A rack of servers in a dimly lit server room

TL;DR:

  • The takedown: On May 19–20, 2026, Europol’s Operation Saffron seized 33 servers across 27 countries and took down First VPN, a bulletproof VPN service used by at least 25 ransomware groups since 2014. [1][2][3]
  • The investigation: French and Dutch authorities opened the probe in December 2021, formed a joint investigation team in November 2023, and quietly infiltrated the infrastructure before striking. Four years of surveillance before two days of action. [1][2]
  • Who got caught: A Ukrainian administrator was identified and questioned. 506 criminal users were identified and their data shared internationally. 83 intelligence packages were generated for ongoing investigations. [1][2][3]
  • Why it matters: First VPN’s name “came up in almost every major cybercrime investigation” Europol supported. Dismantling the infrastructure doesn’t just catch users: it strips the anonymity layer from active ransomware operations. [1]
  • The pattern: This follows the playbook Europol used against EncroChat, Sky ECC, and ANOM: infiltrate criminal infrastructure, watch, collect evidence, then shut it all down at once.

A VPN Built for Criminals, Priced Like a Streaming Service

First VPN wasn’t hiding what it was. The service advertised on Russian-speaking cybercrime forums. It accepted Bitcoin, Perfect Money, Webmoney, and other payment methods favored by people who don’t want their name on a transaction. Subscriptions started at $2 per day and went up to $483 per year. [2][3]

The sales pitch was simple: we don’t log your data. We don’t cooperate with law enforcement. We ignore legal requests. Europol’s summary put it bluntly: the service “promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority.” [3]

The technical setup was serious. First VPN offered OpenVPN, WireGuard, L2TP/IPSec, and more exotic options like VLESS TCP Reality, a protocol that disguises VPN traffic as ordinary HTTPS browsing. Exit nodes spread across 27 countries. Customer support ran through a self-hosted Jabber server and Telegram. The domains: 1vpns.com, 1vpns.net, 1vpns.org, plus Tor onion addresses for extra anonymity. [3]

Operational since around 2014. That’s a decade of providing cover for ransomware crews, data thieves, and fraud rings.

25 Ransomware Groups. One VPN.

At least 25 ransomware groups used First VPN for network reconnaissance, intrusions, and data exfiltration. That includes Avaddon Ransomware, among others. [3]

Europol didn’t mince words: First VPN’s name “came up in almost every major cybercrime investigation the agency supported.” [1]

That sentence deserves a second read. Not “some investigations.” Not “a few cases.” Almost every major one. A single VPN provider was the anonymity layer for a significant chunk of Europe’s serious cybercrime.

The user base extended beyond ransomware. Europol identified “thousands of users linked to the cybercrime ecosystem”: fraud schemes, data theft, and what the agency called “serious offenses worldwide.” 506 specific users were identified by name, with their information shared across international law enforcement agencies. 83 intelligence packages were generated for ongoing investigations in multiple countries. [1][2]

Four Years of Watching

The investigation started in December 2021. French and Dutch authorities led the initial probe through Europol’s European Cybercrime Centre (EC3). [1][2]

In November 2023, they formalized a joint investigation team. Then they infiltrated the VPN infrastructure. [1]

Think about what that means. For potentially years, law enforcement had access to a service whose entire selling point was that law enforcement couldn’t touch it. Every user who routed traffic through First VPN during that period may have been watched by the exact people they were trying to hide from.

This is the same playbook that took down EncroChat in 2020 (intercepting 100 million encrypted messages from organized crime networks), Sky ECC in 2021 (500 million messages, leading to 1,800+ arrests), and Operation Trojan Shield/ANOM in 2021 (the FBI literally ran an encrypted phone company for criminals). Infiltrate first. Collect everything. Then shut it down and let the arrests cascade.

The strike came on May 19–20, 2026. Sixteen countries participated. 33 servers seized. Domains taken offline. A Ukrainian administrator identified and questioned at his residence. [1][2][3]

The Surveillance Lesson Nobody Wants to Hear

Here’s the uncomfortable part for privacy advocates: this operation is a surveillance success story. Law enforcement spent years inside a criminal network’s infrastructure, collected data on hundreds of users, and used that access to build cases across dozens of countries.

That’s exactly the kind of capability that privacy groups fight when it’s aimed at ordinary people. Mass interception. Infiltration of communications infrastructure. Years-long data collection without targets knowing they’re being watched.

The difference (the critical, load-bearing difference) is that First VPN catered specifically to criminals. Its users weren’t journalists or activists or people living under authoritarian regimes. They were ransomware operators using a service that explicitly advertised its refusal to cooperate with law enforcement.

But the technical capabilities don’t care about intent. The same infiltration methods that compromise a criminal VPN can compromise a legitimate one. Every time Europol demonstrates it can quietly sit inside encrypted infrastructure for years, the question gets louder: where else are they sitting?

The Bulletproof Hosting Problem

First VPN was one node in a larger ecosystem. “Bulletproof” hosting and VPN services are a category: providers who guarantee they won’t respond to takedown requests, law enforcement queries, or abuse complaints. They exist because there’s demand. Ransomware operations need infrastructure that won’t disappear when a victim complains.

Taking down one service doesn’t end the market. Cybercriminals will migrate to alternatives. But each takedown does three things:

  • Disrupts active operations. Ransomware crews who relied on First VPN for ongoing campaigns just lost their anonymity layer mid-operation.
  • Creates intelligence. Those 83 intelligence packages and 506 identified users are leads into other investigations. The network effects ripple outward.
  • Erodes trust. Every bulletproof service that turns out to have been compromised makes criminals wonder about the next one. Paranoia is a force multiplier for law enforcement.

As cybersecurity expert Michael Jepson put it: “Targeting not only individual criminals and groups but also their infrastructure is becoming one of the most vital fronts in the international battle against cybercrime.” [2]

What Comes Next

The arrests haven’t started yet, not in bulk. The Ukrainian administrator was questioned, not charged (publicly, at least). But 506 identified users across multiple countries, 83 intelligence packages distributed to law enforcement agencies worldwide: those are the seeds of future operations. [1][2]

Watch for:

  • Cascading arrests. The EncroChat takedown led to 6,500+ arrests over the following years. Operation Saffron’s 506 identified users will generate their own wave.
  • Ransomware group disruption. Groups that relied on First VPN may scramble to rebuild their infrastructure. Some will make mistakes during the transition.
  • More infrastructure takedowns. Europol has signaled this is a strategic priority. First VPN won’t be the last bulletproof service to fall.
  • The VPN trust question. Legitimate VPN users should be asking hard questions about their own providers. If a VPN can be infiltrated for four years without its operator knowing, what guarantees does “no-logs” actually provide?

The Bottom Line

Operation Saffron is a textbook infrastructure takedown. Patient, methodical, and designed to maximize intelligence collection before the lights go out. Four years of surveillance. Two days of action. 33 servers down. 506 users exposed.

For the ransomware ecosystem, it’s a significant blow to the trust model that makes criminal operations possible. For the rest of us, it’s a reminder that “no-logs” is a promise, not a guarantee, and that law enforcement can sit inside the infrastructure you trust for years before you find out.

Related: VPN Crackdown: When Privacy Tools Become the Target

Sources

  1. BleepingComputer: Police Seize First VPN Service Used in Ransomware, Data Theft Attacks (May 2026)
  2. Hackread: Europol Seizes First VPN, Ransomware Administrator Arrest (May 2026)
  3. The Hacker News: First VPN Dismantled in Global Takedown (May 2026)
  4. Tom’s Hardware: Europol’s Operation Saffron Takes Down First VPN Service (May 2026)