Police op targets VPN service favoured by ransomware gangs
A virtual private network (VPN) favoured by cyber criminals to mask data exfiltration, fraud, ransomware attacks and other criminal activity has been dismantled in Operation Saffron, a Franco-Dutch led action supported by Europol and other agencies, including the UK’s National Crime Agency (NCA), and private sector partner Bitdefender.
The First VPN service was heavily used among Russian-speaking threat actors and, according to Europol, was used in “almost every” major cyber investigation it has undertaken in the past few years. Besides obscuring malicious traffic from law enforcement surveillance, First VPN’s operators are also known to have offered services such as anonymised payments and hidden infrastructure.
“For years, cyber criminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals relied on to operate, communicate and evade law enforcement,” said Edvardas Šileris, head of the European Cybercrime Centre at Europol.
A spokesperson for Bitdefender added: “We’re extremely proud of the successful takedown of First VPN, and congratulate global law enforcement, and all those involved.
“Operation Saffron exemplifies the power of collaboration between the public and private security sector in dismantling illegal online activities, in this case, a VPN service designed to hide attacks. It also serves a message to criminals who believe the dark web covers their activities and ensures their anonymity. If they become the target of an international effort, they can’t hide.”
Operation Saffron marks the first time Bitdefender Labs’ virtual Draco Team unit has worked on a counter-VPN action, having previously been involved in a number of other operations including stings on the Hansa dark web market, 2024’s Operation Endgame targeting botnets, and actions against ransomware gangs including GandCrab and its successor REvil.
Multi-year operation
The takedown operation itself – which took place on 19 and 20 May – saw First VPN’s administrator arrested and interviewed, and their home in Ukraine searched, 33 servers dismantled, and wider infrastructure disrupted. Several domains have been shut down and seized, including 1vpns.com, 1vpns.net, 1vpns.org, and some associated Onion domains.
These actions marked the culmination of a four-and-a-half year investigation dating back to December 2021. During the course of this work, investigators were able to gain access to the First VPN service, obtain a copy of its user database, and identify the VPN connections used specifically by cyber criminals.
This trove of intelligence has both exposed individual users linked to cyber criminality, and generated operational leads linked to past cyber attacks and other digital offences.
Indeed, Europol’s coordinating Operational Taskforce (OTF) has already disseminated over 80 intelligence packages worldwide and identified 506 known First VPN users. The EU agency said it has already been able to support 21 other investigations thanks to this work.
Industry response
Responding to the takedown, John Watters, CEO of iCounter – a threat intelligence platform – said: “This case demonstrates that cyber crime is ultimately an ecosystem problem, not just a malware problem. The infrastructure layer that supports ransomware and fraud operations has become highly commercialised, with threat actors relying on shared services that promise anonymity, resiliency, and protection from law enforcement scrutiny.
“When investigators successfully penetrate these ecosystems, they gain an opportunity to map relationships, operational dependencies, and repeat offender activity across multiple criminal campaigns simultaneously. The operationalisation of that intelligence is critical because it allows defenders and governments to move beyond reactive incident response and toward proactive disruption of adversary infrastructure.”
Watters added: “These services are often some of the limited ways that law enforcement can impact threat actors who are in countries outside their reach. We should expect continued pressure on the enabling services that underpin cybercrime economies globally.”
“Targeting not only individual criminals and groups but also their infrastructure is becoming one of the most vital fronts in the global fight against cyber crime,” said CybaVerse head of penetration testing, Michael Jepson.
“Services like First VPN, alongside similar criminal-friendly VPNs and hosting providers, give threat actors the fundamental scaffolding to launch attacks. These services are often difficult to target because they resist legal complaints and court orders, and typically operate from permissive jurisdictions that rarely cooperate with international law enforcement.
“Pursuing individual criminals and groups becomes far harder when their activity is obfuscated and protected by these services,” added Jepson, “[so] shutting down these illicit hosts and VPNs is effective because it disrupts entire networks, and creates a knock-on effect where further criminal groups are disrupted as threat actors have to migrate their operations and reorient in the face of potential exposure.”