FBI confirms 25 ransomware groups using First VPN’s now seized services — here’s what we know
A joint operation led by Europol and Eurojust took down all First VPN domains last week
- The FBI identified 25 hacking groups linked to First VPN's illegal activities
- Avaddon Ransomware was included on the list
- The FBI recommends stricter controls
At least 25 ransomware groups were actively using First VPN's infrastructure for criminal purposes at the time it was dismantled in a coordinated international operation led by European law enforcement agencies, the Federal Bureau of Investigation (FBI) has confirmed.
Last week, 33 servers belonging to the free VPN service were taken offline, and its European domain was seized as part of "Operation Saffron," jointly led by European law enforcement agencies Europol and Eurojust.
In a report, the US intelligence agency detailed how First VPN facilitated cybercrime, with hackers using its service to carry out criminal web activity, including scams, botnets, and scanning. Among the 25 names listed is Avaddon Ransomware, a malware group that targeted various business sectors, notably striking the insurance giant AXA in 2021.
Launched in December 2021 and culminating in May, the success of Operation Saffron proved that, thanks to the monumental efforts of law enforcement agencies to tackle illegal activities, we can continue to enjoy the real benefits of the privacy that the best VPNs can offer.
Investigators managed to obtain the platform's user database and have already identified 506 specific users, with the data gathered already proving useful in 21 Europol ongoing cybercrime investigations — and we can only expect more to emerge soon.
How cybercriminals used First VPN
According to the FBI report, the VPN explicitly targeted cybercriminals by advertising directly in their circles on the dark web, including Russian-language online forums — Exploit[.]in and XSS[.]is — where cybercriminals trade stolen data and hacking tools.
There, First VPN explicitly marketed itself as a safe environment for unlawful acts, promising no-log policies, circumvention of jurisdiction, and a refusal to cooperate with the authorities.
Specifically, users could use cryptocurrencies to purchase subscription services offering varying degrees of digital anonymity for periods ranging from one day to one year. To maximise user anonymity, First VPN provided 32 services spread across 27 countries from which users could select up to four 'nodes'.
The service even had its own technical support for criminals via Telegram and a self-hosted Jabber server.
As the malicious infrastructure was hosted in the cloud or virtualised, the IP addresses used for the ransomware were randomly reassigned to legitimate services, making it harder for investigating authorities to trace the source of the criminal activity.
Using techniques such as ‘password spraying’ and brute-force attacks, hackers guessed passwords to gain access to their victims’ environments, such as corporate desktops and apps, from where they were able to scan the networks to identify the devices, servers, and users connected to them.
By routing their attacks through the First VPN’s available exit nodes, their attacks appeared to originate from a legitimate and trustworthy source.
Cybercriminals also exploited the infrastructure to launch distributed denial-of-service (DDoS) attacks, flooding victims’ networks with traffic to overwhelm them and render their systems inoperable, a technique often used to distract from a more serious attack in progress.
How to be safe
The FBI has published detailed recommendations for organisations, calling for the implementation of multi-layered security controls, combined network restrictions, identity-based protections, and behavioural monitoring to prevent ransomware attacks, data breaches, and unauthorised network access.
It recommends blocking and monitoring First VPN’s infrastructure, and continuously monitoring for unauthorised VPN connections or IP addresses associated with anonymisation services.
Crucially, multi-factor authentication (MFA) should be implemented for all remote access services and cloud-based applications, and authentication attempts originating from unknown locations or IP addresses should be limited.
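As an added illustration of the monitoring advice above (this is example code, not from the FBI report or the article), the following Python screens an authentication log for two of the behaviours the article describes: logins arriving through known anonymisation exit nodes, and password spraying, where one source tries a few passwords against many accounts. The blocklist ranges and log lines are constructed placeholders; a real deployment would load the indicators published with the FBI report and read the organisation's own authentication logs.

```python
"""Screen authentication logs for logins via anonymiser exit nodes and for
password spraying. Added example: blocklist ranges and log lines are
constructed placeholders, not First VPN's real addresses."""
import ipaddress
from collections import defaultdict

# Constructed placeholder ranges standing in for an anonymiser/VPN exit-node
# feed (documentation prefixes only; not real First VPN infrastructure).
ANONYMISER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample log: "<timestamp> <username> <source ip> <OK|FAIL>".
SAMPLE_LOG = """\
2024-05-02T08:00:01Z alice 10.0.0.5 OK
2024-05-02T08:00:09Z alice 10.0.0.5 FAIL
2024-05-02T08:00:15Z alice 10.0.0.5 OK
2024-05-02T08:01:00Z alice 203.0.113.7 FAIL
2024-05-02T08:01:02Z bob 203.0.113.7 FAIL
2024-05-02T08:01:04Z carol 203.0.113.7 FAIL
2024-05-02T08:01:06Z dave 203.0.113.7 FAIL
2024-05-02T08:01:08Z erin 203.0.113.7 FAIL
2024-05-02T08:01:10Z frank 203.0.113.7 OK
2024-05-02T08:05:30Z grace 198.51.100.20 OK
"""


def parse_auth_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events


def is_anonymiser_ip(ip):
    """True if the source address falls inside any blocklisted exit-node range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMISER_RANGES)


def flag_anonymiser_logins(events):
    """Every event (successful or not) that came through a blocklisted range.
    Successful ones matter most: a valid credential used from an exit node."""
    return [e for e in events if is_anonymiser_ip(e["ip"])]


def detect_password_spray(events, min_users=5, min_failure_ratio=0.8):
    """Flag source IPs that tried many distinct accounts and mostly failed.
    A spray differs from classic brute force: few guesses per account across
    many accounts, so per-account lockout thresholds are never reached."""
    by_ip = defaultdict(lambda: {"users": set(), "failures": 0, "attempts": 0})
    for e in events:
        bucket = by_ip[e["ip"]]
        bucket["users"].add(e["user"])
        bucket["attempts"] += 1
        if e["result"] == "FAIL":
            bucket["failures"] += 1
    suspicious = {}
    for ip, b in by_ip.items():
        ratio = b["failures"] / b["attempts"]
        if len(b["users"]) >= min_users and ratio >= min_failure_ratio:
            suspicious[ip] = {
                "accounts_targeted": len(b["users"]),
                "failure_ratio": round(ratio, 2),
                # Accounts that succeeded from the spraying source need a reset.
                "compromised": sorted(e["user"] for e in events
                                      if e["ip"] == ip and e["result"] == "OK"),
            }
    return suspicious


def triage(text):
    """Run both checks and return a summary a responder could act on."""
    events = parse_auth_log(text)
    return {
        "anonymiser_events": len(flag_anonymiser_logins(events)),
        "anonymiser_successes": sorted({(e["user"], e["ip"]) for e in events
                                        if is_anonymiser_ip(e["ip"]) and e["result"] == "OK"}),
        "spray_sources": detect_password_spray(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed log this reports seven events through blocklisted ranges, two successful logins from exit nodes (frank and grace) that warrant a call to the account owners, and one spraying source that hit six accounts and got into one. Two caveats follow from the article itself: because exit-node addresses are reassigned to legitimate services, a blocklist match is a triage signal rather than proof and the feed must be refreshed regularly, and address-based detection only limits exposure, whereas MFA is what stops a successful spray from turning into access.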

Silvia Iacovcich is a tech journalist with over five years of experience in the field, including AI, cybersecurity, and fintech. She has written for various publications focusing on the evolving regulatory landscape of AI, digital behavior, web3, and blockchain, as well as social media privacy and security regulations.