FBI confirms 25 ransomware groups using First VPN’s now seized services — here’s what we know

https://www.techradar.com/vpn/vpn-privacy-security/fbi-confirms-25-ransomware-groups-using-first-vpns-now-seized-services-heres-what-we-know

Publish Date: 2026-05-29 10:18:00

Source Domain: www.techradar.com

  • The FBI identified 25 hacking groups linked to First VPN’s illegal activities
  • Avaddon Ransomware was included on the list
  • The FBI recommends stricter controls

At least 25 ransomware groups were actively using First VPN Service IP addresses for criminal purposes at the time the service was dismantled in a coordinated international operation led by European law enforcement, the Federal Bureau of Investigation (FBI) has confirmed.

Last week, 33 servers belonging to the free VPN service were taken offline, and its European domain was seized as part of “Operation Saffron,” jointly led by European law enforcement agencies Europol and Eurojust.

In a report, the US intelligence agency detailed how First VPN facilitated cybercrime, with hackers using its service to carry out criminal web activity, including scams, botnets, and scanning. Among the 25 names listed is Avaddon Ransomware, a malware group that targeted various business sectors, notably striking the insurance giant AXA in 2021.


Operation Saffron was launched in December 2021 and culminated in May. Its success proved that, thanks to the monumental efforts of law enforcement agencies to tackle illegal activities, we can continue to enjoy the real benefits of the privacy that the best VPNs can offer.

Investigators managed to obtain the platform’s user database and have already identified 506 specific users. The data gathered has already proved useful in 21 ongoing Europol cybercrime investigations, and we can only expect more to emerge soon.

How cybercriminals used First VPN

According to the FBI report, the VPN explicitly targeted cybercriminals by advertising directly in their circles on the dark web, including Russian-language online forums — Exploit[.]in and XSS[.]is — where cybercriminals trade stolen data and hacking tools.

There, the First VPN explicitly offered a secure environment for unlawful…
