In a landmark international law enforcement operation, authorities from seven countries dismantled “First VPN” — a criminal virtual private network explicitly designed for cybercriminals and linked to ransomware attacks, fraud, and hacking campaigns worldwide. The coordinated action, dubbed Operation Saffron, took place on May 19 and 20, 2026, resulting in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of criminal users.
What Was First VPN?
First VPN — operating primarily through domains containing “1vpns” in the URL, including 1vpns.com, 1vpns.net, 1vpns.org, and associated onion (dark web) domains — was no ordinary VPN service. Rather than catering to privacy-conscious consumers, the service explicitly targeted cybercriminals by advertising on well-known underground and Russian-speaking cybercrime forums.
The platform openly promised its users that it would not cooperate with any judicial authority, would not store user data, and would not fall under any jurisdiction — claims that, as investigators later proved, were entirely false. According to Europol, First VPN appeared in almost every major cybercrime investigation the agency supported, facilitating ransomware attacks, hacking of computer systems, fraud schemes, and account compromises on a global scale.
The service provided anonymous payment options and hidden infrastructure specifically designed for criminal use, making it a trusted tool for threat actors seeking to evade law enforcement detection. By masking their true IP addresses and routing malicious traffic through its servers, criminals used First VPN as a critical shield for operations that caused significant harm to victims worldwide.
Operation Saffron: How the Takedown Unfolded
The case originated when Eurojust opened a formal file in May 2022 at the request of French authorities, after the service was identified on known criminal forums. The investigation developed steadily over three years before culminating in the May 2026 takedown.
A joint investigation team (JIT) was formally established in November 2023, enabling French and Dutch investigators to pool evidence, share intelligence, and align on a joint prosecutorial strategy. As the investigation expanded, more countries joined, leading to the execution of multiple European Investigation Orders (EIOs) and Mutual Legal Assistance (MLA) requests coordinated through Eurojust.
Crucially, investigators gained covert access to First VPN’s infrastructure before the service went offline, intercepting live criminal traffic from users who falsely believed their operations were fully encrypted and anonymous. This intelligence-gathering phase allowed authorities to build comprehensive dossiers on the service’s users before executing the final takedown.
Results of the Joint Action
The joint action on May 19 and 20, 2026 produced significant results across multiple fronts:
- 33 servers across 27 countries were seized and dismantled
- Domains 1vpns.com, 1vpns.net, 1vpns.org, and associated onion sites were shut down
- First VPN’s administrator was questioned in Ukraine at the request of French authorities
- 65 IP addresses were publicly identified and posted online as part of a broader warning effort
- 506 specific users were identified, with intelligence packages distributed to partner agencies worldwide
- 83 intelligence packages were produced and shared with ongoing international investigations
- All identified users were formally notified that the VPN had been shut down and that they had been flagged
International Coordination
An Operational Taskforce (OTF) was established at Europol, bringing together investigators from 16 countries to analyze seized data and coordinate response. The countries directly participating in the joint action included France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom. Additional support was provided by Spain, Sweden, Canada, Germany, and the United States.
The joint action was led by French and Dutch authorities and supported by both Europol and Eurojust, showcasing the increasingly sophisticated international collaboration that has enabled a string of high-profile cybercrime takedowns in recent years.
Why This Takedown Matters
Criminal VPN services represent a critical layer of the cybercriminal infrastructure ecosystem. By providing anonymity and jurisdictional ambiguity, they enable ransomware operators, hackers, and fraudsters to operate with significantly reduced risk of attribution. Taking down First VPN removes a tool that was deeply embedded in multiple active criminal operations.
The operation also sends a clear warning to other criminal infrastructure providers. As Europol noted, “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement.” Unlike consumer VPN providers, services that explicitly refuse judicial cooperation and advertise on criminal forums are increasingly being treated as criminal enterprises in their own right.
For cybersecurity defenders, the takedown also highlights the value of intelligence sharing across borders. The covert access gained to First VPN’s infrastructure before the takedown provided investigators with months of criminal traffic data, enabling them to build cases against hundreds of users — not just the service operators. Organizations that may have been targeted by criminals using First VPN should review their logs from the period and consult with threat intelligence providers for indicators of compromise associated with the service.