A virtual private network (VPN) favoured by cyber criminals to mask data exfiltration, fraud, ransomware attacks and other criminality has been dismantled in Operation Saffron, a Franco-Dutch-led action supported by Europol and other agencies, including the UK’s National Crime Agency (NCA), and private sector partner Bitdefender.
The First VPN service was heavily used among Russian-speaking threat actors, and according to Europol, was used in “almost every” major cyber investigation it has undertaken in the past few years. Besides obscuring malicious traffic from law enforcement surveillance, First VPN’s operators are also known to have offered services such as anonymised payments and hidden infrastructure.
“For years, cyber criminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement,” said Edvardas Šileris, head of the European Cybercrime Centre at Europol.
A spokesperson for Bitdefender added: “We are extremely pleased with the successful takedown of First VPN, and congratulate global law enforcement, and all those involved.
“Operation Saffron exemplifies the power of collaboration between the public and private security sector in dismantling illegal online activities, in this case, a VPN service designed to conceal attacks. It also serves a message to criminals who believe the dark web covers their actions and guarantees their anonymity. If they become the target of an international effort, they can’t hide.”
Operation Saffron marks the first time Bitdefender Labs’ virtual Draco Team unit has worked on a counter-VPN action, having previously been involved in a number of other operations including stings on the Hansa dark web marketplace, 2024’s Operation Endgame targeting botnets, and actions against ransomware gangs including GandCrab and its successor REvil.
Multi-year operation
The takedown operation itself – which took place on 19 and 20 May – saw First VPN’s administrator arrested and interviewed, and their home in Ukraine searched, 33 servers dismantled, and wider infrastructure disrupted. Multiple domain names have been shut down and seized, including 1vpns.com, 1vpns.net, 1vpns.org, and some associated Onion domains.
These actions marked the culmination of a four-and-a-half-year investigation dating back to December 2021. During the course of this work, investigators were able to gain access to the First VPN service, obtain a copy of its user database, and identify the VPN connections used specifically by cyber criminals.
This trove of intelligence has both exposed individual users linked to cyber criminality, and generated operational leads connected to past cyber attacks and other digital offences.
Indeed, Europol’s coordinating Operational Taskforce (OTF) has already disseminated over 80 intelligence packages worldwide and identified 506 known First VPN users. The EU agency said it has already been able to support 21 other investigations thanks to this work.
Industry reaction
Responding to the takedown, John Watters, CEO of threat intelligence platform iCounter, said: “This case demonstrates that cyber crime is ultimately an ecosystem problem, not just a malware problem. The infrastructure layer that supports ransomware and fraud operations has become highly commercialised, with threat actors relying on shared services that promise anonymity, resiliency, and protection from law enforcement scrutiny.
“When investigators successfully penetrate those ecosystems, they gain an opportunity to map relationships, operational dependencies, and repeat offender activity across multiple criminal campaigns simultaneously. The operationalisation of that intelligence is critical because it allows defenders and governments to move beyond reactive incident response and toward proactive disruption of adversary infrastructure.”
Watters added: “These services are often some of the limited ways that law enforcement can impact threat actors who are in countries outside their reach. We should expect continued pressure on the enabling services that underpin cybercrime economies globally.”
“Targeting not only individual criminals and groups but also their infrastructure is becoming one of the most vital fronts in the international battle against cyber crime,” said CybaVerse head of penetration testing, Michael Jepson.
“Services like First VPN, alongside similar criminal-friendly VPNs and hosting providers, give threat actors the fundamental scaffolding to launch attacks. These services are often difficult to target because they resist legal complaints and court orders, and typically operate from permissive jurisdictions that rarely cooperate with foreign law enforcement.
“Pursuing individual criminals and groups becomes far harder when their activity is obfuscated and protected by these services,” added Jepson, “[so] shutting down these illicit hosts and VPNs is effective because it disrupts entire networks, and creates a knock-on effect where further criminal groups are disrupted as threat actors have to migrate their operations and reorient in the face of potential exposure.”







