European authorities have dismantled First VPN, a long-running virtual private network service allegedly tailored to cybercriminals and used by ransomware crews and fraudsters to mask their operations, in a cross-border takedown that seized dozens of servers and key domains. The coordinated action, codenamed Operation Saffron, was led by France and the Netherlands with support from Europol and Eurojust, and unfolded between 19 and 20 May, according to a Europol announcement.
Investigators say First VPN marketed itself for nearly a decade on Russian-speaking cybercrime forums as a “bulletproof” anonymity service and had become deeply embedded in the tooling of at least 25 ransomware groups and other criminal actors. The service allegedly facilitated activities ranging from network intrusions and data theft to phishing campaigns, credential stuffing, DDoS attacks and infrastructure reconnaissance, according to Europol and coverage from Help Net Security and The Record. Authorities estimate more than 5,000 user accounts cycled through the platform, many paying in cryptocurrency and using pseudonymous registration data.
Operation Saffron targeted 33 servers believed to underpin the First VPN infrastructure, including exit nodes that investigators say were routinely observed in connection with high-impact ransomware incidents and financial fraud. French and Dutch authorities, working with partners in Canada, Germany, Lithuania, Romania and Ukraine, seized or dismantled servers and infrastructure in multiple jurisdictions and took down a cluster of domains associated with the service, including 1vpns.com, 1vpns.net, 1vpns.org and related .onion hidden services, Europol said. The alleged administrator of First VPN was interviewed in Ukraine, and digital evidence was collected for further analysis, according to CyberScoop’s reporting.
Unlike consumer VPN providers that pitch broadband users on privacy and streaming access, First VPN allegedly advertised features explicitly aimed at evading law enforcement and abuse handling, including anonymous payment options, multi-hop routing through jurisdictions seen as uncooperative with Western authorities, and infrastructure tuned to resist takedown requests. Europol described the service as a “cybercrime facilitation tool” that had become a staple for ransomware affiliates and other threat actors seeking to break investigative chains, echoing previous infrastructure-focused operations such as the takedowns of bulletproof hosting providers and the LockBit ransomware disruption coordinated by the U.S. and international partners.
For defenders, the takedown offers a rare but temporary reduction in attacker tooling rather than a structural solution. Security teams that maintain threat intelligence feeds and blocklists should review indicators tied to First VPN infrastructure published in official notices or shared by trusted ISACs, but they should also anticipate rapid migration by threat actors to alternative VPNs, proxy chains and compromised residential or cloud hosts. Analysts note that many intrusion sets already employ multiple layers of infrastructure for resilience, so defenders are unlikely to see a dramatic or lasting drop in malicious traffic. Network defenders are better served by reinforcing fundamentals such as multi-factor authentication, strict egress controls, behavioral anomaly detection and rapid log analysis than by relying on the disruption of any single VPN service.
Law enforcement officials framed Operation Saffron as part of a broader strategy to disrupt cybercrime “enablers” by attacking the services that underpin ransomware and fraud operations, rather than only focusing on individual operators or affiliates. Authorities signaled that users of First VPN should not expect anonymity, warning that seized servers and registration data could be mined to support future cases. For organizations investigating past incidents, IP addresses, timestamps and other artifacts that resolve to former First VPN infrastructure may become valuable leads when cross-referenced against law enforcement disclosures and commercial threat intelligence, even as criminal groups inevitably shift to fresh channels to obscure their tracks.
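The cross-referencing step described above can be sketched as a time-bounded retro-hunt. This is an added example, not code from Europol or any cited outlet. The indicator ranges are RFC 5737 documentation addresses, and the activity windows, log format and user names are constructed assumptions. It goes slightly beyond a plain blocklist match by discarding IP matches that fall outside the window in which a range was attributed to the service.

```python
import csv, io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed indicators: RFC 5737 documentation ranges, invented active windows.
INDICATORS_CSV = """cidr,first_seen,last_seen
192.0.2.0/28,2024-01-01T00:00:00+00:00,2025-05-20T23:59:59+00:00
198.51.100.77/32,2024-09-15T00:00:00+00:00,2025-05-20T23:59:59+00:00
"""

# Constructed remote-access log: timestamp, user, source IP, result.
SAMPLE_LOG = """2025-03-02T04:11:09+00:00 svc-backup 192.0.2.9 SUCCESS
2025-03-02T04:12:40+00:00 jdoe 203.0.113.5 SUCCESS
2023-11-30T10:00:00+00:00 asmith 198.51.100.77 FAILURE
2025-02-18T22:47:31+00:00 asmith 198.51.100.77 FAILURE
2025-06-01T08:00:00+00:00 jdoe 192.0.2.3 SUCCESS
not a log line
"""

def load_indicators(text):
    return [(ip_network(r["cidr"]),
             datetime.fromisoformat(r["first_seen"]),
             datetime.fromisoformat(r["last_seen"]))
            for r in csv.DictReader(io.StringIO(text))]

def retro_hunt(log_text, indicators):
    """Return (hits, skipped): hits are events whose source IP fell inside an
    indicator range while that range was attributed to the service."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts_raw, user, src_raw, result = line.split()
            ts, src = datetime.fromisoformat(ts_raw), ip_address(src_raw)
            if ts.tzinfo is None:  # naive timestamps cannot be compared safely
                raise ValueError("timestamp lacks a UTC offset")
        except ValueError:
            skipped += 1
            continue
        for net, start, end in indicators:
            # An IP match outside the window is likely a reassigned address.
            if src in net and start <= ts <= end:
                hits.append({"time": ts_raw, "user": user, "src": src_raw,
                             "result": result, "indicator": str(net)})
                break
    # Successful logins first: they imply valid credentials were used.
    hits.sort(key=lambda h: (h["result"] != "SUCCESS", h["time"]))
    return hits, skipped
```

The skipped count is worth reporting alongside the hits, since unparsed lines are events the hunt never evaluated.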