- The FBI identified 25 hacker groups linked to First VPN’s illegal activities
- Avaddon Ransomware was included in the list
- The FBI recommends stricter controls
At least 25 ransomware groups were actively using the First VPN Service IP for criminal purposes at the time it was dismantled in a coordinated international operation led by European law enforcement, the Federal Bureau of Investigation (FBI) has confirmed.
Last week, 33 servers belonging to the free VPN service were taken offline and its European domain seized as part of “Operation Saffron”, jointly led by European law enforcement agencies Europol and Eurojust.
In a report, the US intelligence agency described how First VPN facilitated cybercrime, with hackers using its service to carry out criminal web activity, including fraud, botnets and scanning. Among the 25 names on the list is Avaddon Ransomware, a malware group that targeted various business sectors, notably hitting insurance giant AXA in 2021.
Operation Saffron, launched in December 2021 and concluded in May, showed that, thanks to the monumental efforts of law enforcement agencies to tackle illegal activities, we can continue to enjoy the real privacy benefits that the best VPNs offer.
Investigators managed to get hold of the platform’s user database and have already identified 506 specific users; the data collected has already proved useful in 21 of Europol’s ongoing cybercrime investigations, and we can only expect more cases to emerge soon.
How Cybercriminals Used First VPN
According to the FBI report, the VPN explicitly targeted cybercriminals by advertising directly in their circles on the dark web, including Russian-language online forums — Exploit[.]in and XSS[.]is — where cybercriminals trade in stolen data and hacking tools.
There, First VPN explicitly marketed itself as a safe environment for illegal activities, promising no-logs policies, circumvention of global jurisdiction, and a refusal to cooperate with authorities.
Users could pay with cryptocurrencies for subscriptions offering varying degrees of digital anonymity for periods ranging from a day to a year. To maximize user anonymity, First VPN provided 32 services across 27 countries, from which users could choose up to four ‘hubs’.
The service even had its own technical support for criminals via Telegram and a self-hosted Jabber server.
Because the malicious infrastructure was cloud-hosted or virtualized, the IP addresses used for the ransomware were later randomly reassigned to legitimate services, making it harder for investigators to trace the source of the criminal activity.
Using techniques such as ‘password spraying’ and brute force attacks, hackers guessed passwords to gain access to their victims’ environments, such as corporate desktops and apps, from which they were able to scan the networks to identify the devices, servers and users connected to them.
By routing their attacks through First VPN’s exit nodes, the attackers made the traffic appear to originate from a legitimate and trustworthy source.
Cybercriminals also exploited the infrastructure to launch distributed denial-of-service (DDoS) attacks, flooding victims’ networks with traffic to render their systems unusable, a technique often used to prevent detection of a more serious attack in progress.
How to Stay Safe
The FBI has published detailed recommendations for organizations that call for multi-layered security controls, combining network restrictions, identity-based protections and behavioral monitoring, to prevent ransomware attacks, data breaches and unauthorized network access.
It recommends blocking and monitoring First VPN’s infrastructure and continuously monitoring for unauthorized VPN connections or IP addresses associated with anonymization services.
It is critical that multi-factor authentication (MFA) be implemented for all remote access services and cloud-based applications, and that authentication attempts originating from unknown regions or IP addresses be limited.
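As an added illustration of the monitoring the FBI recommends (this is not code from the report or from any product), the script below runs two checks over a few constructed authentication log lines: it flags successful logins whose source address falls in a placeholder list of anonymization-service prefixes, and it spots the password-spraying pattern described earlier (one source, many accounts, few attempts each). The prefixes, log format and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder prefixes standing in for monitored anonymizer exit nodes (not First VPN's real IPs).
ANONYMIZER_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample auth log: "<ISO timestamp> <source IP> <user> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:04 198.51.100.7 bob FAIL
2024-05-01T10:00:09 198.51.100.7 carol FAIL
2024-05-01T10:00:14 198.51.100.7 dave FAIL
2024-05-01T10:00:31 198.51.100.7 frank SUCCESS
2024-05-01T10:05:00 192.0.2.10 alice FAIL
2024-05-01T10:05:30 192.0.2.10 alice SUCCESS
"""

def parse_log(text):
    # One (timestamp, source_ip, user, result) tuple per log line.
    return [(datetime.fromisoformat(t), ip, u, r) for t, ip, u, r in
            (line.split() for line in text.splitlines())]

def from_anonymizer(ip):
    # True if the source address falls inside a monitored anonymization-service range.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)

def find_spraying(events, window=timedelta(minutes=5), min_users=4):
    """One source failing against many distinct accounts in a short window; few
    attempts per account, so per-account lockout never trips. Returns {ip: users}."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over sorted failures
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits

def triage(text):
    """Successful logins from anonymizer ranges plus password-spraying sources."""
    events = parse_log(text)
    anon = sorted({(ip, u) for _, ip, u, r in events if r == "SUCCESS" and from_anonymizer(ip)})
    return {"anonymizer_logins": anon, "spraying": find_spraying(events)}
```

In the sample, the same anonymizer address sprays four accounts and then succeeds against a fifth, which is exactly the combination of signals the recommendations above are meant to surface.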