- Authorities in seven countries took down ‘First VPN’ and confiscated 33 servers
- The VPN was heavily marketed as a safe haven for ransomware operators.
- The takedown left thousands of cybercriminals exposed
A coalition of European law enforcement agencies has successfully taken down a massive virtual private network (VPN) that was allegedly serving as a digital shield for ransomware gangs and cybercriminals. The joint operation, coordinated by Europol and Eurojust, involved the dismantling of the criminal service known as ‘First VPN’.
While everyday consumers use VPN services to protect their privacy on public Wi-Fi or securely stream their favorite geo-blocked content, the ‘First VPN’ appears to have been tailor-made for the criminal underworld. The platform explicitly offered a “safe environment to carry out illegal activities”, according to Eurojust, assuring its users that it kept no logs, evaded global jurisdiction and would never cooperate with authorities.
That promise collapsed between May 19 and 20. In a coordinated attack dubbed “Operation Saffron,” police in seven countries seized 33 servers, shut down the platform’s main web domains (including 1vpns.com, 1vpns.net, 1vpns.org and associated onion sites), and executed a house search and interview of a key suspect in Ukraine.
TechRadar has contacted Europol and Eurojust for further comment; A spokeswoman said they were “unable to provide further details at this time as investigations are currently ongoing.”
For everyday users, the removal of this rogue provider is a big win. Cybercriminals relied heavily on ‘First VPN’ to mask their true locations while launching devastating ransomware attacks, stealing consumer data, and orchestrating large-scale fraud schemes.
By removing this layer of anonymity, these bad actors are exposed, making the digital landscape significantly safer for the general public.
Unmasking the criminal world
Intensely marketed on Russian-speaking cybercrime forums, the ‘First VPN’ had become a staple tool for digital thieves. It was so deeply embedded in the malicious ecosystem that, according to Europol, the service “appeared in almost all major cybercrime investigations supported by Europol in recent years.”
The operation to dismantle the network began to gather steam in December 2021. By pooling resources through a Joint Investigation Team established by Eurojust in November 2023, and involving heavyweights such as the French Prosecutor’s Office in Paris, the Netherlands’ National High-Tech Crime Unit, and the United Kingdom’s National Crime Agency, authorities successfully infiltrated the network before taking it offline.
Eurojust played a key role in navigating the complex legal landscape, organizing 16 coordination meetings to prepare for the covert operation, the organization explains in an official statement.
This stealthy, multinational infiltration allowed researchers to obtain the platform’s heavily guarded user database. As a result, police have directly notified criminal service users who thought they were browsing anonymously that their true identities have been compromised.
“For years, cybercriminals saw this VPN service as a gateway to anonymity,” said Edvardas Šileris, director of Europol’s European Cybercrime Centre. “They believed it would keep them out of the hands of authorities. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals relied on to operate, communicate and evade law enforcement.”
A goldmine of cybercrime intelligence
The consequences of Operation Saffron are just beginning. With the infrastructure dead and the alleged administrator facing questioning, authorities in multiple jurisdictions are now sifting through a mountain of seized traffic data. The operation also received crucial assistance from cybersecurity company Bitdefender.
The haul of intelligence has been monumental. Europol confirmed that the data collected has already generated 83 intelligence packages and unmasked 506 specific users internationally. Additionally, this treasure trove of traffic records has actively advanced 21 ongoing cybercrime investigations supported by Europol.
Michael Jepson, head of penetration testing at cybersecurity consultancy CybaVerse, told TechRadar that the data collected from this takedown “will drive follow-up investigations into activity conducted through First VPN and help attack more illicit infrastructure.”
The removal also serves as a stark reminder that while VPN technology is vital to legitimate online privacy and security, criminal networks attempting to misuse the technology to host illegal activity remain firmly in the crosshairs of global law enforcement.
