Source: SecurityWeek — 22 May 2026
What we are tracking
The FBI says First VPN has been used by dozens of ransomware groups for network reconnaissance and intrusions.
RingSafe analysis
Crime-as-a-service infrastructure takedowns — LabHost, BreachForums, now First VPN — consistently buy defenders weeks rather than months, and the displacement effect drives competitors to scale. For Indian SOCs the practical play is to re-baseline lateral-reconnaissance detections (network scanning, ADCS abuse, SMB enumeration, AnyDesk install) over the next four weeks while threat actors migrate to alternative anonymisation infrastructure and your IP-based blocklists go stale. Map to MITRE ATT&CK T1090.003 (Multi-hop Proxy) and T1046 (Network Service Discovery). For BFSI under the RBI cyber framework and DPDP-regulated entities, this is also a clean window to validate that your incident-response playbook still works when adversary egress IPs no longer cluster on the known First VPN infrastructure ranges — behavioural detection, not IP intel, is the durable control.
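The contrast between IP intelligence and behavioural detection for T1046, as an added example that is not part of the SecurityWeek report or RingSafe's own tooling. The flow records, the blocklist entries, and the 60-second / 10-target thresholds are constructed assumptions; addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 5, 22, 9, 0, 0)
# Constructed stand-in for an IP blocklist built before the takedown.
STALE_BLOCKLIST = {"198.51.100.7", "198.51.100.8"}

# Constructed flow records: (timestamp, src, dst, dst_port).
FLOWS = (
    # New egress address, absent from the blocklist, sweeping SMB on 20 hosts in 20 s.
    [(BASE + timedelta(seconds=i), "203.0.113.50", f"192.0.2.{i + 1}", 445) for i in range(20)]
    # Workstation talking repeatedly to one file server.
    + [(BASE + timedelta(seconds=2 * i), "10.0.0.5", "192.0.2.10", 445) for i in range(30)]
    # Patch server reaching 12 hosts, one every 10 minutes.
    + [(BASE + timedelta(minutes=10 * i), "10.0.0.8", f"192.0.2.{i + 1}", 445) for i in range(12)]
)

def blocklist_hits(flows, blocklist):
    """IP-intel control: sources that appear on the blocklist."""
    return sorted({src for _, src, _, _ in flows if src in blocklist})

def fanout_scanners(flows, window=timedelta(seconds=60), min_targets=10):
    """Behavioural control: sources touching >= min_targets distinct
    (dst, port) pairs inside any sliding window. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)   # (dst, port) -> count inside the window
        start = 0
        for ts, dst, port in events:
            live[(dst, port)] += 1
            while ts - events[start][0] > window:   # evict expired events
                _, old_dst, old_port = events[start]
                live[(old_dst, old_port)] -= 1
                if live[(old_dst, old_port)] == 0:
                    del live[(old_dst, old_port)]
                start += 1
            if len(live) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(live))
    return flagged

if __name__ == "__main__":
    print("blocklist hits:", blocklist_hits(FLOWS, STALE_BLOCKLIST))
    print("fan-out alerts:", fanout_scanners(FLOWS))
```

The blocklist check returns nothing for the new egress address, while the fan-out check flags it and ignores both the chatty workstation and the slow patch server; tune the window and target count against your own baseline before alerting on it.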
Read the original report
‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested → at SecurityWeek