First VPN, a virtual private network service marketed to cybercriminals, promising anonymity for its users, was taken offline on May 19 and 20 as part of Operation Saffron.
During the operation, French and Dutch authorities, with support from Europol and Eurojust, dismantled 33 servers linked to the service and interviewed the operator in Ukraine.
The targeted domain names were shut down through international cooperation between law enforcement and judicial authorities. The seized domains included 1vpns.com, 1vpns.net, 1vpns.org, and related .onion domains.
“Before the service went offline, the police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe,” the Dutch Police said.
“All users of this service have received a message stating that the VPN service has been taken offline and they have been identified as the user of the service.”
How First VPN operated
First VPN helped users conceal their identities and hide online activity linked to cybercrime, the authorities claim.
The operator maintained they would not cooperate with judicial authorities, that the service was not subject to any jurisdiction, and that it did not store user data.
Investigators said the service had been operating since 2014 and had been used by more than 5,000 accounts. The platform advertised exclusively on cybercriminal forums, the French Public Prosecutor stated, and offered different pricing tiers depending on the complexity of the connection relays.
Investigation and international cooperation
The investigation began in December 2021 after authorities repeatedly found that the VPN service had been used in crimes affecting French victims.
“The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide,” Europol said.
Authorities shared 83 intelligence packages concerning 506 users with partner countries. Investigators said that the operation produced information relevant to ransomware investigations, including cases linked to the Phobos RaaS outfit.
“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement,” Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said.
