First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups

Operation Saffron: a Europol-led coalition across 17 countries dismantled First VPN, a criminal anonymization service used by 25 ransomware groups, seizing 33 servers and 5,000 criminal accounts.

Law enforcement agencies across 17 countries have dismantled First VPN, a criminal virtual private network service that provided anonymization infrastructure to at least 25 ransomware groups — including Avaddon Ransomware. The coordinated operation, codenamed Operation Saffron, marks one of the most significant takedowns of criminal internet infrastructure in recent years.

The Operation

The two-day action, conducted on May 19 and 20, 2026, was led by France and the Netherlands and supported by authorities in Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. The result:

  • 33 servers seized across 27 countries
  • Primary domains shut down
  • A Ukrainian administrator arrested
  • The complete user database — over 5,000 criminal accounts — handed to investigators

Europol and Eurojust jointly announced the operation, noting that investigators had been building the case since December 2021.

What First VPN Offered Criminals

First VPN was not a consumer anonymity product — it was purpose-built for criminal use. The service offered anonymous payment methods, hidden infrastructure, and a no-logs policy specifically designed to help paying customers evade law enforcement while conducting:

  • Ransomware attacks and network reconnaissance
  • Large-scale fraud operations
  • Data theft campaigns
  • Denial-of-service attacks
  • Network scanning and target identification

Europol noted that at least 25 ransomware groups relied on First VPN’s infrastructure to obscure their identities and routing during intrusions.

The User Database: A Law Enforcement Windfall

Perhaps the most consequential outcome of Operation Saffron is the complete user database now in investigators’ hands. The holders of more than 5,000 criminal accounts believed themselves protected by First VPN’s assurances of anonymity, a false sense of security that may now expose them to prosecution across multiple jurisdictions.

Europol described this database as a significant intelligence asset that will feed ongoing and future investigations into ransomware operators, fraud networks, and other cybercriminal actors.

Broader Context

The First VPN takedown follows a pattern of law enforcement increasingly targeting criminal infrastructure enablers — not just the end attackers. By dismantling the anonymization layer that dozens of threat groups depended on, Operation Saffron disrupts operational security for a wide swath of cybercriminal activity simultaneously.

For enterprise security teams, the operation is a reminder that threat actors relying on specific anonymization infrastructure may now be exposed or forced to regroup — creating a short-term window of disruption in ransomware operations that relied on First VPN.

Source: The Hacker News | Help Net Security | SC Media