Operation Saffron: First VPN Dismantled in Major Cybercrime Takedown
Severity: High (Score: 76.5)
Sources: Cyberscoop, Techcrunch, Cybersecuritynews, Securityaffairs.Co, www.politie.nl
Keywords: first, used, ransomware, service, operation, data, taken
Severity indicators: ransomware, rat
Summary
On May 19-20, 2026, an international law enforcement operation, dubbed Operation Saffron, successfully dismantled First VPN, a virtual private network service heavily utilized by cybercriminals for ransomware, fraud, and data theft. Led by French and Dutch authorities, with support from Europol and Eurojust, the operation resulted in the seizure of 33 servers and the arrest of the service's administrator in Ukraine. First VPN was known for providing anonymity to its users, facilitating illicit activities by masking their identities and infrastructure. The investigation, which began in December 2021, revealed that First VPN had been involved in nearly every major cybercrime investigation supported by Europol in recent years. Authorities identified and notified 506 users linked to cybercriminal activities, disseminating 83 intelligence packages to aid ongoing investigations. This operation marks a significant milestone in the fight against cybercrime, showcasing the effectiveness of international collaboration.
Key Points:
- First VPN, a VPN service used by cybercriminals, was taken offline during Operation Saffron.
- The operation involved 18 countries and resulted in the arrest of the service's administrator in Ukraine.
- Authorities identified 506 users linked to cybercrime and shared intelligence across jurisdictions.
Detailed Analysis
**Impact** The takedown of First VPN affects over 500 identified users linked to ransomware, fraud, and data theft operations across 18 countries, including Canada, France, Germany, Ukraine, the UK, and the US. The service was deeply embedded in cybercrime investigations supported by Europol, implicating numerous ransomware gangs and criminal campaigns targeting sectors globally. The disruption removes a critical anonymization layer, exposing infrastructure and user identities, and advancing 21 ongoing investigations internationally.

**Technical Details** First VPN provided anonymized VPN connections, anonymous payment options, and hidden infrastructure tailored for cybercriminal use, primarily advertised on Russian-speaking forums. Investigators dismantled 33 servers, seized domains (1vpns.com, 1vpns.net, 1vpns.org), and obtained the user database, enabling identification of VPN connections used to obscure lateral movement, phishing origins, ransom negotiations, and data exfiltration. No specific malware, CVEs, or attack vectors were detailed in the sources.

**Recommended Response** Defenders should monitor for network traffic associated with the seized domains and IP ranges linked to First VPN infrastructure and update detection rules to identify anomalous VPN usage patterns consistent with First VPN's known profiles. Organizations should review and harden VPN and remote access policies to prevent unauthorized anonymized connections. No specific patches or CVEs were mentioned; focus should be on intelligence sharing and monitoring for follow-on activity from displaced threat actors seeking alternative anonymization services.
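As an added example (not taken from the source articles), the domain monitoring recommended above can be run over resolver logs: the sketch below flags queries for the three seized domains listed on this page, matching on label boundaries so lookalike names are not flagged. The log format, the sample lines and the function names are assumptions made for illustration.

```python
import re

# Domains this page lists as seized during Operation Saffron.
SEIZED_DOMAINS = ("1vpns.com", "1vpns.net", "1vpns.org")

# Constructed sample resolver log lines (key=value format is an assumption).
SAMPLE_LOG = """\
2026-05-22T08:14:03Z client=10.0.4.17 qname=www.example.org. qtype=A
2026-05-22T08:14:09Z client=10.0.4.17 qname=1VPNS.com. qtype=A
2026-05-22T08:15:41Z client=10.0.7.52 qname=node7.eu.1vpns.net qtype=AAAA
2026-05-22T08:16:02Z client=10.0.7.52 qname=my1vpns.org. qtype=A
2026-05-22T08:16:30Z client=10.0.9.3 qname=1vpns.org.cdn.example.net. qtype=A
2026-05-22T08:17:11Z client=10.0.4.17 qname=api.1vpns.org. qtype=A
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def match_seized(qname):
    """Return the seized domain that qname equals or is a subdomain of, else None."""
    # Normalise case and the trailing root dot before comparing.
    name = qname.rstrip(".").lower()
    for domain in SEIZED_DOMAINS:
        # Require a label boundary so "my1vpns.org" is not a hit.
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def flag_queries(log_text):
    """Return (timestamp, client, seized_domain) for every matching query."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "qname" not in fields:
            continue
        domain = match_seized(fields["qname"])
        if domain:
            hits.append((line.split()[0], fields.get("client", "?"), domain))
    return hits


def clients_by_domain(hits):
    """Group hits per internal client so each host can be triaged once."""
    summary = {}
    for _, client, domain in hits:
        summary.setdefault(client, set()).add(domain)
    return summary


if __name__ == "__main__":
    for client, domains in clients_by_domain(flag_queries(SAMPLE_LOG)).items():
        print(client, sorted(domains))
```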
Source articles (14)
- Cybercriminal VPN Dismantled in Europol Crackdown — Infosecurity-Magazine · 2026-05-21
  A VPN service used by ransomware operators, fraudsters and data thieves to mask their activity has been taken offline in a coordinated operation led by France and the Netherlands. According to Europol…
- Eurojust Coordinated Investigation Shuts Down Criminal Vpn Network — www.eurojust.europa.eu · 2026-05-21
- Criminele Vpn Dienst First Vpn Offline Gehaald — www.politie.nl · 2026-05-21
  On 19 and 20 May, the criminal VPN service First VPN was taken offline in an international operation. This was done by Team High Tech Crime of the Eenheid Landelijke Opsporing, under the authority of the Lande…
- Cybercriminal Vpn Used Ransomware Actors Dismantled In Global Crackdown — www.europol.europa.eu · 2026-05-21
- Operation Saffron Bitdefender Joins First Vpn Takedown — www.bitdefender.com · 2026-05-21
  An international law enforcement operation led by France and the Netherlands dismantled First VPN, a cybercriminal anonymization service used by ransomware actors, fraudsters, and data thieves across…
- Law enforcement shuts down VPN service used by two dozen ransomware gangs — Techcrunch · 2026-05-21
  An international coalition of law enforcement agencies announced Thursday that they took down a popular virtual private network service used by cybercriminals and arrested its administrator. The FBI s…
- Police op targets VPN service favoured by ransomware gangs — Computerweekly · 2026-05-21
  A virtual private network (VPN) favoured by cyber criminals to mask data exfiltration, fraud ransomware attacks and other criminality has been dismantled in Operation Saffron, a Franco-Dutch led actio…
- Operation Saffron: Bitdefender Joins “First VPN” Takedown — Bitdefender · 2026-05-21
  An international law enforcement operation led by France and the Netherlands dismantled First VPN, a cybercriminal anonymization service used by ransomware actors, fraudsters, and data thieves across…
- European authorities take down prolific cybercrime VPN service — Cyberscoop · 2026-05-21
  European authorities took down a prominent virtual private network service and arrested the alleged administrator behind an operation that cybercriminals used to steal data, commit fraud and ransomwar…
- Authorities Have Taken Down “First VPN” Used in Ransomware Attacks — Cybersecuritynews · 2026-05-21
  In a major international law enforcement success, authorities from seven countries dismantled First VPN, a criminal virtual private network linked to global cybercrime, during a coordinated operation…
- France, Netherlands dismantle VPN linked to cybercrime — Straitstimes · 2026-05-21
  First VPN rerouted connections via a third party to avoid identification, and was on Russian-speaking cybercrime forums. PARIS - France and the Netherlands have dismantled a VPN used by cybercriminals…
- Authorities dismantle First VPN, used by ransomware actors — Feeds2.Feedburner · 2026-05-21
  First VPN, a virtual private network service marketed to cybercriminals, promising anonymity for its users, was taken offline on May 19 and 20 as part of Operation Saffron. During the operation, Frenc…
- Police seize “First VPN” service used in ransomware, data theft attacks — Bleepingcomputer · 2026-05-21
  A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. Authorities have seized doze…
- Global law enforcement operation takes First VPN offline — Securityaffairs.Co · 2026-05-21
  Police seized First VPN in a global crackdown, exposed its cybercrime users, and shut down infrastructure tied to ransomware and data theft. A major international law enforcement operation has taken F…
Timeline
- 2021-12-01 — Investigation into First VPN launched: French and Dutch authorities began investigating First VPN, focusing on its use by cybercriminals.
- 2023-11-01 — Joint Investigation Team established: A Eurojust Joint Investigation Team was formed to coordinate prosecutorial strategies across jurisdictions.
- 2026-05-19 — Operation Saffron action days: Law enforcement agencies conducted coordinated actions to dismantle First VPN, seizing servers and domains.
- 2026-05-20 — First VPN administrator arrested: The administrator of First VPN was arrested during the operation, which involved multiple countries.
- 2026-05-21 — Operation Saffron announced: Europol and participating countries announced the successful takedown of First VPN, highlighting its impact on cybercrime.
Related entities
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Phishing (Attack Type)
- Ransomware (Attack Type)
- First VPN Takedown (Campaign)
- Hansa Dark-web Marketplace Takedown (Campaign)
- Operation Endgame (Campaign)
- Operation Saffron (Campaign)
- Piilopuoti Marketplace Case (Campaign)
- First VPN (Platform)
- Britain (Country)
- Canada (Country)
- Denmark (Country)
- Estonia (Country)
- France (Country)
- Germany (Country)
- Latvia (Country)
- Lithuania (Country)
- Luxembourg (Country)
- Netherlands (Country)
- Poland (Country)
- Portugal (Country)
- Romania (Country)
- Spain (Country)
- Sweden (Country)
- Switzerland (Country)
- Ukraine (Country)
- United Kingdom (Country)
- United States (Country)
- 1vpns.com (Domain)
- 1vpns.net (Domain)
- 1vpns.org (Domain)
- GandCrab (Ransomware Group)
- REvil (Ransomware Group)
- LockerGoga (Malware)
- MegaCortex (Malware)
- Sodinokibi (Malware)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1486 - Data Encrypted for Impact (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- VPN (Tool)