First VPN Service Taken Down in Major Cybercrime Crackdown
Severity: High (Score: 67.2)
Sources: Cyberscoop, www.europol.europa.eu, www.eurojust.europa.eu, www.politie.nl, Infosecurity-Magazine
Keywords: first, used, ransomware, service, operation, data, taken
Severity indicators: ransomware, rat
Summary
On May 19 and 20, 2026, law enforcement agencies from France and the Netherlands, supported by Europol, dismantled the criminal VPN service known as First VPN. This service was used by cybercriminals for ransomware attacks and data theft, providing anonymity through encrypted traffic and IP address masking. Authorities seized 33 servers across 27 countries and arrested the service's administrator in Ukraine. The operation, dubbed Operation Saffron, revealed that First VPN had been involved in nearly every major cybercrime investigation supported by Europol. Investigators accessed the user database, identifying thousands of users linked to cybercrime activities. All identified users were notified of the service's shutdown and the fact that their identities are now known to law enforcement. The operation resulted in the sharing of 83 intelligence packages with international partners to aid ongoing investigations.

Key Points:
- First VPN was a major VPN service used by cybercriminals for anonymity in illegal activities.
- 33 servers were dismantled, and the administrator was arrested during a coordinated international operation.
- Thousands of users were identified, and intelligence gathered will support ongoing investigations into cybercrime.
Detailed Analysis
**Impact** The takedown affected thousands of users globally, with 506 identified and notified, many linked to ransomware, fraud, and data theft operations. The VPN service was used primarily by cybercriminals operating across multiple sectors and geographies, including Europe and beyond, facilitating illegal activities by masking their identities and infrastructure. The operation disrupted ongoing cybercrime investigations and supported 21 additional inquiries worldwide. Thirty-three servers and three domains were seized, impacting the VPN's operational capabilities.

**Technical Details** First VPN was advertised on Russian-speaking cybercrime forums and accepted anonymous payments, providing encrypted traffic and IP masking to users. Investigators infiltrated the VPN infrastructure, obtaining user databases and traffic data before the service was taken offline. The infrastructure included 33 servers across 27 countries and domains such as 1vpns.com, 1vpns.net, and 1vpns.org, including onion-routed addresses. No specific malware, CVEs, or attack vectors were detailed in the sources.

**Recommended Response** Defenders should monitor for network traffic originating from or destined to the seized domains and associated IP addresses to identify potential residual connections or fallback infrastructure. Organizations should enhance detection rules for VPN usage patterns linked to cybercrime forums and review logs for anomalous encrypted traffic. No specific patches or CVEs were mentioned; focus should be on intelligence sharing and monitoring for indicators related to First VPN user activity.
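The log review recommended above can be sketched as follows. This is an added example, not code from the source articles: it scans DNS and proxy log lines for the three seized domains named on this page and matches on label boundaries so lookalike names are not reported. The log layout, function names and sample lines are assumptions constructed for illustration; the page lists no IP addresses or onion addresses, so none are included.

```python
import re

# Domains this page lists as seized First VPN infrastructure.
SEIZED_DOMAINS = ("1vpns.com", "1vpns.net", "1vpns.org")

# Hostname-shaped tokens: dot-separated labels, alphabetic TLD, optional root dot.
_LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOST_RE = re.compile(rf"\b(?:{_LABEL}\.)+[a-z]{{2,63}}\b\.?", re.IGNORECASE)


def normalize(host):
    """Lower-case and drop the trailing root dot that DNS logs often keep."""
    return host.rstrip(".").lower()


def seized_parent(host):
    """Return the seized domain that host equals or is a subdomain of, else None."""
    h = normalize(host)
    for domain in SEIZED_DOMAINS:
        # Match on a label boundary so my1vpns.com and 1vpns.org.example.test
        # are not reported.
        if h == domain or h.endswith("." + domain):
            return domain
    return None


def scan(lines):
    """Return (line_number, hostname, seized_domain) for every match."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in HOST_RE.findall(line):
            domain = seized_parent(token)
            if domain:
                hits.append((number, normalize(token), domain))
    return hits


# Constructed sample lines in a generic DNS/proxy log layout (not real traffic).
SAMPLE_LOG = [
    "2026-05-18T09:12:01Z dns client=192.0.2.14 query=1vpns.com. type=A",
    "2026-05-18T09:12:07Z proxy client=192.0.2.14 CONNECT api.1VPNS.net:443",
    "2026-05-18T09:13:40Z dns client=192.0.2.31 query=my1vpns.com type=A",
    "2026-05-18T09:14:02Z proxy client=192.0.2.31 GET http://1vpns.org.example.test/",
    "2026-05-18T09:15:11Z dns client=198.51.100.7 query=example.org type=AAAA",
]

if __name__ == "__main__":
    for number, host, domain in scan(SAMPLE_LOG):
        print(f"line {number}: {host} (seized domain {domain})")
```

Hits dated before the takedown point to hosts that used the service; hits after it point to clients still configured to reach the seized names.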
Source articles (7)
- Cybercriminal VPN Dismantled in Europol Crackdown — Infosecurity-Magazine · 2026-05-21
  A VPN service used by ransomware operators, fraudsters and data thieves to mask their activity has been taken offline in a coordinated operation led by France and the Netherlands. According to Europol…
- Cybercriminal VPN Used Ransomware Actors Dismantled In Global Crackdown — www.europol.europa.eu · 2026-05-21
- Eurojust Coordinated Investigation Shuts Down Criminal VPN Network — www.eurojust.europa.eu · 2026-05-21
- Criminal VPN Service First VPN Taken Offline — www.politie.nl · 2026-05-21
  On 19 and 20 May, the criminal VPN service First VPN was taken offline in an international operation. This was done by Team High Tech Crime of the Eenheid Landelijke Opsporing, under the authority of the Lande…
- European authorities take down prolific cybercrime VPN service — Cyberscoop · 2026-05-21
  European authorities took down a prominent virtual private network service and arrested the alleged administrator behind an operation that cybercriminals used to steal data, commit fraud and ransomwar…
- Authorities dismantle First VPN, used by ransomware actors — Feeds2.Feedburner · 2026-05-21
  First VPN, a virtual private network service marketed to cybercriminals, promising anonymity for its users, was taken offline on May 19 and 20 as part of Operation Saffron. During the operation, Frenc…
- Police seize “First VPN” service used in ransomware, data theft attacks — Bleepingcomputer · 2026-05-21
  A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. Authorities have seized doze…
Timeline
- 2021-12-01 — Investigation into First VPN initiated: Authorities began investigating First VPN, focusing on its use by cybercriminals for illegal activities.
- 2023-11-01 — Joint investigation team formed: French and Dutch authorities established a joint investigation team to tackle First VPN's operations.
- 2026-05-19 — First VPN taken offline: Law enforcement agencies executed a coordinated operation, dismantling the VPN service and seizing its servers.
- 2026-05-20 — User notifications sent: All identified users of First VPN were notified that their identities are now known to authorities.
Related entities
- Data Breach (Attack Type)
- Ransomware (Attack Type)
- Operation Saffron (Campaign)
- France (Country)
- Netherlands (Country)
- Ukraine (Country)
- 1vpns.com (Domain)
- 1vpns.net (Domain)
- 1vpns.org (Domain)
- T1486 - Data Encrypted for Impact (MITRE ATT&CK)
- First VPN (Platform)
- VPN (Tool)