BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
FBI shuts down First VPN used by dozens of ransomware gangs
Back to homeCiberataques

FBI shuts down First VPN used by dozens of ransomware gangs

FBI shut down First VPN, a criminal VPN service used by dozens of ransomware groups for network reconnaissance and corporate intrusions.

  1. Home
  2. ›
  3. Ciberataques
  4. ›
  5. FBI shuts down First VPN used by dozens of ransomware gangs
by Gorka El Bochi Morillo
·
2 min read
·May 26, 2026

What happened

First VPN was a criminal-oriented VPN service — not a consumer privacy tool. It operated as bulletproof hosting (infrastructure designed to resist legal takedowns and ignore law enforcement requests), providing anonymization to malicious actors.

The FBI, working with international partners, dismantled the infrastructure and arrested the administrator. Service domains were seized and First VPN is now offline.

According to the FBI, dozens of ransomware groups were actively using the service for two specific operations: *network reconnaissance* (scanning corporate networks, identifying exposed services, and mapping assets before an attack) and direct network intrusions.

That positions it as mid-to-high tier criminal infrastructure — not a C2 (server that controls compromised machines) or exploit kit, but the anonymization layer protecting pre-attack operations.

Why it matters

Infrastructure takedowns have real but limited impact. First VPN delivered something concrete: an OPSEC (operational security measures attackers use to avoid attribution) layer separating ransomware operators' real IPs from victim networks.

Without it, *reconnaissance* and intrusions are more exposed to defender detection. That's valuable short-term.

But the criminal ecosystem has redundancy. Groups that relied on First VPN aren't stopping. They'll pivot to equivalent services within days or weeks. The market for criminal VPNs and SOCKS proxies (proxies that redirect network traffic without modifying data, hiding the real origin) is wide and fragmented.

What does change: IOCs (technical indicators that reveal an attacker's presence) tied to First VPN infrastructure are now burned. If you had alerting on those IP ranges, you can confirm they won't be used for criminal activity. But the threat doesn't disappear.

The most notable aspect of this case: the FBI identified and arrested the actual administrator. That means the operation had enough forensic visibility to attribute the service to a real person. Bulletproof hosting operators are not untouchable.

What to do

  • Update your blocklists with IP ranges and domains associated with First VPN as soon as they're published in threat intelligence feeds (AlienVault OTX, abuse.ch, etc.).
  • Audit firewall logs for the past 6-12 months searching for *mass scanning* patterns from anonymized VPN ranges while the service was active.
  • If you run a SOC (security operations center — the team monitoring your network around the clock), add correlation rules to detect pre-attack reconnaissance: multiple failed connections from the same range in a short window, unusual port scanning.
  • Don't rely solely on blocking First VPN. Ransomware groups will rotate infrastructure. Focus on detecting the TTPs (tactics, techniques, and procedures) of the reconnaissance phase, not specific IPs.

The administrator's arrest signals to other bulletproof service operators that attribution is achievable even through shared infrastructure. For defenders, the real value is in the post-takedown window — review historical logs before attackers rebuild their OPSEC.

What to do

  • Pull First VPN IOCs from threat feeds and update blocklists immediately.
  • Search the past 6 months of firewall logs for mass scanning patterns.
  • Add SOC correlation rules to detect pre-attack recon, not just IPs.

Share this story

Help more people discover BBLabs News.

FBI shuts down First VPN used by dozens of ransomware gangs
VerticalDownload image
LinkedInXWhatsApp

Interested in Ciberataques?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
Ciberataques4 jun 2026·2 min

Megalodon malware hits 5,500+ GitHub repos in 6 hours

Megalodon malware pushed malicious commits to 5,500+ GitHub repos in six hours, stealing developer credentials and secrets.

  • Audit recent GitHub commits for unauthorized changes or unknown accounts
  • Rotate all tokens and API keys with write access immediately
  • Enable GitHub secret scanning with push protection across your org
Gorka El Bochi Morillo
Leer artículo
Ciberataques3 jun 2026·2 min

JINX-0164 hits crypto firms with fake recruiter macOS malware

JINX-0164 uses fake recruiter lures to deploy custom macOS malware against crypto firms and steal digital assets.

Leer artículo
Ciberataques1 jun 2026·2 min

Dutch police arrest admins of bulletproof hosting used by Russian hackers

Dutch authorities arrested two admins of a bulletproof hosting service — infrastructure that ignores legal takedown requests — used by Russia-aligned threat actors.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi