French and Dutch authorities have shut down First VPN, a service widely used by cybercriminals to hide their online activity while carrying out ransomware attacks, phishing campaigns, and other illegal operations.
The operation, dubbed Operation Saffron by authorities, was carried out with support from Europol and Eurojust and also gave investigators access to user data that could now be used to identify people linked to criminal activity.
According to Europol, First VPN promoted itself on Russian-speaking cybercrime forums as a reliable way for criminals to stay anonymous online. The service offered anonymous payments, concealed infrastructure, and systems designed to help users avoid law enforcement scrutiny while running cyber operations.
Over time, the VPN became heavily linked to ransomware groups, fraud networks, and data theft campaigns. Investigators said the service appeared in many major cybercrime cases supported by Europol in recent years, giving attackers a way to hide both their identities and the servers used during attacks.
Administrator Arrested and Servers Seized
The coordinated action, as per Europol’s press release, took place between 19 and 20 May 2026 and focused on dismantling the infrastructure behind the service. Authorities in Ukraine interviewed the alleged administrator and carried out a house search while investigators seized 33 servers connected to the operation.
Several domains linked to the service were also taken offline, including 1vpns.com, 1vpns.net, and 1vpns.org, along with associated onion domains used for anonymous access. Users attempting to access the service were informed that the platform had been seized and that investigators had identified them.
Data of Thousands of First VPN Users Now with Authorities
The investigation itself began in December 2021, when authorities started working with Europol’s European Cybercrime Centre to gain access to the VPN service and examine its internal systems. Investigators later obtained the user database and traced VPN connections allegedly used to hide cybercrime activity.
That access appears to have produced one of the most valuable parts of the operation. Europol said the seized intelligence exposed thousands of users connected to the cybercrime infrastructure and generated investigative leads linked to ransomware attacks, online fraud schemes, and other serious offences.
With the infrastructure dismantled and the alleged administrator now under arrest, investigators are continuing to examine the seized data for links to cybercrime operations active in multiple countries.
Industry Reaction
Michael Jepson, Head of Penetration Testing at CybaVerse, said law enforcement agencies are putting more attention on the infrastructure that enables cybercrime, not only the people carrying out attacks.
“Targeting not only individual criminals and groups but also their infrastructure is becoming one of the most vital fronts in the international battle against cybercrime,” Jepson said.
He explained that services such as First VPN act as the foundation for many criminal operations because they allow threat actors to hide systems used for attacks and avoid identification. Providers operating in permissive jurisdictions can be difficult to investigate, especially when they refuse to cooperate with foreign legal requests.
That is one reason why infrastructure takedowns have become increasingly valuable to investigators. Removing services used by many cybercriminal groups can disrupt operations at once, forcing attackers to move servers, rebuild systems, and reassess their exposure after customer data is seized.
Jepson added that these operations often generate intelligence far beyond the initial target.
“Moreover, as has happened here, these operations often contain large amounts of data on thousands of criminals and threat actors, which authorities can leverage for further investigation and prosecution,” he said.
Good News in the Fight Against Cybercrime
Cybercriminals can easily move their infrastructure from one server to another or switch between VPN providers when a service gets exposed. Still, investigators gaining access to First VPN’s user database could create serious problems for people who used the platform to hide ransomware operations, fraud schemes, and other illegal activity. Authorities can now use that information to identify suspects, connect activity to specific users, and support future arrests.
The operation also involved law enforcement agencies from 16 countries, including France, the Netherlands, Ukraine, the United Kingdom, Luxembourg, Romania, Switzerland, Canada, Germany, and the United States. That level of international coordination makes it easier for investigators to share intelligence, pursue suspects in multiple countries, and avoid the delays that often affect cross-border cybercrime cases.
This is also one of several major cybercrime operations carried out by Europol in recent months. In January 2026, the agency helped arrest 34 suspected members of the Black Axe criminal network in Spain. The group was accused of stealing millions of euros through online romance scams, business email fraud, and money laundering operations.
A few months later, in March 2026, Europol seized LeakBase, a well-known cybercrime forum used to trade stolen data and leaked credentials. Investigators said the platform had more than 140,000 members before it was dismantled.
Then in April 2026, Europol worked with international partners during Operation PowerOFF, an effort targeting DDoS-for-hire platforms. Authorities arrested suspects, seized more than 53 domains, and sent warning notices to roughly 75,000 users linked to the services, warning them against taking part in cybercrime activity.
More information about Europol’s recent operations is available here.
