Operation Saffron Dismantles First VPN Used by Ransomware Gangs, Europol Says

An international law-enforcement operation known as "Operation Saffron" dismantled the VPN service "First VPN," which Europol said was promoted on Russian-speaking cybercrime forums as a trusted tool for remaining beyond the reach of law enforcement.

Europol said the coordinated action took place between 19 and 20 May, during which authorities interviewed the administrator and conducted a house search in Ukraine, dismantled 33 servers linked to the criminal service, and disrupted infrastructure used to support cybercriminal activity worldwide.

Computer Weekly

The takedown also shut down target domain names including 1vpns.com, 1vpns.net, and 1vpns.org, and users of the criminal service were notified of the shutdown and informed that they had been identified.

TechCrunch reported that the FBI said "at least" 25 ransomware gangs used the service to hide their malicious activity, and said First VPN operated servers across 27 different countries.

In parallel, Computer Weekly described Operation Saffron as a Franco-Dutch led action supported by Europol and other agencies including the UK’s National Crime Agency (NCA) and private sector partner Bitdefender, with the administrator arrested and interviewed and their home in Ukraine searched.

Europol said "For years, cybercriminals saw this VPN service as a gateway to anonymity," adding that they believed it would keep them beyond the reach of law enforcement.

Edvardas Šileris, head of Europol’s European Cybercrime Centre, said, "This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement," framing the takedown as a direct disruption of criminal operations.

CyberInsider

TechRadar reported that "First VPN" explicitly offered a "secure environment to carry out illegal activities," assuring users it kept zero logs, evaded global jurisdiction, and would never cooperate with authorities.

TechRadar also said the shutdown led to users being directly notified by police that their true identities have been compromised, after investigators infiltrated the network and obtained the platform’s heavily guarded user database.

Hackread similarly reported that authorities seized 33 servers, executed a house search and interview of the alleged administrator in Ukraine, and took offline domains including 1vpns.com, 1vpns.net, and 1vpns.org along with associated onion domains used for anonymous access.

Europol said the gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide.

“This site uses cookies”

Europol

At Europol’s level, the operation produced 83 intelligence packages disseminated, information linked to 506 users shared internationally, and 21 Europol-supported investigations advanced through the intelligence obtained.

Computer Weekly reported that Europol’s coordinating Operational Taskforce (OTF) had already disseminated over 80 intelligence packages worldwide and identified 506 known First VPN users, and said the EU agency had been able to support 21 other investigations thanks to this work.

TechCrunch added that investigators obtained the service’s user database and identified VPN connections, which "exposed thousands of users linked to the cybercrime ecosystem," and said the administrator was arrested and dozens of servers "dismantled" with infrastructure disrupted.

Bitdefender, a private sector partner supporting the action, said it was "extremely pleased with the successful takedown of First VPN" and described the operation as exemplifying collaboration between public and private security sectors to dismantle illegal online activities.