Operation Riptide: The FBI Just Took Down 'First VPN' — the Bulletproof Service That Hid 25 Ransomware Gangs for a Decade

For years, the hardest cybercriminals to catch weren’t the ones pulling the trigger — they were the ones selling the gloves. The “bulletproof” service providers who knowingly rent infrastructure to criminals, then look the other way, are the connective tissue of the modern cybercrime economy. On June 9, 2026, U.S. and European authorities went after one of them directly.

The FBI’s Boston Division announced it had supported a coordinated international takedown of “First VPN” (also styled FirstVPN) — a virtual private network that marketed complete anonymity but, prosecutors allege, was purpose-built to shelter criminals. It is the opening enforcement action of Operation Riptide, a new, ongoing campaign aimed squarely at the services that enable cybercrime rather than only the gangs that commit it.

A VPN Built for Criminals, Not Privacy

Legitimate VPNs exist to protect ordinary people’s privacy. According to investigators, First VPN was something else. Operating since around 2014, it ran roughly 32 exit-node servers across an estimated 27 countries — including three exit nodes inside the United States — and allegedly designed its service specifically to support cybercriminal activity.

The clientele was the tell. Authorities say at least 25 ransomware groups used First VPN’s infrastructure to conduct network reconnaissance and break into victim organizations — among them the notorious Avaddon ransomware operation. By routing their intrusions through First VPN’s chain of servers, attackers could mask their true origin, frustrate investigators, and cost companies in the U.S. and around the world millions of dollars in ransoms, downtime, and recovery.

This is what “bulletproof” means in cybercrime: a provider that promises it won’t cooperate with law enforcement, won’t keep useful logs, and won’t ask questions about what its customers are doing. For a decade, prosecutors allege, First VPN was exactly that — a turnkey anonymity layer for ransomware crews, botnet operators, and dark-web actors.

A Genuinely International Effort

No single country could have done this alone, and the takedown reflects it. The operation was led by France’s Brigade de Lutte Contre la Cybercriminalité (BL2C) and the Dutch National Police’s National High Tech Crime Unit (NHTCU), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg, and coordination support from Europol and Eurojust.

The FBI’s role stretches back years. Since as early as 2021, FBI Boston and the Cyber Division at FBI Headquarters worked alongside their foreign partners, providing technical assistance and sharing intelligence about First VPN’s infrastructure and customers. Dismantling a service with exit nodes scattered across more than two dozen jurisdictions requires exactly this kind of patient, multi-year coordination — seizing servers and untangling operations in many countries at once so the target can’t simply relocate overnight.

What “Operation Riptide” Signals

First VPN is the first major scalp for Operation Riptide, which the FBI announced June 9 as a coordinated, ongoing enforcement campaign implementing Executive Order 14390 and the administration’s National Cyber Strategy. The strategic logic is a notable shift in emphasis.

For years, takedowns focused on the ransomware gangs themselves — naming the crews, indicting members, seizing crypto. But gangs are replaceable; they rebrand, splinter, and reconstitute. The infrastructure they rent — bulletproof VPNs, malware loaders, hosting, and money-laundering rails — is harder to rebuild and serves dozens of criminal groups at once. Knock out a service like First VPN and you don’t disrupt one gang; you degrade the operating environment for all 25 that depended on it.

It’s the same philosophy behind the DOJ’s recent public-private “Disruption Week”, which stripped the accounts and satellite links out from under Southeast Asian scam compounds. Increasingly, the strategy is to attack the shared plumbing of cybercrime — the parts the criminals can’t easily replace.

Why This Matters Even If You’ll Never Hear of First VPN

Most people will never knowingly encounter a bulletproof VPN. But you may well encounter its consequences. Ransomware that locks a hospital’s systems, a school district’s records, or a small business’s payroll often begins with an intrusion routed through exactly this kind of anonymity service. When the access is gained, it’s frequently sold — network access to a compromised company is a commodity, brokered to the highest-bidding ransomware crew. Taking down the cover that hides those initial intrusions raises the cost and risk of the entire chain.

It also draws a clearer line for the gray-market operators who tell themselves they merely provide a “neutral” service. The message from Operation Riptide is that knowingly building your business around criminal customers is itself the crime — and that the international appetite to prosecute it is growing.

Protecting Yourself and Your Business

The First VPN takedown is an infrastructure story, but the intrusions it enabled start the same way most compromises do — and the defenses are within reach.

Harden the front door with multi-factor authentication. Ransomware crews routinely get in through weak or reused credentials and exposed remote-access points. MFA on email, VPNs, and admin accounts blocks the overwhelming majority of these intrusions.

Patch the things attackers actually exploit. Internet-facing systems — remote desktop, firewalls, VPN appliances, web servers — should be patched promptly. Unpatched edge devices are a favorite entry point for the reconnaissance these services concealed.

Back up offline, and test restores. The leverage in ransomware is your inability to recover. Maintain backups that are isolated from your network and verify that you can actually restore from them.

Don’t confuse “no-logs VPN” marketing with safety. Plenty of legitimate VPNs exist, but anonymity tools aggressively marketed to evade all accountability are a red flag. If a service’s pitch is that no authority can ever touch it, ask who its customers really are.

Report intrusions. If your organization is breached, file with the FBI’s Internet Crime Complaint Center at ic3.gov and contact your local FBI field office. Those reports are precisely what allowed investigators to map First VPN’s customers over five years.

Operation Riptide is, by design, a long game. First VPN was the first wave; the FBI has signaled there will be more. For the services that have spent years quietly profiting from cybercrime, the calculation just changed — the people selling the gloves are now targets too.