“First VPN Service” Used by Ransomware Actors to Compromise Systems

    Date: 05/29/2026

    Severity: High

    Summary

    First VPN Service was a criminally oriented VPN infrastructure that operated for over a decade and was widely used by ransomware groups and other cybercriminals to conduct network reconnaissance, intrusions, scanning, botnet activity, denial-of-service attacks, and scams. The service provided global exit nodes and was frequently advertised on cybercrime forums, enabling threat actors to conceal their operations and compromise victim networks. A coordinated international law enforcement operation has since disrupted the service and its associated infrastructure.

    Indicators of Compromise (IOC) List  

    Domains/URLs

    1vpns.com

    1vpns.org

    1vpns.net

    1jabber.com

    https://t.me/FirstVPNService

    IP Address


    Emails

    support@1vpns.com

    1vpns@1jabber.com


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "1vpns.com" or url like "1vpns.com" or siteurl like "1vpns.com" or domainname like "1jabber.com" or url like "1jabber.com" or siteurl like "1jabber.com" or domainname like "1vpns.net" or url like "1vpns.net" or siteurl like "1vpns.net" or domainname like "https://t.me/FirstVPNService" or url like "https://t.me/FirstVPNService" or siteurl like "https://t.me/FirstVPNService" or domainname like "1vpns.org" or url like "1vpns.org" or siteurl like "1vpns.org" 

    Detection Query 2:

    dstipaddress IN ("185.178.209.193","46.105.107.231","77.83.247.81","188.92.78.242","188.126.79.82","49.50.66.72","91.193.5.91","145.239.5.30","217.182.199.126","134.255.210.26","82.146.50.52","178.175.139.202","185.253.98.242","5.181.234.58","37.120.143.202","192.71.249.70","92.38.162.11","92.38.148.58","147.135.11.223","111.90.141.47","139.99.68.157","51.161.128.135","190.97.163.213","31.210.70.186","147.135.36.162","66.70.179.236","178.175.139.203","86.105.25.218","195.206.107.202","185.247.71.106","193.239.86.18","190.2.142.25","79.137.69.34","95.215.61.192","77.83.247.80","37.235.55.113","93.190.142.7","193.106.31.98","31.135.14.182","92.38.180.39","195.206.107.203","37.120.143.203","91.232.29.114","86.105.25.219","134.255.210.160","190.97.163.88","185.247.71.107","51.79.208.134","92.38.162.4","77.246.157.26","54.37.200.68","185.253.98.243","51.79.111.220","51.75.34.158","92.223.66.103","46.105.79.45","92.38.186.86","82.202.160.36","193.239.86.19","139.99.255.144","5.181.234.59","91.132.139.67","95.213.164.12","89.38.224.3","152.89.162.139","94.23.27.208","31.210.70.184","94.242.253.11","178.209.51.234","94.242.253.13","179.43.184.22","31.210.70.190","94.242.254.43","185.128.43.54","94.242.254.54","94.242.254.8","185.184.192.108","37.235.60.141","94.26.226.75","152.89.162.138","95.141.32.237","46.148.16.138","95.213.164.11","185.65.205.82","49.12.133.165","95.216.15.11","188.127.244.3","5.135.164.8","95.216.15.25","188.165.236.151","5.181.234.56","103.16.26.135","188.227.173.198","103.16.26.229","188.40.81.84","5.188.163.34","103.16.27.96","188.42.253.16","51.38.66.162","108.59.1.133","190.123.46.11","190.2.142.28","139.99.122.162","190.97.163.117","62.112.8.202","139.99.149.85","190.97.163.142","192.71.211.77","80.90.39.95","80.90.55.44","147.135.11.234","192.99.0.114","193.105.134.152","88.150.220.248","147.135.40.102","193.106.31.99","147.135.87.184","45.12.222.150","158.255.208.155","198.50.157.109","158.255.211.165","199.71.233.178","93.113.36.137","176
.123.1.250","209.58.131.32","93.113.36.142","176.123.175.242","212.7.217.5","176.123.6.58","213.128.89.184","94.185.85.210","176.31.252.121","217.12.219.11","94.23.218.129","176.53.40.221","217.23.1.110","89.38.224.2","91.132.139.66","91.193.5.90") or srcipaddress IN ("185.178.209.193","46.105.107.231","77.83.247.81","188.92.78.242","188.126.79.82","49.50.66.72","91.193.5.91","145.239.5.30","217.182.199.126","134.255.210.26","82.146.50.52","178.175.139.202","185.253.98.242","5.181.234.58","37.120.143.202","192.71.249.70","92.38.162.11","92.38.148.58","147.135.11.223","111.90.141.47","139.99.68.157","51.161.128.135","190.97.163.213","31.210.70.186","147.135.36.162","66.70.179.236","178.175.139.203","86.105.25.218","195.206.107.202","185.247.71.106","193.239.86.18","190.2.142.25","79.137.69.34","95.215.61.192","77.83.247.80","37.235.55.113","93.190.142.7","193.106.31.98","31.135.14.182","92.38.180.39","195.206.107.203","37.120.143.203","91.232.29.114","86.105.25.219","134.255.210.160","190.97.163.88","185.247.71.107","51.79.208.134","92.38.162.4","77.246.157.26","54.37.200.68","185.253.98.243","51.79.111.220","51.75.34.158","92.223.66.103","46.105.79.45","92.38.186.86","82.202.160.36","193.239.86.19","139.99.255.144","5.181.234.59","91.132.139.67","95.213.164.12","89.38.224.3","152.89.162.139","94.23.27.208","31.210.70.184","94.242.253.11","178.209.51.234","94.242.253.13","179.43.184.22","31.210.70.190","94.242.254.43","185.128.43.54","94.242.254.54","94.242.254.8","185.184.192.108","37.235.60.141","94.26.226.75","152.89.162.138","95.141.32.237","46.148.16.138","95.213.164.11","185.65.205.82","49.12.133.165","95.216.15.11","188.127.244.3","5.135.164.8","95.216.15.25","188.165.236.151","5.181.234.56","103.16.26.135","188.227.173.198","103.16.26.229","188.40.81.84","5.188.163.34","103.16.27.96","188.42.253.16","51.38.66.162","108.59.1.133","190.123.46.11","190.2.142.28","139.99.122.162","190.97.163.117","62.112.8.202","139.99.149.85","190.97.163.142","192.71.211.77","80
.90.39.95","80.90.55.44","147.135.11.234","192.99.0.114","193.105.134.152","88.150.220.248","147.135.40.102","193.106.31.99","147.135.87.184","45.12.222.150","158.255.208.155","198.50.157.109","158.255.211.165","199.71.233.178","93.113.36.137","176.123.1.250","209.58.131.32","93.113.36.142","176.123.175.242","212.7.217.5","176.123.6.58","213.128.89.184","94.185.85.210","176.31.252.121","217.12.219.11","94.23.218.129","176.53.40.221","217.23.1.110","89.38.224.2","91.132.139.66","91.193.5.90")

    Detection Query 3:

    sender IN ("support@1vpns.com","1vpns@1jabber.com") or recipient IN ("support@1vpns.com","1vpns@1jabber.com") or from IN ("support@1vpns.com","1vpns@1jabber.com")
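
    For logs that sit outside the TDIR platform, the domain, URL and email indicators from Detection Queries 1 and 3 can be matched offline. The Python below is an added example, not Gurucul's code: it reuses the field names from the queries, goes beyond them by matching hosts on a label boundary (so a look-alike such as not1vpns.com is not flagged) and by accepting defanged values, and the sample events are constructed.

```python
from urllib.parse import urlsplit

# Indicators copied from the advisory's Domains/URLs and Emails lists.
IOC_DOMAINS = {"1vpns.com", "1vpns.org", "1vpns.net", "1jabber.com"}
IOC_URLS = {"t.me/firstvpnservice"}          # host + path, lower-cased
IOC_EMAILS = {"support@1vpns.com", "1vpns@1jabber.com"}

def refang(value):
    """Lower-case a value and undo common defanging (hxxp, [.], (.))."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return v.replace("hxxp", "http", 1) if v.startswith("hxxp") else v

def split_target(value):
    """Return (hostname, path) for a URL or a bare host[:port]."""
    v = refang(value)
    parts = urlsplit(v if "://" in v else "//" + v)
    return (parts.hostname or "").rstrip("."), parts.path.rstrip("/")

def domain_hit(value):
    """True for an IOC domain or any subdomain of it, never a substring."""
    host, _ = split_target(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def url_hit(value):
    """True when host + path equals an IOC URL or sits underneath it."""
    host, path = split_target(value)
    target = host + path
    return any(target == u or target.startswith(u + "/") for u in IOC_URLS)

def email_hit(value):
    return refang(value).strip("<>") in IOC_EMAILS

def match_event(event):
    """Return the fields of one log record that hit an indicator."""
    hits = [f for f in ("domainname", "url", "siteurl")
            if event.get(f) and (domain_hit(event[f]) or url_hit(event[f]))]
    hits += [f for f in ("sender", "recipient", "from")
             if event.get(f) and email_hit(event[f])]
    return hits

# Constructed sample records (not taken from the advisory).
SAMPLE_EVENTS = [
    {"url": "hxxps://vpn.1vpns[.]org/cfg", "sender": "user@example.com"},
    {"domainname": "not1vpns.com"},
    {"siteurl": "https://t.me/FirstVPNService", "from": "<1VPNS@1jabber.com>"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", match_event(ev))
```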

    Reference:

    https://www.ic3.gov/CSA/2026/260521.pdf


    Tags

    Malware, Ransomware, Botnet, DDoS Attacks
