One VPN Served 25 Ransomware Crews. Operation Riptide Seized All 33 Servers. The Leverage Was Never the Payload — It Was the Shared Infrastructure.
- Patrick Duggan
- 7 minutes ago
The FBI's Boston field office went public today with the seizure side of an operation called Riptide, and the shape of it is the thing I want defenders to sit with, because it is the same lesson we have been writing all week from a different angle. The target was not a ransomware gang. It was a single virtual private network service — marketed as "First VPN Service," advertised almost exclusively on Russian-language criminal forums, in operation since roughly 2014 — that served as the shared reconnaissance-and-intrusion layer for at least twenty-five different ransomware groups. One piece of infrastructure. Twenty-five crews. And when the international coalition moved on it between May 19 and 20, they took down thirty-three servers in one coordinated action. The public reveal landed today, which is why it feels new even though the operation itself ran three weeks ago.
The arithmetic is the whole story. A ransomware payload is replaceable — every crew has one, they fork and rebrand constantly, and killing a single gang's encryptor inconveniences exactly one gang. But the anonymity layer those gangs route their scanning and their intrusions through is a different kind of target, because it is shared. First VPN gave at least twenty-five operations — the FBI specifically names Avaddon among the historical customers — a common place to hide the origin of their network reconnaissance, their botnet traffic, their denial-of-service runs, and the actual hands-on-keyboard intrusions. Take that one service offline and you do not degrade one crew, you degrade the operational tradecraft of every crew that depended on it at once. That is leverage. That is why a VPN seizure with no arrests attached is still a bigger result than most gang takedowns: it hit the chokepoint instead of a node.
This is exactly the frame from this morning's piece on NightSpire, just viewed from the other end of the intrusion. We wrote that the busiest ransomware crew on the planet gets in through exposed RDP and commodity remote-desktop tools — that the money is in watching the access layer, not the encryption layer. Operation Riptide is the law-enforcement version of the same instinct: do not chase the payload, chase the shared infrastructure that every payload sits on top of. It is the same reason we spend our time mapping Tor exit-relay operators and bulletproof-hosting clusters rather than cataloging the thousandth variant of a Go encryptor. The infrastructure is finite, it is shared, and it is where one move affects many actors. The payload is infinite and disposable. Hunt the part that does not regenerate overnight.
Now the honest part, because a chokepoint story is only useful if you say what you actually have. I checked our index for First VPN's infrastructure the moment this crossed, and we did not have it — and I want to be precise about why, because "we didn't catch it" and "it was never published" are different failures and only one of them is ours. The agencies seized thirty-three servers but have not released the IP list; takedown press releases routinely hold indicators back for weeks while the forensics and the prosecutions proceed. There is nothing for anyone to match against yet. On the actor side we do hold the relevant profile — Avaddon's operator is tracked in our adversary index as RIDDLE SPIDER, CrowdStrike's designation — but Avaddon itself wound down in 2021, so that is historical context, not a live indicator. The straight answer is: we had the actor lineage, we did not have the VPN's servers, and neither did anyone outside the investigation, because the list is not out.
Here is the part that is ours to do, and we are setting it up now. The instant those thirty-three server IPs are published — and they will be — we ingest them and run them backward through our own edge. We hold roughly two and a half million block events and over eight million autonomous edge decisions, every one of them timestamped. The question that answers is concrete and falsifiable: did traffic from First VPN's exit nodes ever hit our infrastructure, and did our autonomous blocker stop it, before the FBI took the service down? If even a handful of those IPs show up in our block history with dates that predate May 19, that is not a narrative, it is a receipt — proof that the shared infrastructure feeding twenty-five ransomware crews was already being rejected at one small Minnesota edge while it was still live. We have set a watch for the indicator drop. When it lands, we will run the cross-reference in the open and publish whatever it says, including if the answer is that we never saw them — because the discipline that makes the receipt worth anything is being willing to print it when it comes back empty.
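The cross-reference described above, written out as an added example that is not the site's own tooling: it matches a published indicator list against timestamped edge block events and splits the hits by whether they predate the May 19 takedown. The indicator values are placeholder RFC 5737 documentation addresses (the real seized-server list is unreleased), the log lines are constructed, and the year in the timestamps is an assumption since the post gives only the day.

```python
from datetime import datetime, timezone
import ipaddress

# Placeholder indicator list: the real seized-server IPs are unpublished, so
# these are constructed RFC 5737 documentation addresses, one as a CIDR range.
SEIZED_INDICATORS = ["192.0.2.10", "198.51.100.0/24"]

# Constructed block-event log: UTC timestamp, source IP, edge decision.
# The year is an assumption; the post gives only the May 19 takedown date.
BLOCK_EVENTS = """\
2025-04-02T11:14:07Z 192.0.2.10 block
2025-04-02T11:14:09Z 203.0.113.5 allow
2025-05-03T22:41:55Z 198.51.100.77 block
2025-05-21T08:00:12Z 192.0.2.10 block
2025-05-25T19:03:44Z 192.0.2.200 block
"""
TAKEDOWN = datetime(2025, 5, 19, tzinfo=timezone.utc)


def parse_events(text):
    """Yield (timestamp, ip, decision) from the space-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, decision = line.split()
        yield (datetime.fromisoformat(ts.replace("Z", "+00:00")),
               ipaddress.ip_address(ip), decision)


def cross_reference(indicators, events, cutoff):
    """Return block events from indicator IPs/ranges, split into those that
    predate the takedown (the 'receipt') and those after it."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    pre, post = [], []
    for ts, ip, decision in events:
        if decision != "block" or not any(ip in net for net in nets):
            continue
        (pre if ts < cutoff else post).append((ts.isoformat(), str(ip)))
    return {"pre_takedown": pre, "post_takedown": post}


if __name__ == "__main__":
    result = cross_reference(SEIZED_INDICATORS, parse_events(BLOCK_EVENTS), TAKEDOWN)
    for bucket, hits in result.items():
        print(bucket, len(hits), hits)
```

Only `block` decisions count as a receipt; an `allow` from an indicator address before the cutoff is a miss worth printing separately, which is the empty-result case the post commits to publishing.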
The defender takeaway does not depend on our retrospective, though. It is this: when you allocate your own hunting and your own detection budget, weight it toward the shared and the finite. Egress to known anonymity and bulletproof networks, repeated infrastructure across seemingly unrelated incidents, the access layer that every intrusion has to cross — those are the surfaces where one piece of work pays off against many adversaries at once. Operation Riptide just demonstrated the principle at the scale only a multinational coalition can reach: one cable, twenty-five predators, one cut. You cannot seize servers from your SOC, but you can decide to hunt the chokepoint instead of the payload, and that decision is available to everyone.