First VPN Service Used by Ransomware Actors to Compromise Systems

The Federal Bureau of Investigation (FBI) released this FBI Liaison Alert System (FLASH) to disseminate indicators of compromise (IOCs) and identified tactics, techniques, and procedures (TTPs) associated with the First VPN Service. The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions. First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband.
This reporting applies solely to the First VPN Service and does not extend to other VPN providers with similar naming.
The release of this FLASH follows the coordinated takedown of the First VPN Service through a joint law enforcement operation supported by the FBI. This operation was conducted by France’s Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.
This FBI FLASH contains technical details, indicators, a MITRE ATT&CK mapping, and recommended mitigations, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.
Administrative Note

The information in this document is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cybersecurity professionals and system administrators guard against the persistent malicious actions of cyber actors. The FBI does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI.