
Authorities in Europe and North America have announced the takedown of a criminal virtual private network (VPN) service used to hide the origin of ransomware attacks, data theft, network scanning, and denial-of-service attacks.
The disruption of the First VPN service was led by France and the Netherlands, with several other countries supporting the investigation since December 2021: Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
According to Europol, First VPN offered services designed specifically for criminal use: anonymous payments and a hidden infrastructure that allowed paying customers to conceal their identities while carrying out ransomware attacks, large-scale fraud, and data theft. It was advertised on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is as a tool for evading law enforcement.
The international operation took place on May 19 and 20, during which authorities carried out a series of parallel actions, including interviews with the service's administrators, raids in Ukraine, the suspension of 33 servers, and the seizure of infrastructure used to support cybercrime operations around the world.
The seized domains are:
1vpn[.]com
1vpns[.]net
1vpn[.]org
together with the associated onion domains running on the Tor network.
“First VPN’s website promoted itself by emphasizing anonymity and promised users that it would not cooperate with any law enforcement authorities, that it would not store data, and that its services would not be subject to any jurisdiction,” Eurojust said.
The U.S. Federal Bureau of Investigation (FBI) said in a coordinated bulletin that the service had been in operation since around 2014 and ran 32 exit-node servers in 27 countries. Three of the exit nodes were in the United States:
2.223.66[.]103
5.181.234[.]59
92.38.148[.]58
The other exit nodes were in Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the United Kingdom.
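The indicators above are published defanged (with "[.]" in place of "."), and the practical question for a defender is whether any of those exit nodes or seized domains show up in their own telemetry, since the service was used to launder the source of attacks. The following is an added example, not code from the article, Europol or the FBI: it refangs the listed IPs and domains, then scans constructed sample log lines (an Apache-style access log and a simple "timestamp client query" DNS log, both invented here) and reports matches, treating any subdomain of a seized domain as a hit. Only the three US exit nodes and three domains printed on the page are used; the remaining 29 exit-node addresses are not listed and are not guessed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators as published in the article, defanged with "[.]" so they are not clickable.
DEFANGED_IPS = ["2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"]
DEFANGED_DOMAINS = ["1vpn[.]com", "1vpns[.]net", "1vpn[.]org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a usable one: '1VPN[.]com' -> '1vpn.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed sample logs for demonstration (not real traffic and not from the article).
SAMPLE_ACCESS_LOG = """\
5.181.234.59 - - [19/May/2025:03:12:07 +0000] "GET /wp-login.php HTTP/1.1" 200 1432
203.0.113.10 - - [19/May/2025:03:12:09 +0000] "GET /index.html HTTP/1.1" 200 5120
92.38.148.58 - - [19/May/2025:03:15:41 +0000] "POST /xmlrpc.php HTTP/1.1" 403 211
"""
SAMPLE_DNS_LOG = """\
2025-05-19T03:10:00Z 10.0.0.7 www.1vpn.com
2025-05-19T03:10:05Z 10.0.0.7 example.org
2025-05-19T03:11:30Z 10.0.0.9 1vpns.net
"""


@dataclass
class Hit:
    source: str     # which log the match came from
    line_no: int    # 1-based line number within that log
    indicator: str  # the refanged indicator that matched


# Apache/nginx combined-format prefix: client IP, identity, user, [timestamp], "request", status
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def scan_access_log(text: str) -> List[Hit]:
    """Flag access-log lines whose client address is one of the known exit nodes."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if ip in IPS:
            hits.append(Hit("access", n, str(ip)))
    return hits


def domain_matches(qname: str) -> Optional[str]:
    """Return the seized domain that qname equals or is a subdomain of, else None."""
    q = qname.rstrip(".").lower()
    for d in DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None  # note: 'notreally1vpn.com' must NOT match '1vpn.com'


def scan_dns_log(text: str) -> List[Hit]:
    """Flag DNS queries for the seized domains (or any of their subdomains)."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue
        d = domain_matches(parts[2])
        if d:
            hits.append(Hit("dns", n, d))
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_ACCESS_LOG) + scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h.source} line {h.line_no}: matched {h.indicator}")
```

Matching on the exact address or an exact/suffix domain match avoids the false positives a naive substring search would produce (for example, "12.223.66.103" or "notreally1vpn.com"). A hit from one of these exit nodes only tells you the connection was tunnelled through the service, not who was behind it; it is a pivot point for further investigation, not an attribution.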
At least 25 ransomware groups, including the Avaddon ransomware operation, are said to have used First VPN infrastructure to perform network reconnaissance and infiltration. Subscription terms ranged from one day to one year and, depending on the plan, cost between $2 per day and $483 per year. Payments were accepted via Bitcoin, Perfect Money, WebMoney, EgoPay, and InterKass.
“First VPN Service offered multiple connection protocols, including OpenConnect, WireGuard, Outline, and VLESS TCP Reality, and multiple encryption options, including OpenVPN ECC, L2TP/IPsec, and PPTP,” the FBI said.
“Technical support was also provided to users through a self-hosted Jabber server and Telegram encrypted messaging service. Among the VPN protocol options, First VPN Services offered ‘VLESS’ and ‘Reality,’ which provide the ability to disguise VPN internet traffic as HTTPS traffic on ports commonly used to connect to websites.”
According to a snapshot captured by the Internet Archive, First VPN advertised “anonymity, stability, and security” and claimed that it “does not store logs that would allow us or a third party to associate IP addresses with users of our service over a specific period of time.”
“Although the only data we store is email and username, it is not possible to link a user’s activity on the Internet to a specific user of our services,” the site added.
As a way to avoid liability, First VPN also stated in its FAQ that it “strictly” prohibits the use of its servers for illegal activities, because such use “will facilitate the receipt of complaints regarding our servers, which may result in the server being disabled,” the FAQ reads.
