Operation Saffron Dismantles First VPN, Exposing 25 Ransomware Groups
Operation Saffron has dismantled First VPN, a cornerstone anonymization service used by at least 25 ransomware groups since 2014. The international crackdown l…

Operation Saffron, a major international law enforcement effort conducted between May 19 and 20, 2026, has successfully dismantled First VPN. Led by French and Dutch authorities with Europol coordination, the operation took down a criminal anonymization service that had been active since 2014. Linked to at least 25 ransomware groups, the platform served as a primary tool for masking cyberattacks, financial fraud, and data exfiltration. The arrest of the service administrator in Ukraine and the seizure of 33 servers across 27 countries have provided authorities with a massive database of users and traffic logs, fueling 21 active investigations supported by Europol.
- First VPN operated since roughly 2014 with 32 exit nodes across 27 countries, utilizing advanced protocols like VLESS/Reality to camouflage traffic as standard HTTPS.
- The FBI confirmed that at least 25 ransomware groups, including Avaddon, utilized the infrastructure for reconnaissance and network intrusions.
- Bitdefender provided critical intelligence linking 506 specific users to the participating jurisdictions.
- Europol has disseminated 83 intelligence packages to global partners, advancing 21 ongoing investigations; authorities have directly notified identified users of the compromise.
Inside the Architecture of a Criminal Infrastructure
First VPN was not a compromised legitimate service, but a purpose-built infrastructure designed for cybercrime. The service aggressively marketed its reliability on prominent Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is, promising total anonymity, non-cooperation with law enforcement, and immunity from legal jurisdictions. Authorities have since proven these promises hollow by recovering the service's entire user database.
The technical architecture was highly sophisticated, offering multiple protocols including OpenConnect, WireGuard, Outline, OpenVPN ECC, L2TP/IPsec, PPTP, and VLESS TCP Reality. The latter was specifically designed to make VPN traffic look like standard HTTPS, making detection difficult for corporate network monitoring systems and ISPs. The network spanned 32 exit node servers in 27 countries, including three specific IP addresses in the United States: 2.223.66[.]103, 5.181.234[.]59, and 92.38.148[.]58.
The commercial model was both accessible and scalable, with subscriptions ranging from $2 per day to $483 per year. Payments were accepted via Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKassa. The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and their associated Tor onion domains have been dismantled. This low-cost structure allowed the service to attract a broad user base beyond ransomware operators, including those involved in financial fraud and large-scale data theft.
The User Database: A Trove of Investigative Leads
The most damaging blow to the criminal ecosystem is not the loss of the servers themselves, but the nature of the data recovered. First VPN explicitly claimed to maintain a "no-logs" policy—a promise that served as a trust mechanism for users who had no way to verify it. Law enforcement has demonstrated the opposite, seizing a database that TechTimes, citing Europol and Eurojust, reports to contain more than 5,000 criminal accounts. Bitdefender contributed to the effort by sharing information linked to 506 specific users.
"For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement." — Edvardas Šileris, Head of Europol's European Cybercrime Centre
According to The Hacker News, users of the service have been directly notified that First VPN was seized and that their identities have been established. This tactic transforms the compromised infrastructure from a simple operational loss into a psychological and investigative tool, undermining the trust between criminal actors and third-party service providers.
Disrupting the Anonymization-as-a-Service Market
Operation Saffron reflects a strategic shift in international law enforcement: moving from hunting individual ransomware groups to targeting the shared infrastructures that lower operational costs for diverse threat actors. First VPN functioned as a "trust anchor" for the ecosystem—a centralized point of trust that, once compromised, retroactively exposes the entire network of dependencies. The 83 intelligence packages disseminated by Europol and the 21 advanced investigations provide a tangible measure of this operation's success.
Bitdefender framed the impact as follows: "New anonymization services will appear. The economic demand hasn't changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions." Each dismantling increases the cost of transit, pushing criminals toward more expensive self-managed infrastructures or less reliable services with shorter track records.
Michael Jepson, Head of Penetration Testing at CybaVerse, noted via TechTimes that "targeting not only individual criminals and groups but also their infrastructure is becoming one of the most vital fronts in the international battle against cybercrime." The destruction of First VPN confirms that criminal-facing public services have become priority targets.
Defense Priorities and Strategic Remediation
For security organizations, this takedown necessitates specific priority actions:
- Re-evaluate Historical Indicators: Network logs showing connections to or from First VPN's exit node IPs—including the three known U.S. IPs—are now verifiable indicators of compromise (IoCs) and should be subject to retroactive threat hunting.
- Correlate with Known Ransomware Campaigns: Attacks attributed to groups like Avaddon and others identified by the FBI should be re-analyzed for potential entry points or lateral movement mediated by First VPN, especially where C2 infrastructure was previously unmapped.
- Update Threat Intelligence Feeds: The seized domains (1vpns.com, 1vpns.net, 1vpns.org) and their Tor counterparts must be integrated into detection and blocking systems to ensure they are not impersonated or reactivated on alternative infrastructures.
- Strengthen Egress Filtering Policies: The use of VLESS/Reality to mask VPN traffic as HTTPS highlights the limitations of port-based inspection. Organizations should strengthen behavioral traffic analysis and TLS fingerprinting to identify anomalous tunneling patterns.
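The retroactive hunt described in the first and third points above comes down to matching the published indicators against historical logs. The following is an added example written for this page, not code from any of the cited sources: it refangs the three exit node IPs and three domains exactly as the article prints them and scans a handful of constructed firewall, DNS and VPN gateway log lines (the log format and the internal addresses are invented for the example). It matches subdomains of the seized domains as well, since a feed that only matched the bare apex would miss lookups such as a hypothetical api.1vpns.net.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators as published in the takedown reporting, in defanged form.
FIRST_VPN_EXIT_IPS_DEFANGED = ["2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"]
FIRST_VPN_DOMAINS = ["1vpns.com", "1vpns.net", "1vpns.org"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4') back into a matchable value."""
    return indicator.replace("[.]", ".")


EXIT_IPS = {ipaddress.ip_address(refang(i)) for i in FIRST_VPN_EXIT_IPS_DEFANGED}
DOMAINS = {d.lower() for d in FIRST_VPN_DOMAINS}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str  # the published indicator that matched
    kind: str       # "ip" or "domain"
    line: str       # the raw log line, kept for the analyst


def scan_line(line_no: int, line: str) -> list:
    """Return every First VPN indicator found in a single log line."""
    hits = []
    for token in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:  # e.g. "999.1.1.1" passes the regex but is not an address
            continue
        if addr in EXIT_IPS:
            hits.append(Hit(line_no, str(addr), "ip", line))
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        # Match the seized apex domains and any subdomain beneath them.
        for d in DOMAINS:
            if h == d or h.endswith("." + d):
                hits.append(Hit(line_no, d, "domain", line))
                break
    return hits


def scan_logs(lines) -> list:
    """Scan an iterable of log lines; line numbers are 1-based like most log viewers."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample log lines (hypothetical internal hosts and a made-up format).
SAMPLE_LOGS = [
    "2026-05-12T08:14:03Z fw allow src=10.20.30.40 dst=5.181.234.59 dport=443 proto=tcp",
    "2026-05-12T08:14:05Z proxy GET https://updates.example.internal/patch.bin 200",
    "2026-05-12T09:01:17Z dns query=api.1vpns.net type=A client=10.20.30.41",
    "2026-05-12T09:02:44Z fw allow src=10.20.30.40 dst=93.184.216.34 dport=443 proto=tcp",
    "2026-05-13T22:47:10Z vpn-gw inbound src=92.38.148.58 user=svc_backup result=success",
]

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.indicator} :: {h.line}")
```

Two of the five constructed lines are outbound TCP/443 to a known exit node and a DNS lookup under a seized domain; the third is an inbound authentication from an exit node to the organization's own VPN gateway, which is the pattern the article's "lateral movement mediated by First VPN" point asks analysts to look for. Because Reality traffic is indistinguishable from HTTPS at the port level, the destination address and name are the only reliable hooks in historical logs, which is why the scan keys on those rather than on protocol features.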
The Collapse of the "Bulletproof" Hosting Myth
The narrative surrounding criminal anonymization services relied on a facade of structural immunity: non-cooperative jurisdictions, sophisticated evasion, and the absence of logs. Operation Saffron demonstrates that this immunity was temporary, depending entirely on the time required for international investigators to coordinate. The investigation began in December 2021; a Joint Investigation Team was established in November 2023; and the final takedown occurred in May 2026. Cooperation between 18 countries and 16 coordination meetings hosted by Eurojust made this result possible.
For the enterprise cybersecurity sector, the implication is clear: the disruption of shared criminal infrastructure should be treated as a tier-one intelligence event. Every log entry containing traces of First VPN is now potentially actionable. As Bitdefender summarized: "First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement's reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists."
Information has been verified against cited sources and is current as of publication.
Sources
- https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html
- https://www.rescana.com/post/first-vpn-takedown-operation-saffron-dismantles-criminal-vpn-used-by-25-ransomware-groups-2014-2026
- https://www.bitdefender.com/en-us/blog/businessinsights/operation-saffron-bitdefender-joins-first-vpn-takedown
- https://www.techtimes.com/articles/316981/20260521/europol-seizes-first-vpn-user-database-putting-5000-criminal-accounts-risk.htm
- https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/
- https://www.helpnetsecurity.com/2026/05/25/dutch-seize-800-servers-russian-linked-infrastructure/