:

POLICE TAKE DOWN 'FIRST VPN' USED IN RANSOMWARE ATTACKS

SECURITY DESK2 MIN READ
THU, MAY 21, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

Law enforcement has seized the 'First VPN' service in an international operation. The platform was actively used by cybercriminals to conduct ransomware and data theft campaigns.

A virtual private network service called 'First VPN' has been taken offline following a coordinated international law enforcement action. The VPN provider facilitated ransomware attacks and data theft operations by masking the digital footprints of threat actors. The takedown involved multiple jurisdictions working together to disrupt the service's infrastructure. First VPN allowed attackers to anonymize their activities while penetrating networks, deploying ransomware, and exfiltrating sensitive data from victims across multiple sectors. Investigators identified the service as a key tool in numerous high-profile cyber incidents. By removing First VPN from operation, authorities aim to disrupt the attack chains used by criminal groups and raise the operational costs for conducting cyberattacks. The seizure is part of a broader effort by international law enforcement to target the infrastructure supporting cybercrime. Recent years have seen increased focus on disrupting VPN services, hosting providers, and communication platforms that enable illegal activity. Authorities did not disclose specific details about the investigation timeline or the number of victims affected by attacks routed through First VPN. However, the operation underscores the critical role VPN services play in cybercriminal operations. The takedown also highlights ongoing challenges in combating ransomware-as-a-service operations, which have proliferated across the dark web. Criminal groups continue adapting their tactics and infrastructure to evade law enforcement. Organizations are advised to review their security logs for indicators of compromise linked to First VPN traffic patterns. The seizure does not eliminate the broader threat landscape, as other VPN services and anonymization tools remain available to threat actors.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

4H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

4H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

7H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

9H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.