attacks, and executing scams, according to the FBI alert cited by The Epoch Times.

The Realist Juggernaut's technical breakdown adds important detail most outlets skipped: First VPN was disguising its traffic using VLESS and Reality protocols camouflaged as HTTPS — a sophisticated technique designed to slip past enterprise firewalls and security monitoring tools. Attackers were using it to brute-force SSH, RDP, and web applications to break into corporate networks.

The operation revealed organized, professional criminal infrastructure.

Who Actually Did the Work

The boots on the ground were primarily France and the Netherlands.

According to The Realist Juggernaut's sourcing of the FBI FLASH, the operation was led by France's Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité and the Dutch National Police National High Tech Crime Unit — with support from Ukraine, the United Kingdom, Switzerland, and Luxembourg. The FBI assisted.

Europol coordinated. The investigation launched in December 2021 — nearly four and a half years before the takedown.

During that window, ransomware attacks continued while investigators built the case.

What Media Is Getting Wrong

The Epoch Times headline framed this as an "FBI Warns" story — which misses the bigger news entirely. This wasn't just a warning. It was an active multinational bust with an arrest, server seizures, and criminal exposure of thousands of users.

TechCrunch did better on the operational details but buried the technical specifics — the VLESS/Reality traffic obfuscation, the specific attack vectors (SSH, RDP, cloud services) — that matter to anyone who runs IT infrastructure and needs to update their defenses immediately.

Neither outlet focused enough on the four-year investigation timeline. Twenty-five ransomware gangs operated for years while a complex international legal process advanced. Businesses paid ransoms. Data got stolen. Hospitals got hit.

The extended timeline to shut down one known criminal service raises questions about how quickly Western law enforcement can respond to organized cybercrime.

What the FBI Wants You to Do About It

The FBI was specific. Per the FLASH advisory, organizations should review their exposure across external remote services — SSH, RDP, VPN endpoints, cloud applications, and remote management interfaces. First VPN's IP addresses are now published as indicators of compromise. If those IPs show up in your logs, you have a problem that predates this takedown.

The FBI also made a point of clarifying: this advisory applies solely to First VPN Service and NOT to other VPN providers with similar naming. That's an important distinction to avoid a panic.

The Takeaway

One criminal VPN service got taken down. Its administrator is in custody. Thousands of cybercriminals just got a notification telling them they've been identified.

But 25 ransomware gangs used this infrastructure. They didn't disappear when the servers did. They'll find new infrastructure, new anonymization tools, new ways to hide.

The ransomware economy is a multi-billion dollar criminal industry largely operating out of Russia and Russian-adjacent territory. Taking down one VPN provider is a win, but it represents a fraction of the larger criminal ecosystem.

The four-year timeline to shut down one known criminal service underscores the gap between the pace of criminal innovation and the speed of international law enforcement response.