Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and d...

Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks.

Codenamed Operation Saffron, the disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December 2021, including Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.

First VPN, per Europol, offered services designed specifically for criminal use, allowing anonymous payments and a hidden infrastructure that enabled paying customers to hide their identities when carrying out ransomware attacks, large-scale fraud, and data theft. It was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as a tool to evade law enforcement.

The international operation took place between May 19 and 20, during which authorities took a series of concurrent actions that involved interviewing the service's administrator, conducting a house search in Ukraine, taking down 33 servers, and seizing infrastructure used to support cybercriminal activity globally.

"First VPN's website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction," Eurojust said.

Europol also said First VPN's users have been notified of the shutdown and warned that their identities are now known to authorities. Bitdefender, which supported the investigation through Europol and shared information linked to 506 users, said disrupting anonymization services raises the cost of operation across the cybercriminal ecosystem.

"New anonymization services will appear. The economic demand hasn't changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions," the Romanian cybersecurity company said. "First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement's reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists."

In a coordinated flash alert, the U.S. Federal Bureau of Investigation (FBI) said the service has been active since about 2014, providing 32 exit node servers in 27 countries. Three of the exit nodes were located in the U.S. -

Other exit nodes were located in Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the U.K.

No less than 25 ransomware groups, such as Avaddon Ransomware, are said to have used First VPN infrastructure to perform network reconnaissance and intrusions. The subscription duration ranged anywhere from one day to one year. Based on the subscription plan, they cost between $2 for a single day and $483 for a whole year. It accepted payments through Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKass.

Read original source