Lead story
Inside the Week Law Enforcement Tore Down the Cybercrime Infrastructure Stack
Three separate law enforcement actions dropped within 48 hours this week, and taken together they represent something more than routine policing: a co-ordinated push to dismantle the plumbing that underpins modern cybercrime.
The headliner: "First VPN" is gone. A joint operation led by France and the Netherlands — with support from the FBI and several other nations — dismantled a criminal VPN service that investigators say was used by at least 25 ransomware groups for network reconnaissance, initial access brokering, and anonymising data exfiltration. Law enforcement agencies didn't just seize infrastructure; they reportedly intercepted VPN traffic and arrested the service's administrator. The FBI described First VPN as a critical enabler for ransomware intrusions across critical infrastructure sectors in North America and Europe.
The significance here goes beyond one takedown. Criminal VPNs have historically been a blind spot — investigators can seize botnets, arrest coders, burn malware infrastructure. But the anonymisation layer, the thing that makes all of it harder to attribute, has been far harder to touch. Cracking the traffic is the loud claim in this announcement, and if true, it has implications for how other services in this category assess their own exposure.
Meanwhile, the Dutch FIOD went even further upstream. Financial crime investigators arrested two men and seized 800 servers belonging to a bulletproof hosting firm they say actively enabled cyberattacks, disinformation campaigns, and interference operations. Bulletproof hosters are the landlords of cybercrime — they take money, ask no questions, and ignore abuse complaints. Taking 800 servers offline at once removes a lot of capacity from multiple criminal ecosystems simultaneously.
And in Canada, a face finally has handcuffs. Jacob Butler, 23, from Ottawa, was arrested and charged with building and operating the Kimwolf botnet — an IoT-targeting DDoS-for-hire service that infected close to two million devices and was used to launch massive distributed denial-of-service attacks over the past six months. KrebsOnSecurity had publicly named Butler back in February after he allegedly retaliated against the journalist and a security researcher with DDoS attacks, doxing, and swatting. The US Department of Justice is seeking extradition.
Why this week's trifecta matters. Criminal infrastructure — VPNs, hosters, botnets — exists in a kind of legal grey zone between the operators who build malware and the organisations that deploy it. Historically, charges have landed on the latter two categories while the enablers keep operating. When all three layers get hit in the same week, it suggests improving intelligence-sharing and a more deliberate strategy to go after the supply side of ransomware, not just arrest the people who pull the trigger.
What to watch next. The First VPN takedown's traffic interception claim is the one that will get stress-tested. Criminal forums are already dissecting what law enforcement could have seen, and other anonymisation services will be reviewing their own exposure. Whether the arrests lead to co-operating witnesses — and what those witnesses know about ransomware operators — is the thread worth following.
For Australian organisations: ransomware groups using this infrastructure have historically targeted critical infrastructure sectors. ACSC's current advisory guidance on third-party network access and VPN hygiene is directly relevant if your incident response playbooks haven't been reviewed recently.
