Police boast of hacking VPN where criminals "believed themselves to be safe"

European law enforcement say they hacked into a VPN (virtual private network) service used for ransomware attacks and other crimes, and identified thousands of users before shutting the VPN down and arresting its administrator.

Europol announced yesterday the results of the operation against the service, First VPN. The First VPN website now displays a message saying the domain was seized by a joint international law enforcement action.

“A VPN service used by cybercriminals to conceal ransomware attacks, data theft, and other serious offenses has been dismantled in an international operation led by France and the Netherlands, with support from Europol and Eurojust,” the agency said. “For years, the service, known as ‘First VPN,’ was promoted on Russian-speaking cybercrime forums as a trusted tool for remaining beyond the reach of law enforcement. It offered users anonymous payments, hidden infrastructure, and services designed specifically for criminal use.”

The probe began in December 2021. At some point, “investigators gained access to the service, obtained its user database and identified VPN connections used by cybercriminals seeking to conceal their activities,” Europol said. Security vendor Bitdefender helped law enforcement conduct the operation, Europol said.

“The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offenses worldwide,” according to Europol.

Users “mistakenly believed themselves to be safe”

A statement from the Dutch National Police Corps said that before the domain seizures, “police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe.”

An Internet Archive capture of the now-defunct VPN service’s website shows it advertised the ability to conceal one’s IP address, encrypt all communications, and hide one’s actions “from the provider and other interested persons.” First VPN also made the “no logs” promise that is common among VPN providers to assure customers that they don’t store records that could be handed to law enforcement or other third parties.

“All of our servers, meet high security requirements and do not keep logs, are set up by specialists with vast experience in this field. Big Brother is watching you, we are not!” the website said.

Like many online platforms, VPNs can be used for both legitimate and criminal purposes. It’s difficult or impossible for users to know whether a VPN service’s privacy and security claims are credible. The risk of law enforcement infiltrating a VPN provider’s internal systems adds to that uncertainty for users, although Dutch police stressed that this particular VPN service “was considered criminal, because it specifically targeted cyber criminals and gave them the opportunity to protect their identity.”

FBI: 25 ransomware groups used First VPN

First VPN “mainly advertised on the cyber criminal forums known to the police and thus expressly approached cyber criminals as potential clients,” Dutch police said. “The website of the service also stated that any cooperation with the judiciary would be denied, that the service was not subject to any jurisdiction and that no data on users was stored. As a result, the service pretended to be reliable and its users safe, which in reality was not the case.”

Eurojust, the European Union Agency for Criminal Justice Cooperation, said that “First VPN’s website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction.”

First VPN had been active since 2014 and provided 32 exit node servers in 27 countries, the FBI said in an intelligence alert yesterday. It advertised in Russian-language forums that “provide marketplaces for cyber criminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband,” according to the agency.

“At least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions,” the FBI said. “First VPN Service IP addresses have been used for scanning activity, botnets, denial of service attacks, scams, and hacking.”

The scanning activity observed from First VPN IP addresses was “consistent with adversary efforts to identify open ports, services, and network configurations,” the FBI said. The agency said that “VPN infrastructure may be used to enumerate systems within a target network following initial access,” and that “VPN exit nodes can facilitate password spraying or brute force attempts against exposed services such as SSH, RDP, or web applications.”

Users “informed that they have been identified”

Europol said the operation against First VPN produced 83 “intelligence packages,” resulted in information on 506 users being shared internationally, and helped advance 21 Europol-supported investigations so far.

“With the infrastructure dismantled and the administrator under arrest, investigators across multiple jurisdictions are now using the intelligence gathered to support ongoing cybercrime investigations worldwide,” Europol said.

After the yearslong investigation, authorities took down the VPN in a series of actions on May 19 and May 20. Authorities “interviewed the administrator and conducted a house search in Ukraine” and “dismantled 33 servers linked to the criminal service,” Europol said.

Europol said the domain seizures were authorized by judicial orders and targeted 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains. “Users of the criminal service have been notified of the shutdown and informed that they have been identified,” Europol added.