
Europol and Eurojust announced Thursday the dismantling of First VPN, a criminal anonymization service that appeared in almost every major cybercrime investigation Europol has supported in recent years. More critically, the operation handed investigators the complete user database of a service with more than 5,000 criminal accounts, whose users believed it was beyond law enforcement's reach. The coordinated operation, codenamed Operation Saffron, was executed over two days on May 19 and 20, 2026, by authorities across seven countries, resulting in the seizure of 33 servers distributed across 27 countries, the shutdown of the service's primary domains, and the arrest of a Ukrainian administrator.
The FBI confirmed in a flash alert published the same day that at least 25 distinct ransomware groups — including Avaddon — used First VPN to hide reconnaissance, intrusions, and command-and-control infrastructure from investigators. Europol's Operational Taskforce has already distributed 83 intelligence packages to partner agencies and shared data on 506 identified users internationally, advancing 21 active Europol-supported investigations. Dutch police said all users of the service had been directly notified that the platform was seized and that they had been identified.
What First VPN Was Built to Do
Unlike legitimate VPN providers, First VPN was openly marketed on Russian-language cybercrime forums — specifically Exploit.in and XSS.is, two of the most prominent underground marketplaces for stolen credentials, hacking tools, and unauthorized system access. The service promised anonymous payments, hidden infrastructure, and servers specifically configured to evade law enforcement scrutiny. Its website stated explicitly that it would not cooperate with any judicial authority, would not store user data, and was not subject to any jurisdiction — claims investigators would spend years disproving.
The FBI's flash alert indicates the service had been operating since approximately 2014. Over more than a decade, it became the anonymization layer for a broad cross-section of the cybercrime economy: ransomware groups used it to obscure command-and-control servers, fraud networks used it to hide exfiltration pipelines, and individual threat actors used it to conduct scanning activity, run botnets, launch denial-of-service attacks, and execute phishing campaigns. Europol said the service's reach was so extensive that it appeared in nearly every major investigation the agency has supported in recent years.
Four-and-a-Half Years to Get Inside
The investigation that ended in this week's takedown started in December 2021, when law enforcement began working with Europol's European Cybercrime Centre to gain internal access to the VPN service. French authorities formally discovered the service advertised on known criminal forums; Eurojust opened a case in May 2022. In November 2023, France and the Netherlands established a Joint Investigation Team — a Eurojust legal mechanism that lets countries pool evidence and coordinate prosecution strategy across borders in real time. Eurojust hosted 16 coordination meetings during the life of the case, and national teams executed multiple European Investigation Orders and Mutual Legal Assistance requests to access the service's traffic data and backend systems.
The result was that when First VPN went offline on May 19–20, investigators already had a copy of its user database and had been monitoring traffic running through the service. Edvardas Šileris, head of Europol's European Cybercrime Centre, said: "For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement."
User Database as Prosecution Engine
The seizure of First VPN's user database transforms what might otherwise be an infrastructure disruption into a long-running prosecution engine. Europol said the intelligence exposed thousands of users connected to the cybercrime ecosystem and generated operational leads tied to ransomware attacks, fraud schemes, and other serious offenses. Of those, data on 506 specific users has already been shared with international law enforcement partners, and 83 intelligence packages have been disseminated globally.
Michael Jepson, Head of Penetration Testing at CybaVerse, said agencies are increasingly prioritizing the infrastructure layer over individual operators. "Targeting not only individual criminals and groups but also their infrastructure is becoming one of the most vital fronts in the international battle against cybercrime," Jepson said, noting that providers operating in permissive jurisdictions can be difficult to investigate when they refuse to cooperate with foreign legal requests. He added that the data seizure multiplied the operation's impact far beyond the service itself: "These operations often contain large amounts of data on thousands of criminals and threat actors, which authorities can leverage for further investigation and prosecution."
The Dutch National Police confirmed that all users of the service had been sent a notification informing them the VPN had been seized and that investigators had identified them — a deliberate deterrence signal designed to destabilize the criminal community that relied on the service.
7 Countries, 16-Nation Task Force
The joint action was executed by authorities in France, Luxembourg, the Netherlands, Romania, Switzerland, Ukraine, and the United Kingdom. France's Paris Prosecution Office and Cybercrime Unit (BL2C), the Netherlands' Team High Tech Crime, the United Kingdom's National Crime Agency, Ukraine's Security Service Cyber Department, and law enforcement agencies from Luxembourg, Romania, and Switzerland all contributed to the joint action days. An Operational Taskforce established at Europol drew in investigators from 16 countries to analyze seized data and coordinate intelligence sharing, with broader international partners including Canada and the United States providing additional support.
Bitdefender's Draco Team — a virtual unit of Bitdefender Labs researchers that has collaborated on law enforcement operations since 2015 — contributed intelligence through Europol that helped expose hundreds of individuals linked to criminal activity. This marks the first VPN-category takedown in Bitdefender's law enforcement collaboration history, extending a track record that includes the Hansa dark-web marketplace operation in 2017, GandCrab decryptors in 2018, and the 2024 Operation Endgame botnet disruption.
Targeting the Supply Chain, Not Just Operators
Operation Saffron is part of a deliberate shift in how law enforcement approaches the ransomware ecosystem. Rather than pursuing individual affiliates — who can be replaced within days — investigators are increasingly targeting the shared services that make ransomware operations viable at scale: bulletproof hosting, cryptocurrency mixers, initial access brokers, and criminal anonymization infrastructure. The January 2026 Black Axe arrests, the March 2026 LeakBase seizure, and April 2026's Operation PowerOFF against distributed denial-of-service-for-hire platforms all follow the same strategic logic.
For cybersecurity practitioners, the takedown delivers two near-term implications. The 25 or more ransomware groups that used First VPN must now find alternative anonymization infrastructure and rebuild operational security around a new provider — a transition that creates detection and attribution opportunities that did not exist when a trusted service was in place. And the seized traffic database means investigators can now trace historical attacks that previously lacked identifiable infrastructure back to specific accounts.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




