Authorities Have Taken Down “First VPN” Used in Ransomware Attacks

An international law enforcement operation spanning seven countries has successfully dismantled First VPN, a criminal virtual private network used by cybercriminals globally. The coordinated action took place on May 19 and 20, 2026.

Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of cybercriminal users.

First VPN operating primarily through domains containing “1vpns” in the URL, including 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains, was no ordinary VPN service.

Rather than catering to privacy-conscious consumers, the service explicitly targeted cybercriminals by advertising on well-known underground and Russian-speaking cybercrime forums.

The platform openly promised its users that it would not cooperate with any judicial authority, would not store user data, and would not fall under any jurisdiction claims that, as investigators later proved, were entirely false.

“First VPN” Taken Down

According to Europol, the first VPN appeared in almost every major cybercrime investigation the agency supported, facilitating ransomware attacks, hacking of computer systems, fraud schemes, and account compromises on a global scale.

The service provided anonymous payments and hidden infrastructure specifically designed for criminal use, making it a trusted tool for threat actors seeking to evade law enforcement detection.

The case originated when Eurojust opened a formal file in May 2022 at the request of French authorities, after the service was identified on known criminal forums.

A joint investigation team (JIT) was formally established in November 2023, enabling French and Dutch investigators to pool evidence, share intelligence, and align on a joint prosecutorial strategy.

As the investigation expanded, more countries joined, leading to the execution of multiple European Investigation Orders (EIOs) and Mutual Legal Assistance (MLA) requests coordinated through Eurojust.

Critically, investigators gained covert access to First VPN’s infrastructure before the service went offline, intercepting live criminal traffic from users who falsely believed their operations were fully encrypted and anonymous.

An Operational Taskforce (OTF) was established at Europol, bringing together investigators from 16 countries to analyze seized data.

The task force produced 83 intelligence packages shared with ongoing international investigations and identified 506 specific users whose data was distributed to partner agencies worldwide.

The joint action on May 19–20 produced the following outcomes:

• 33 servers across 27 countries were seized and dismantled
• Domains 1vpns.com, 1vpns.net, 1vpns.org, and associated onion sites shut down
• A suspect, First VPN’s administrator, was questioned in Ukraine at the request of French authorities
• 65 IP addresses were publicly identified and posted online
• All identified users formally notified of the shutdown and informed that they had been flagged

Participating jurisdictions included France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom, with additional support from Spain, Sweden, Canada, Germany, and the United States.

The takedown sends a clear warning to criminal infrastructure providers. “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement,” Europol stated.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.