French and Dutch authorities have shut down First VPN, a service widely used by cybercriminals to hide their activity during ransomware attacks, phishing campaigns, and other illegal operations. Subsequently, Europol announced the takedown on May 21, 2026.
The operation, dubbed Operation Saffron, ran with support from Europol and Eurojust. Beyond seizing infrastructure, it gave investigators access to user data that could now identify people linked to criminal activity.
First VPN built its reputation in the underworld. It promoted itself on Russian-speaking cybercrime forums as a reliable way to stay anonymous. The service offered anonymous payments and concealed infrastructure designed to dodge law enforcement. Over time, it became heavily linked to ransomware groups, fraud networks, and data theft campaigns.
The coordinated action took place between May 19 and 20, 2026. Authorities in Ukraine interviewed the alleged administrator and searched his house. Investigators seized 33 servers and took several domains offline, including 1vpns.com and associated dark web addresses. Users who tried to access the service saw a notice that investigators had identified them.
The investigation began in December 2021, when authorities started working with Europol’s European Cybercrime Centre. Investigators later obtained the user database and traced connections used to hide cybercrime. Europol said the intelligence exposed thousands of users and generated leads tied to ransomware, fraud, and other offenses.
The operation involved law enforcement from 16 countries, including France, the Netherlands, Ukraine, Germany, and the United States. It follows other recent Europol actions, including the seizure of cybercrime forum LeakBase in March and Operation PowerOFF in April.
Cybercriminals have a knack for shifting their operations from one server to another or hopping between VPN providers whenever a service is compromised. However, if investigators manage to access First VPN’s user database, it could spell trouble for those who relied on the platform to mask their ransomware activities, fraud schemes, and other illicit actions. With that information in hand, authorities can pinpoint suspects, link activities to specific users, and bolster future arrests.
