European law enforcement has shut down First VPN, a virtual private network service that Europol says appeared in almost every major cybercrime investigation it has supported in recent years.
The takedown, codenamed Operation Saffron, ran on 19 and 20 May. Investigators led by France and the Netherlands took 33 servers offline across Europe and seized the service’s domains including 1vpns.com, 1vpns.net and 1vpns.org. Authorities in Ukraine questioned the service’s alleged administrator and searched their home at the request of French investigators. The person has not been named. Europol and Eurojust coordinated the operation, with support from Luxembourg, Switzerland, Romania, Ukraine and the United Kingdom.
First VPN was not a consumer privacy product. It was marketed on Russian-speaking cybercrime forums as a way to reroute connections through third parties and frustrate identification. Europol said the service had become embedded in the criminal ecosystem, used to mask activity behind ransomware operations and fraud schemes.
The Servers Were Not the Prize
Taking 33 servers offline is the visible part of the operation. The lasting damage is the data. Investigators obtained First VPN’s user database and matched VPN connections to suspects already of interest in active cases. According to Help Net Security, authorities have so far shared 83 intelligence packages covering 506 users with partner countries and Europol said the wider dataset exposed thousands of users connected to cybercrime.
That distinction matters. Servers can be rebuilt within weeks on new hosting, in a new jurisdiction, under a new name. A user database that ties real network connections to real criminal investigations cannot be undone. Every operator who trusted First VPN to keep them anonymous is now a lead.
A “No-Logs” Promise That Did Not Hold
Services like First VPN sell one thing, the assurance that nothing is recorded and no connection can be traced back to a customer. That promise is the product. Operation Saffron shows it was not kept. Investigators recovered a user database detailed enough to attribute specific connections to named suspects, which means First VPN either logged the activity it claimed to discard or retained far more than its customers were told.
This is the recurring weakness in the criminal anonymity market. A bulletproof VPN is only as reliable as the operator running it and an operator under pressure from law enforcement has every reason to keep records that can later be traded for leniency. Criminals who route their traffic through these services are extending trust to someone they have never met and cannot hold to account.
First VPN sat in the same layer of the cybercrime supply chain as bulletproof hosting providers, infrastructure sold specifically to keep illegal operations running and investigators locked out. Europol has spent several years going after that layer rather than individual gangs, on the logic that shared infrastructure is a single point of failure for many offenders at once.
Criminal VPN Services Have a Short Half-Life
This is not the first criminal VPN Europol has dismantled and the record from earlier operations is not encouraging. In December 2020, a Europol-coordinated action took down Safe-Inet, a service Europol said had been advertised on cybercrime forums for up to $190 a year and was linked to some of the world’s most active ransomware groups. In January 2022, investigators dismantled VPNLab.net which ran on OpenVPN, sold access for around $60 a year and surfaced repeatedly in investigations into ransomware deployments. That operation took 15 servers offline across several countries.
In each case the gap in the market was filled. The operators who lost access moved to competitors and new services were advertised on the same forums within months. First VPN itself moved into a market that earlier takedowns had cleared.
First VPN’s removal will disrupt the criminals who relied on it. Whether it changes their behaviour beyond a few weeks of inconvenience is a separate question and the honest answer is probably not. The intelligence haul is the part of this operation that will still matter in a year. The 506 users already named in intelligence packages, and the thousands more Europol says appear in the wider dataset, are now investigative leads in their own jurisdictions rather than anonymous forum handles.
Users of the service have been notified that their activity was logged and that their identities are known to investigators.
References
- Europe dismantles VPN service used by cybercriminals to hide activity
- Authorities dismantle First VPN, used by ransomware actors (Operation Saffron)
- European authorities take down prolific cybercrime VPN service
- France, Netherlands dismantle VPN linked to cybercrime
- European law enforcement pulls the plug on First VPN
- Europol Newsroom
This post is also available in:
Svenska
Related News
Shadow AI Now Factors in One in Five Data Breaches
One in five data breaches last year involved AI tools that companies did not know their own staff were using. That figure comes from IBM's…
June 2, 2026 Dutch Police Dismantle 17 Million Device Botnet Tied to ASOCKS Proxy Service
Dutch authorities have dismantled a botnet that had recruited 17 million devices into criminal infrastructure without their owners' knowledge. The operation targeted ASOCKS, a residential…
June 1, 2026 Russian Intelligence Is Targeting Swedish Defense Industry to Beat Sanctions
Russia's intelligence services are running a coordinated campaign to acquire Western technology through fake companies, cyberattacks, and recruited intermediaries, and Sweden's defence industry is explicitly…
June 1, 2026 
GCHQ Chief Warns AI Is Being Weaponised Just Below the War Threshold
Artificial intelligence is being turned into a weapon that operates just below the threshold of open war, the head of GCHQ warned on Wednesday, and…
May 29, 2026