Police Are Shutting Down VPNs Used by Criminals

Over the past few years, law enforcement agencies around the world have been working together to shut down virtual private network (VPN) services that criminals use to hide their activities. These operations have targeted networks that helped ransomware gangs, fraud schemes, and other criminal enterprises stay hidden online.

To understand why this matters, it helps to know what a VPN does. A VPN is like a secure tunnel for your internet traffic — it masks your location and identity by routing your data through a different server. Legitimate companies offer VPNs to help people protect their privacy. But some VPN services were built specifically to help criminals, with no interest in lawful privacy.

Major Takedowns

One significant operation took down a criminal VPN called Safe-Inet. Europol, which coordinates law enforcement across Europe, described it as a service that criminals relied on heavily.

Another operation dismantled VPNLab.net by seizing 15 servers that powered the service. U.S. law enforcement worked with international partners on this operation, called "Operation Nova," to make sure the network couldn't operate anymore.

A third takedown eliminated DoubleVPN, which charged customers $25 to access its criminal-focused network. The UK's National Crime Agency led this investigation and removed servers operating in the country.

The Hidden Botnet Problem

One of the most complex cases involved something called the 911 S5 botnet. This operated through free VPN apps that looked legitimate but were actually malicious. Apps with names like MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN infected people's devices without their knowledge.

When someone downloaded these apps, their computer became part of a hidden network. Criminals could then rent access to this network to mask their own activities. The FBI and other agencies put out a public warning about these apps so people could identify and remove them.

The person running 911 S5 was eventually arrested in an international operation that dismantled the entire network.

How These Criminal VPNs Worked

Criminal VPN services operated very differently from legitimate ones. They didn't keep public records of their activities, required minimal identification to join, and accepted cryptocurrency payments to stay hidden. Many were explicitly advertised on criminal websites.

Ransomware gangs were major customers. They used these services to hide their command centers, steal data from victims, and negotiate ransom payments without being traced. The same networks also supported fraud operations and money laundering schemes.

Why This Matters

These law enforcement operations took away key tools that criminals depended on. Think of it like shutting down a highway that smugglers used — it doesn't stop crime entirely, but it forces criminals to find new, riskier routes.

The operations also show that authorities understand a basic principle: disrupting shared infrastructure can damage multiple criminal groups at once, since many of them rely on the same anonymization services.

However, criminals are adapting. Instead of relying on traditional VPN servers, they are now using networks of infected personal computers — like the 911 S5 model — which are harder for law enforcement to find and shut down because they're scattered across the world.

These takedowns also required police in different countries to work together. A criminal VPN service operates across borders, so no single country could shut it down alone. This coordination matters because it shows law enforcement can tackle infrastructure that no individual nation controls.

The broader question ahead is whether police can keep pace with criminals' technical innovations. As criminals move toward more decentralized methods, law enforcement will need to develop new strategies to find and disrupt them. It's a pattern we've seen before in cybercrime — each time authorities crack down on one approach, criminals find a more complicated workaround.

A Related Threat

Europol has also warned that criminals are impersonating the agency itself, including pretending to be senior staff, to defraud people through email and other communication channels. This shows that as criminals lose access to their technical infrastructure, they're turning more to social engineering — tricking people into trusting fraudulent messages that appear to come from law enforcement.

This is a useful reminder that shutting down VPN networks, while important, is only one part of the picture. Criminals are flexible and opportunistic. They'll use technology when it works, and they'll use deception and impersonation when that works better. Both individuals and organizations need to stay alert to both threats.