In a significant coordinated operation led by French and Dutch authorities, with support from international partners across Europe and North America, the criminal VPN infrastructure known as "First VPN Service" has been dismantled. This service was not merely a privacy tool; it was a specialized "bulletproof" hosting provider explicitly marketed to facilitate cybercrime.
Investigations reveal that at least 25 distinct cybercrime groups leveraged this infrastructure to obfuscate the origins of their attacks. The takedown disrupts a critical operational security (OpSec) layer for threat actors engaged in ransomware deployment, data theft, network scanning, and denial-of-service (DoS) attacks. For defenders, this is a unique opportunity: the collapse of this infrastructure creates a window of visibility. If your environment was communicating with First VPN Service nodes, you were likely targeted, compromised, or used as a pivot point. Immediate action is required to identify and remediate this exposure.
Technical Analysis
Affected Infrastructure: First VPN Service (Global IP ranges associated with their exit nodes).
Threat Actors: 25+ distinct cybercrime groups, including ransomware operators and botnet herders.
Attack Chain & Utility:
- Origination Obfuscation: Attackers routed malicious traffic through First VPN Service to mask their true IP addresses, bypassing geo-blocking and basic IP-reputation filters.
- Scanning & Reconnaissance: The high-bandwidth, low-logging nature of the service made it ideal for mass vulnerability scanning without immediate attribution.
- C2 & Exfiltration: Some groups utilized the VPN tunnels as a command-and-control (C2) channel or for exfiltrating stolen data, blending in with "legitimate" VPN traffic.
Exploitation Status: The infrastructure was actively used in the wild for encryption-based incidents (ransomware) and data theft. While the service is now dismantled, historical logs must be checked for prior compromise.
Detection & Response
The following detection mechanisms are designed to identify historical or residual connections to the First VPN Service infrastructure. Note that specific IP lists are usually released via Europol or national CSIRTs (e.g., ANSSI in France) during the takedown. The rules below use the service name as a primary identifier and placeholder IPs; update the DestinationIp lists with the official IOCs once published.
SIGMA Rules
---
title: Potential Connection to First VPN Service Infrastructure
id: 8a4d2e10-6b3f-4c9d-8e1f-9a2b3c4d5e6f
status: experimental
description: Detects outbound network connections to IP ranges or domains associated with the dismantled First VPN Service. Update the 'destination_ip' list with official IOCs from the takedown notice.
references:
- https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'firstvpn-service'
- 'first-vpn.net'
- 'firstvpn.org'
# Uncomment below and add specific IOCs from the official police report
# DestinationIp|startswith:
# - '198.51.100.'
condition: selection
falsepositives:
- Legitimate VPN usage (if naming conventions overlap)
level: high
---
title: Process Execution with First VPN Service Artifacts
id: 9b5e3f21-7c4g-5d0e-9f2g-0b3c4d5e6f7g
status: experimental
description: Detects execution of known First VPN Service client binaries or configuration files on endpoints.
references:
- https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html
author: Security Arsenal
date: 2026/05/15
tags:
- attack.defense_evasion
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'FirstVPN'
- 'firstvpn-service'
Image|endswith:
- '\firstvpn.exe'
- '\openvpn.exe' # If specific wrapper is unknown, flag common utils used in suspect paths
ParentImage|contains:
- 'FirstVPN'
condition: selection
falsepositives:
- Authorized corporate VPN usage if naming matches
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for DNS requests or network connections associated with the infrastructure.
// Hunt for connections to First VPN Service infrastructure
// Update the IOC list below with specific IPs from the takedown report
let FirstVPN_Domains = dynamic(['firstvpn-service.com', 'firstvpn.net', 'firstvpn.org']);
let FirstVPN_IPs = dynamic([]); // Populate with released CIDR blocks
DeviceNetworkEvents
| where (RemoteUrl has_any (FirstVPN_Domains) or RemoteIP has_any (FirstVPN_IPs))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
Velociraptor VQL
-- Hunt for network connections or artifacts related to First VPN Service
SELECT Name, Pid, RemoteAddress, RemotePort, State, StartTime
FROM netstat()
WHERE RemoteAddress =~ 'firstvpn-service'
OR RemoteAddress IN ('198.51.100.0/24') // Replace with actual IOCs
OR Name =~ 'FirstVPN'
Remediation Script (PowerShell)
This script blocks the identified domains and IPs via the Windows Firewall. Ensure you update the $BlockedIPs and $BlockedDomains variables with the official list from the authorities.
# Block First VPN Service Infrastructure
# Requires Administrator privileges
# Define IOCs - UPDATE THESE WITH OFFICIAL LIST FROM AUTHORITIES
$BlockedIPs = @("198.51.100.0/24")
$BlockedDomains = @("*.firstvpn-service.com", "*.firstvpn.net")
$RuleName = "Block First VPN Service Infrastructure"
# Remove existing rule if present to avoid duplicates
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
Remove-NetFirewallRule -DisplayName $RuleName
}
# Create new firewall rule for IPs
New-NetFirewallRule -DisplayName $RuleName `
-Direction Outbound `
-Action Block `
-RemoteAddress $BlockedIPs `
-Profile Any `
-Description "Block outbound traffic to dismantled First VPN Service infrastructure."
Write-Host "Firewall rule '$RuleName' created/updated for IP addresses." -ForegroundColor Cyan
# Note: Blocking domains via Windows Firewall requires enabling "Block rule" on "Windows Defender Firewall with Advanced Security"
# and typically requires creating specific connection security rules or using hosts file/DNS sinkhole for domain blocking.
# The following adds entries to the hosts file to sinkhole domains to 127.0.0.1
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
foreach ($Domain in $BlockedDomains) {
$Entry = "127.0.0.1 `t $Domain"
if (Select-String -Path $HostsPath -Pattern $Domain -Quiet) {
Write-Host "Entry for $Domain already exists in hosts file." -ForegroundColor Yellow
} else {
Add-Content -Path $HostsPath -Value $Entry
Write-Host "Added $Entry to hosts file." -ForegroundColor Green
}
}
Remediation
- Obtain Official IOCs: Visit the websites of the Dutch Public Prosecution Service (OM), the French Gendarmerie, or Europol to download the complete list of IP addresses and domain names seized during the "First VPN Service" takedown.
- Block Infrastructure: Immediately block all associated IP ranges and domains at your network perimeter (firewalls, secure web gateways) and on endpoints (EDR policies, host firewalls).
- Log Retrospective: Search your SIEM and firewall logs for the past 12 months for any connections to these IOCs. Prioritize internal IPs that made connections to these nodes for forensic investigation.
- Assess Compromise: If connections are detected, treat the associated host as potentially compromised. Initiate a threat hunt process to identify lateral movement, data exfiltration, or persistence mechanisms introduced by the threat actor.
- Review VPN Policy: Re-evaluate your organization's acceptable use policy regarding personal VPNs. Block unauthorized VPN client executates using application control (AppLocker) to prevent future use of similar illicit services.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.