
The Seizure Notice Published First VPN's IP Addresses. A Free Certificate-Transparency Query Handed Us Its Entire Twelve-Year Stack.

  • Writer: Patrick Duggan
  • 5 minutes ago
  • 5 min read

When law enforcement seizes a piece of criminal infrastructure, the advisory that follows usually contains a list of IP addresses, and defenders dutifully feed those into their logs to check for historical connections. That is the right thing to do, and it is also the smallest version of what is available. This week's takedown of First VPN — the anonymization service used by at least twenty-five ransomware groups since 2014, seized May 19 and 20 in the French-and-Dutch-led Operation Saffron that rolls up into the FBI's broader Operation Riptide — is a clean example of the gap. The seizure notice gave the world a handful of exit-node IP addresses and three domains. A free, public certificate-transparency query gave us the operator's entire twelve-year stack. I want to walk through that, because the technique generalizes to every seizure advisory you will ever read, and because being honest about it means also telling you what we did not have.



First, The Part We Did Not Have


We track a lot of infrastructure, and on most of the breaches in this year's headlines we can show you indicators we held before the public knew. We documented Vercel's impersonation domains seven months before the announcement, tracked the TeamPCP crew that hit OpenAI since March, and watched the ShinyHunters confederation walk through one vertical every forty-eight hours. First VPN is not one of those. When the IOCs were published, we checked our corpus for any trace of 1vpns and its siblings and found nothing. We did not pre-hold this one, and the honest cap on our methodology is that we catch the infrastructure that stages where we are looking and miss the infrastructure that does not. A twelve-year-old anonymization service quietly serving ransomware crews from European hosting was simply not in our field of view. Saying so is the price of being believed the other ninety-five percent of the time.


What we could do, the moment the domains were public, was pivot — and that is where the day turned productive.



The Pivot: A Domain Plus crt.sh Is A Time Machine


Every publicly trusted HTTPS certificate a server can present is logged, publicly and permanently, in the certificate-transparency system. The system exists to catch misissued certificates, but for an investigator it doubles as a complete, timestamped history of a domain's infrastructure that the operator cannot retroactively delete. You query it for free at crt.sh. We pointed it at 1vpns.com, and the seizure notice's flat IP list turned into a structured, eleven-and-a-half-year map.


The oldest certificate for the domain was issued on September 3, 2014, which independently confirms the "operational since 2014" claim with a hard timestamp rather than a press-release assertion. The most recent was issued June 2, days before the takedown. In between, the subject-alternative-name fields named the operator's actual stack: ocserv.1vpns.com and luocserv.1vpns.com, the OpenConnect VPN daemons that were the service's reason for existing; vpn2dev.1vpns.com and a randomized devbackend6d60d9b18drryfty.1vpns.com, the development and build backend that the marketing site would never link to; and an entire sub-brand called trynm, with api, broker, dashboard, turnapi, and turn hosts under trynm.1vpns.com — a relay and TURN layer that suggests a second product or a newer iteration of the service. None of those subdomains were in the seizure advisory's IP list. All of them are now in our feed, sixteen indicators total, tagged as Operation Riptide research import, which means our public STIX feed currently carries a more complete picture of First VPN's infrastructure than the official notice did.


The certificate authorities tell their own small story, too. The operator cycled through Let's Encrypt across eight different issuing intermediates, plus ZeroSSL, Sectigo, COMODO, Google Trust, and — notably — Cloudflare, meaning at points they fronted the criminal VPN behind Cloudflare's network the same way any legitimate site would. Free and automated certificate issuance is a gift to defenders precisely because it leaves a dense, dated trail; the same convenience that let the operator stand up infrastructure cheaply for a decade also recorded every host they ever secured.
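The pivot described above, written out as an added example rather than the post's own tooling: it reads crt.sh JSON records for a domain, splits each certificate's subject-alternative-name list into hostnames, folds wildcard names to their base, keeps only names under the seized domain (shared certificates, such as a CDN's, can carry other customers' names alongside the one you care about), and reports first and last issuance per host, issuer counts, and the hostnames an advisory did not publish. The `fetch_crtsh` helper queries the real `https://crt.sh/?q=%25.<domain>&output=json` endpoint; the `SAMPLE_RECORDS` are constructed for this example, with placeholder ids, dates and issuer names that are not real log entries, so that the block runs offline. Only the hostnames in the sample are ones the post reports.

```python
"""Pivot from a seized domain to its certificate history via crt.sh.

Added example, not code from the original post. crt.sh serves JSON at
https://crt.sh/?q=%25.<domain>&output=json; each record carries, among
other fields, `name_value` (newline-separated DNS names), `common_name`,
`issuer_name` and `not_before`. SAMPLE_RECORDS are constructed here.
"""
import json
import sys
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime

CRTSH = "https://crt.sh/?q={q}&output=json"


def _rec(cid, issuer, cn, names, not_before):
    """Build one constructed, crt.sh-shaped record (placeholder values)."""
    return {"id": cid,
            "issuer_name": f"C=XX, O=Constructed CA, CN=Constructed Issuer {issuer}",
            "common_name": cn, "name_value": "\n".join(names),
            "not_before": not_before}


# Constructed sample: ids, dates and issuers are placeholders, not real entries.
SAMPLE_RECORDS = [
    _rec(1001, "A1", "1vpns.com", ["1vpns.com", "www.1vpns.com"], "2014-09-03T00:00:00"),
    # A shared CDN-style certificate: one SAN is in scope, the other is not.
    _rec(1002, "D1", "other-example.test", ["other-example.test", "1vpns.com"], "2018-06-01T00:00:00"),
    _rec(1003, "A1", "ocserv.1vpns.com", ["ocserv.1vpns.com", "luocserv.1vpns.com"], "2019-04-11T08:15:00"),
    _rec(1004, "B1", "vpn2dev.1vpns.com",
         ["vpn2dev.1vpns.com", "devbackend6d60d9b18drryfty.1vpns.com"], "2022-10-05T13:40:00"),
    _rec(1005, "B1", "*.trynm.1vpns.com",
         ["*.trynm.1vpns.com", "api.trynm.1vpns.com", "broker.trynm.1vpns.com", "turn.trynm.1vpns.com"],
         "2025-01-20T02:00:00"),
    _rec(1006, "C1", "ocserv.1vpns.com", ["ocserv.1vpns.com"], "2026-05-10T09:30:00"),
]


def fetch_crtsh(domain, timeout=60):
    """Query crt.sh live; the leading % asks for every logged name under <domain>."""
    url = CRTSH.format(q=urllib.parse.quote("%." + domain))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def normalize_name(name):
    """Lower-case, drop a trailing dot, and fold '*.x' to its base 'x'."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def summarize(records, domain):
    """Per-host first/last issuance plus issuer counts, restricted to <domain>."""
    domain = normalize_name(domain)
    hosts, issuers = {}, Counter()
    for rec in records:
        seen = datetime.fromisoformat(rec["not_before"][:19])
        issuers[rec.get("issuer_name", "unknown")] += 1
        names = set(rec.get("name_value", "").split("\n"))
        names.add(rec.get("common_name", ""))
        for raw in names:
            name = normalize_name(raw)
            # Skip blanks and names outside the seized domain (shared certs).
            if not name or not (name == domain or name.endswith("." + domain)):
                continue
            first, last = hosts.get(name, (seen, seen))
            hosts[name] = (min(first, seen), max(last, seen))
    return {"hosts": hosts, "issuers": issuers,
            "first_seen": min(v[0] for v in hosts.values()) if hosts else None,
            "last_seen": max(v[1] for v in hosts.values()) if hosts else None}


def new_indicators(summary, published):
    """Hostnames the certificate history adds beyond what the advisory listed."""
    known = {normalize_name(p) for p in published}
    return sorted(h for h in summary["hosts"] if h not in known)


def main(argv):
    if len(argv) > 1:
        domain, records = argv[1], fetch_crtsh(argv[1])
    else:
        domain, records = "1vpns.com", SAMPLE_RECORDS
    s = summarize(records, domain)
    print(f"{domain}: {len(s['hosts'])} hosts, first cert {s['first_seen']}, last cert {s['last_seen']}")
    for host, (first, last) in sorted(s["hosts"].items()):
        print(f"  {host:45} {first.date()} -> {last.date()}")
    for issuer, n in s["issuers"].most_common():
        print(f"  {n:3}x {issuer}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a domain argument to query crt.sh live, or with none to summarize the constructed sample. Resolving the resulting hostnames through historical DNS is the separate next step the post describes and is not covered here.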



Why The IP List Is The Snapshot And The Certs Are The Movie


A seizure advisory's IP addresses are, almost by definition, the last frame of the film: the servers that were live at the moment the plug was pulled. An anonymization service that ran for twelve years moved across far more infrastructure than whatever it happened to be using in May 2026. The certificate history is the closest thing to the full movie — every host that ever presented a cert, in order, with dates. It is not complete either; hosts that never served HTTPS, or whose certificates were issued before browsers began requiring CT logging, will be missing. But as a first pivot off a published domain, it routinely returns an order of magnitude more than the advisory, and it costs nothing and touches no one's systems, because you are reading a public ledger rather than scanning a target.


The honest limitation we hit next is worth naming so you do not repeat it: we wanted to ask our own block history whether we had ever rejected traffic from First VPN's exit nodes before the takedown, and we could not answer it cleanly, because our block index does not yet treat the raw IP as an exactly-filterable field — a full-text query on a dotted IP fragments on the dots and matches noise. That is a real gap in our own tooling, not a clean negative, and the right next step is historical-DNS resolution of these subdomains into the operator's true IP range followed by an exact-match cross-reference. We are queuing that rather than pretending the question is closed.
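The exact-match cross-reference the paragraph above says is queued, as an added example rather than the post's own block index: it parses constructed block-log lines (not real data), shows how a plain text search for `10.0.0.1` also returns `10.0.0.10` and `110.0.0.1`, and then compares whole addresses with Python's `ipaddress` module, which additionally folds alternate IPv6 spellings to one value and supports CIDR membership for the operator ranges that historical DNS would produce. The log format, the IOC values and the ranges are assumptions made for the example.

```python
"""Exact-match cross-reference of seizure IOCs against a block log.

Added example, not the post's own tooling. A text search for a dotted IP
treats the address as a string, so "10.0.0.1" also matches "10.0.0.10" and
"110.0.0.1". Parsing each address with `ipaddress` and comparing whole
addresses (or CIDR membership) gives a clean yes/no instead.
"""
import ipaddress
import re

# Constructed block-log lines (timestamp, verdict, client IP); not real data.
BLOCK_LOG = """\
2026-05-12T04:11:09Z BLOCK src=10.0.0.1 reason=reputation
2026-05-12T04:11:10Z BLOCK src=10.0.0.10 reason=reputation
2026-05-12T04:12:31Z BLOCK src=110.0.0.1 reason=rate-limit
2026-05-13T19:02:44Z BLOCK src=203.0.113.77 reason=reputation
2026-05-14T02:45:00Z BLOCK src=2001:db8::1 reason=reputation
2026-05-14T02:45:01Z BLOCK src=2001:db8:0:0:0:0:0:1 reason=reputation
2026-05-15T08:00:00Z BLOCK src=198.51.100.200 reason=rate-limit
2026-05-15T08:00:01Z BLOCK src=not-an-ip reason=parse-error
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<verdict>\S+)\s+src=(?P<src>\S+)")


def parse_block_log(lines):
    """Turn log lines into (timestamp, ip_address) pairs, skipping unparseable ones."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed source field: skip rather than guess
        entries.append((m.group("ts"), ip))
    return entries


def substring_hits(lines, needle):
    """The naive approach: plain text search. Over-matches on longer addresses."""
    return [line for line in lines if needle in line]


def exact_hits(entries, iocs):
    """Whole-address comparison; ipaddress canonicalizes IPv6 spellings."""
    wanted = {ipaddress.ip_address(i) for i in iocs}
    return [(ts, str(ip)) for ts, ip in entries if ip in wanted]


def range_hits(entries, cidrs):
    """Membership in operator ranges (e.g. recovered via historical DNS)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(ts, str(ip)) for ts, ip in entries if any(ip in n for n in nets)]


if __name__ == "__main__":
    entries = parse_block_log(BLOCK_LOG)
    print("text search for 10.0.0.1:", len(substring_hits(BLOCK_LOG, "10.0.0.1")), "lines")
    print("exact match for 10.0.0.1:", exact_hits(entries, ["10.0.0.1"]))
    print("exact match incl. IPv6   :", exact_hits(entries, ["10.0.0.1", "2001:db8::1"]))
    print("range hits               :", range_hits(entries, ["203.0.113.0/24"]))
```

The `ipaddress` objects are hashable and comparable, so the same index also answers the follow-up question (did any exit node in a recovered operator range ever hit us) without another full-text pass over the logs.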



What A Defender Should Take From This


When the next seizure advisory lands with a short list of IPs, do not stop at the IPs. Take every domain it names and run it through certificate transparency at crt.sh, and pull historical DNS for the same names, because the operator's full subdomain stack — the VPN daemons, the dev backends, the sub-brands, the mail and management hosts — is almost always larger and more revealing than the seizure snapshot, and it tells you what the infrastructure was for. Review your logs for that full set of hostnames, not just the published addresses. And internalize the cheapest lesson in this whole exercise: certificate transparency is a free, permanent, timestamped record of nearly everyone's infrastructure, including the people who very much wish it were not, and a single query against it turned a three-line IP list into a twelve-year map. We did not see First VPN coming. We did, the moment it was public, see further into it than the people who seized it chose to publish — and that is a capability available to anyone willing to type a domain into a search box.





