VPNLab.net, a VPN provider that was used by malicious actors to deploy ransomware and facilitate other cybercrimes, was taken offline following a coordinated law enforcement operation.

Europol said it took action against the misuse of the VPN service by grounding 15 of its servers on January 17 and rendering it inoperable as part of a disruptive action that took place across Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the U.S., and the U.K.

A second outcome of the seizure is that at least 100 businesses that have been identified as at risk of impending cyber attacks are being notified. Europol didn't disclose the names of the companies.


Established in 2008, the service provided an advanced level of anonymity by offering its clients double VPN connections, in which internet traffic is routed through two VPN servers located in different countries instead of one, for as little as $60 a year.

"This made VPNLab.net a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities," Europol detailed in a press release, adding it "provided a platform for the anonymous commission of high value cybercrime cases, and was involved in several major international cyberattacks."

VPNLab.net is said to have caught the attention of law enforcement officials when its infrastructure began to be widely used to disseminate malware, with the investigators uncovering evidence of the illicit service being advertised on the dark web.


In a separate announcement, Ukraine's Cyber Police said the VPN service was used in more than 150 ransomware infections, causing the victims to shell out a total of €60 million in ransom payments.

The dismantling of VPNLab.net is the latest action taken by authorities to close in on VPN providers with proven links to criminal groups. In December 2020, bulletproof VPN service Safe-Inet was shut down and this was followed by the takedown of DoubleVPN in June 2021.

"The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online," Edvardas Šileris, head of Europol's European Cybercrime Centre (EC3), said. "Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches."
