 

05/21/2026

“First VPN Service” Used by Ransomware Actors to Compromise Systems

IC3

Summary


The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate indicators of compromise (IOCs) and identified tactics, techniques, and procedures (TTPs) associated with the First VPN Service. The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions. First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband.


This reporting applies solely to the First VPN Service and does not extend to other VPN providers with similar naming.


The release of this FLASH follows the coordinated takedown of the First VPN Service through a joint law enforcement operation supported by the FBI. This operation was conducted by France’s Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C) and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.
