First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups

Manish Garg Associate of (ISC)² · RingSafe
May 23, 2026

Source: The Hacker News — 22 May 2026

What we are tracking

Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The disruption of First VPN Service was led by France and the Netherlands, with several other nations supporting the investigation since December

RingSafe analysis

First VPN was a piece of upstream criminal-anonymisation infrastructure used by 25-plus ransomware groups for reconnaissance and intrusion staging. Operationally, the takedown means Indian SOCs and IR teams will see two transient effects over the next four to eight weeks: first, a brief drop in noisy scan-and-pivot activity from known First VPN egress IPs; second, re-emergence of similar activity from new and unfamiliar ranges as adversary operators migrate to alternative anonymisation services. Re-baseline your detection engineering for ransomware precursors (ADCS abuse, Cobalt Strike beaconing, AnyDesk install, suspicious scheduled-task creation) so that these detections do not rely on now-stale IP indicators. Map them to MITRE ATT&CK T1090.003 (Multi-hop Proxy), T1046 (Network Service Discovery), and T1486 (Data Encrypted for Impact). Behavioural detection, not threat intel feeds, is the durable control here.
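
To make the IP-independent approach concrete, here is an added example (not from the original report or from RingSafe tooling) that correlates two of the precursors named above, AnyDesk service install and suspicious scheduled-task creation, per host and never reads a source IP. The event dictionaries are a constructed, normalized view of Windows Event IDs 7045 and 4698; the field names, the path heuristic and the one-hour window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (normalized Windows logs); hosts, times and paths are made up.
EVENTS = [
    {"ts": "2026-05-25T09:00:05", "host": "FIN-WS01", "event_id": 7045,
     "service_name": "AnyDesk", "image_path": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"},
    {"ts": "2026-05-25T09:12:40", "host": "FIN-WS01", "event_id": 4698,
     "task_name": r"\Updater", "command": r"C:\Users\Public\upd.exe"},
    {"ts": "2026-05-25T10:00:00", "host": "HR-WS07", "event_id": 4698,
     "task_name": r"\Microsoft\Office\Sync", "command": r"C:\Program Files\Microsoft Office\sync.exe"},
    {"ts": "2026-05-26T14:00:00", "host": "IT-WS03", "event_id": 7045,
     "service_name": "AnyDesk", "image_path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
]

# Assumed heuristic: task actions run from user-writable paths or via script hosts.
SUSPICIOUS_TASK = re.compile(
    r"\\users\\public\\|\\appdata\\|\\temp\\|powershell|mshta|rundll32", re.I)

def classify(event):
    """Return a behaviour label for an event, or None. Source IP is never consulted."""
    if event["event_id"] == 7045 and "anydesk" in event.get("service_name", "").lower():
        return "remote_tool_install"
    if event["event_id"] == 4698 and SUSPICIOUS_TASK.search(event.get("command", "")):
        return "suspicious_task"
    return None

def correlate(events, window=timedelta(hours=1), min_behaviours=2):
    """Map host -> labels for hosts with >= min_behaviours distinct behaviours in window."""
    hits = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        label = classify(e)
        if label:
            hits.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), label))
    alerts = {}
    for host, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            # Distinct behaviours observed within the window opened by this event.
            labels = {lbl for t, lbl in seen[i:] if t - start <= window}
            if len(labels) >= min_behaviours:
                alerts[host] = sorted(labels)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(EVENTS))
```

A lone AnyDesk install (IT-WS03) or a task in a normal program path (HR-WS07) stays below the threshold; only the host showing both behaviours inside the window is raised.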

Read the original report

First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups → at The Hacker News
