- Authorities from seven countries took down ‘First VPN’ and seized 33 servers
- The VPN was heavily marketed as a safe haven for ransomware operators
- The takedown led to the exposure of thousands of cybercriminals
A coalition of European law enforcement agencies has successfully taken down a massive virtual private network (VPN) that allegedly served as a digital shield for ransomware gangs and cybercriminals. The joint operation, coordinated by Europol and Eurojust, was carried out by the criminal service known as ‘First VPN’.
While ordinary consumers use the VPN services to protect their privacy on public Wi-Fi or securely stream their favorite geo-blocked content, ‘First VPN’ seems to be purpose-built for the criminal underworld. The platform expressly offered a “secure environment to carry out illegal activities”, according to Eurojust, and assured its users that it kept zero logs, avoided global jurisdiction and would never cooperate with authorities.
That promise collapsed between 19 and 20 May. In a coordinated strike dubbed “Operation Saffron,” police from seven countries seized 33 servers, shut down the platform’s primary web domains (including 1vpns.com, 1vpns.net, 1vpns.org, and related onion-house searches), and conducted an interview with a key house in Ukraine.
TechRadar has contacted Europol and Eurojust for further comment, a spokeswoman said they were “unable to provide further details at this time as the investigations are currently ongoing.”
For regular users, the removal of this rogue provider is a huge win. Cybercriminals relied heavily on ‘First VPN’ to mask their true locations while launching crippling ransomware attacks, stealing consumer data and orchestrating large-scale fraud.
Removing this layer of anonymity leaves these bad actors exposed, making the digital landscape significantly safer for the general public.
Exposing the criminal underworld
Marketed heavily on Russian-speaking cybercrime forums, ‘First VPN’ had become a regular tool for digital thieves. It was so deeply embedded in the malicious ecosystem that, according to Europol, the service “appeared in almost every major cybercrime investigation supported by Europol in recent years.”
The operation to dismantle the network began gathering steam back in December 2021. Pooling resources across a joint investigation team established by Eurojust in November 2023, and involving heavy figures such as the French Prosecutor’s Office in Paris, the Dutch National High-Tech Crime Unit and the UK’s National Crime Agency, authorities managed to infiltrate the network before pulling the plug.
Eurojust played a crucial role in navigating the complex legal landscape and hosted 16 coordination meetings to prepare for the sting — the organization explains in an official statement.
This stealthy, multinational infiltration allowed investigators to get hold of the platform’s heavily guarded user database. As a result, users of the crime service who thought they were surfing anonymously have now been directly notified by the police that their true identity has been compromised.
“For years, cybercriminals saw this VPN service as a gateway to anonymity,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre. “They thought it would keep them out of reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.”
A treasure trove of cybercrime intelligence
The fallout from Operation Saffron has only just begun. With the infrastructure dead and the suspected administrator facing questioning, authorities across multiple jurisdictions are now sifting through a mountain of seized traffic data. The operation also received crucial assistance from cybersecurity firm Bitdefender.
The intelligence service has been monumental. Europol confirmed that the collected data has already generated 83 intelligence packages and exposed 506 specific users internationally. Furthermore, this treasure trove of traffic records has actively fueled 21 ongoing Europol-backed cybercrime investigations.
Michael Jepson, head of penetration testing at cybersecurity consultancy CybaVerse, told TechRadar that the data collected from this takedown “will fuel follow-up investigations into activity conducted via First VPN and help target additional illicit infrastructure.”
The removal also serves as a stark reminder that while VPN technology is essential to legitimate online privacy and security, criminal networks that attempt to misuse the technology to accommodate illegal activities remain in the crosshairs of global law enforcement.
