bostonglobe.com via Reddit

First VPN Service Seized in FBI Operation Riptide

Key insights

  • First VPN Service ran servers in an estimated 27 countries since approximately 2014, allegedly aiding at least 25 ransomware groups including Avaddon Ransomware.
  • France's National Directorate of the Judicial Police and Dutch National Police led the takedown, with FBI Boston supporting since 2021.
  • Americans reported over $20 billion in cybercrime losses last year, a 26 percent increase year-over-year.

Why this matters

Ransomware groups relying on commercial VPN infrastructure to conduct hacking operations and mask their activities now face a documented law enforcement capability to dismantle those anonymizing channels at the infrastructure layer. Operation Riptide's multi-year coalition model, built since 2021 across France, the Netherlands, Ukraine, the UK, Switzerland, Luxembourg, and the FBI, establishes a repeatable framework for attacking shared criminal services rather than chasing individual actors. With Americans reporting over $20 billion in cybercrime losses last year, a 26 percent increase, AI and cloud enterprises have new evidence that infrastructure-level takedowns are achievable but require years of international coordination to execute.

Summary

Operation Riptide seized First VPN Service, dismantling an anonymizing tool used by at least 25 ransomware groups since approximately 2014. Servers spanned an estimated 27 countries, with U.S. nodes in California, Florida, and New York. Clients included Avaddon Ransomware; the service also backed botnets and denial-of-service attacks. Essentially:

  • FBI Boston, France's National Directorate of the Judicial Police, and Dutch National Police anchored a coalition active since 2021.
  • France and the Netherlands led; Ukraine, the UK, Switzerland, and Luxembourg also participated.
  • Americans reported over $20 billion in cybercrime losses last year, up 26 percent.
  • First VPN Service's website now shows a law enforcement seizure banner.

Targeting anonymizing infrastructure raises operational costs for every criminal group that relied on it.

Potential risks and opportunities

Risks

  • The at least 25 ransomware groups that relied on First VPN Service could migrate to alternative anonymizing networks within days, limiting the operational impact of the takedown.
  • If First VPN Service operators remain unidentified and at large, they could reconstitute under a new brand, since the seizure banner alone does not guarantee permanent service destruction.
  • Absence of announced arrests leaves open the possibility that operators moved assets before the action, weakening the deterrence signal for other criminal VPN providers.

Opportunities

  • Threat intelligence firms with visibility into ransomware group infrastructure can cross-reference First VPN Service's 27-country server footprint against known attack campaigns, expanding attribution product offerings.
  • Cybersecurity vendors specializing in anonymous network detection gain a reference case for selling enterprise tools that flag usage of criminal VPN services before they become attack vectors.
  • Operation Riptide's multi-country coalition structure validates demand for international legal consultants with mutual legal assistance treaty expertise, as the operation demonstrates that cross-border coordination is operationally necessary for infrastructure-level takedowns.

What we don't know yet

  • Whether any operators of First VPN Service were identified, arrested, or charged alongside the infrastructure seizure has not been reported.
  • How many of the at least 25 ransomware groups were actively using the service at the time of seizure versus historically since 2014 is unspecified.
  • Whether the three U.S. servers in California, Florida, and New York were physically seized or only identified as infrastructure nodes is unclear.