Europol and law enforcement agencies from 16 countries have dismantled First VPN, a service that marketed itself as privacy-focused but operated as a haven for ransomware actors, phishing campaigns, and data theft rings. The First VPN ransomware takedown, codenamed Operation Saffron, represents one of the largest coordinated takedowns of criminal infrastructure in recent years, exposing the infrastructure behind thousands of cybercriminals and generating investigative leads that will ripple through global law enforcement for months to come.
Key Takeaways
- Europol shut down First VPN, a service used by ransomware gangs and cybercriminals, seizing 33 servers in 27 countries.
- Authorities obtained access to the user database, identifying roughly 75,000 users and generating leads tied to ransomware, fraud, and data theft.
- The investigation began in December 2021 and culminated in the takedown action between May 19 and 20, 2026.
- French and Dutch authorities led the operation with support from Europol, Eurojust, and law enforcement from 14 additional countries.
- More than 53 domains associated with the service, including 1vpns.com, 1vpns.net, and 1vpns.org, were seized.
How First VPN became a criminal infrastructure hub
First VPN operated as a bulletproof service designed specifically for criminals. The platform advertised anonymous payments, concealed infrastructure, and anti-law-enforcement measures on Russian-speaking cybercrime forums, making no pretense about its intended audience. Unlike mainstream VPN providers that market privacy to legitimate users, First VPN positioned itself as a tool for those actively engaged in illegal activity. The service promised to shield ransomware operators, phishing networks, and fraud rings from detection by law enforcement, and it delivered on that promise long enough to accumulate a substantial criminal user base.
The service’s infrastructure was deliberately distributed across multiple countries to evade shutdown. Authorities eventually identified 33 servers spread across 27 nations, each one designed to route traffic through jurisdictions with weak law enforcement cooperation or inadequate cybercrime legislation. This geographic fragmentation is a standard tactic among bulletproof hosting providers, which assume some servers will eventually be seized. By spreading infrastructure across dozens of countries, First VPN operators calculated that law enforcement would struggle to coordinate simultaneous seizures. They were wrong.
The First VPN ransomware takedown operation unfolds
The investigation into First VPN began in December 2021 when French and Dutch authorities initiated contact with Europol’s European Cybercrime Centre. Over more than four years, investigators methodically gained access to the VPN service’s internal systems, inspected its architecture, and obtained copies of the user database. This was not a quick raid—it was a patient, technical operation designed to extract maximum intelligence before taking the service offline.
Between May 19 and 20, 2026, authorities executed Operation Saffron across multiple countries simultaneously. French and Dutch law enforcement took the lead, but the operation involved agencies from 16 countries including the United Kingdom, Germany, Luxembourg, Romania, Switzerland, Canada, and the United States. Ukrainian authorities conducted a house search and interviewed the alleged administrator of the service, though the brief provides no details on whether charges were filed or arrests made beyond the initial interview.
The scale of the takedown was substantial. Authorities seized 33 servers and took down more than 53 domains linked to the service, including the primary domains 1vpns.com, 1vpns.net, and 1vpns.org, as well as associated onion domains accessible only through the Tor browser. When users attempted to access First VPN after the takedown, they encountered a law enforcement seizure notice instead of their usual service login.
What the seized data reveals about ransomware infrastructure
The real prize in Operation Saffron was not the servers or domains—it was the user database. Authorities obtained access to records identifying roughly 75,000 users associated with the platform and issued warning notices to each of them. This intelligence is extraordinarily valuable to law enforcement. The user database connects names, payment information, connection logs, and behavioral patterns to specific criminal activity. Investigators can now cross-reference First VPN user accounts with ransomware samples, phishing campaigns, fraud infrastructure, and data theft operations to identify the individuals behind each attack.
Europol stated that the seized intelligence exposed thousands of users connected to cybercrime infrastructure and generated investigative leads tied to ransomware, online fraud, and other serious offences. This is not hyperbole. A single VPN user account, when correlated with payment records, IP address logs, and behavioral metadata, can unravel an entire criminal network. If that user is a ransomware operator, investigators can trace their attacks back to specific victims. If that user is a phishing coordinator, law enforcement can identify the financial institutions being targeted. The database transforms abstract infrastructure into concrete evidence.
What this means for other bulletproof VPN services
First VPN is not unique. Other bulletproof hosting providers, bulletproof VPN services, and criminal infrastructure platforms operate on similar principles and with similar confidence in their ability to evade law enforcement. What Operation Saffron demonstrates is that this confidence is misplaced. A four-year investigation, international coordination, and patient technical work can dismantle even a geographically distributed, deliberately obscured criminal service. The investigation also shows that law enforcement has the technical capability to access internal VPN systems, extract user databases, and trace connections back to specific criminal activity—a reality that should concern any criminal relying on anonymity services.
The takedown also sends a message to the administrators and investors behind other criminal infrastructure platforms. The longer a service operates, the more data it accumulates, and the more valuable it becomes as a target for law enforcement. First VPN’s four-year operational window before takedown is not a success story—it is a warning. Europol and partner agencies were building a case the entire time.
How many users were identified in the First VPN ransomware takedown?
Authorities issued warning notices to roughly 75,000 users associated with the First VPN platform. Not all of these users were necessarily engaged in criminal activity—some may have been using the service legitimately or unaware of its primary use case. However, investigators have now generated investigative leads from the seized user database and can identify individuals connected to specific ransomware attacks, phishing campaigns, fraud operations, and data theft.
What domains were seized in Operation Saffron?
Authorities took down more than 53 domains linked to First VPN, including 1vpns.com, 1vpns.net, and 1vpns.org, as well as associated onion domains accessible through the Tor browser. When users attempt to access these domains now, they encounter a law enforcement seizure notice instead of the service login page.
How long did the investigation into First VPN take?
The investigation began in December 2021 and culminated in the takedown action between May 19 and 20, 2026—a span of more than four years. During this time, authorities from France, the Netherlands, and other countries worked with Europol’s European Cybercrime Centre to gain access to the VPN service’s internal systems and extract the user database.
Operation Saffron demonstrates that international law enforcement has the patience, technical capability, and coordination infrastructure to dismantle even sophisticated criminal services. For ransomware operators and other cybercriminals who believed First VPN offered genuine protection, the takedown is a sobering reminder that anonymity tools are only as durable as the infrastructure supporting them. The next bulletproof service they migrate to could already be under investigation.
Edited by the All Things Geek team.
Source: Tom's Hardware


