A major international cybercrime enforcement operation has successfully dismantled a criminal virtual private network (VPN) service known as “First VPN,” which was widely used by ransomware groups and cybercriminal networks to hide their identities and conduct attacks across the globe.
Operation Saffron and core findings
The coordinated action, codenamed “Operation Saffron,” was led by law enforcement agencies from France and the Netherlands, with support from multiple countries across Europe and North America. The operation targeted infrastructure used for ransomware deployment, data theft, reconnaissance activities, and distributed denial-of-service (DDoS) attacks.
Authorities confirmed that the VPN service had been active since around 2014 and had built a reputation within cybercriminal communities for providing anonymized access to the internet. It was allegedly promoted on underground Russian-speaking cybercrime forums and designed specifically to bypass law enforcement tracking.
Technical features and criminal usage
The service offered multiple VPN protocols, including OpenVPN, WireGuard, and other advanced tunneling systems, along with payment options through cryptocurrencies and digital payment services. Investigators said the platform allowed users to conceal their identities while carrying out ransomware operations and large-scale fraud campaigns.
According to European law enforcement agencies, the VPN infrastructure was used by at least 25 ransomware groups, including well-known cybercriminal organizations involved in global attacks targeting businesses, government systems, and individuals. The service reportedly operated a network of 32 exit nodes across 27 countries, enabling users to route malicious traffic through multiple jurisdictions.
Seizures, domains and user exposure
As part of the takedown, authorities seized 33 servers, interviewed key operators, and took down domains associated with the service. The seized domains included 1vpns.com, 1vpns.net, and 1vpns.org, along with hidden onion services operating on the Tor network.
Officials stated that users of the service have been notified that their identities may now be exposed following the seizure of infrastructure and supporting logs. Investigators also revealed that thousands of users may be linked to criminal activities through data collected during the operation.
Expert analysis and cybercrime impact
Cybersecurity experts say the disruption represents a significant setback for cybercriminal ecosystems that rely heavily on anonymization tools. However, they also caution that similar services are likely to emerge again due to persistent demand from ransomware operators.
A cybersecurity analysis shared by Bitdefender, which assisted in the investigation, noted that dismantling anonymization infrastructure increases operational risk and costs for cybercriminals. The company emphasized that while new VPN services may replace the one taken down, each disruption reduces the operational window available to attackers.
Law enforcement agencies, including the FBI, stated that the VPN service enabled attackers to carry out reconnaissance, infiltration, and data exfiltration while masking their locations. The FBI noted that subscription plans ranged from daily access to annual packages, with payments accepted in Bitcoin and other digital currencies.
The investigation also revealed that the VPN provider claimed to follow a “no logs” policy and promoted itself as completely anonymous and beyond jurisdictional reach. However, authorities say the operation proved that such claims can be misleading when cross-border investigations and coordinated enforcement actions are executed effectively.
Ongoing risks and global cooperation
Security researchers warn that anonymization services like these are often a critical backbone of ransomware operations, enabling threat actors to scale attacks globally without immediate detection. The dismantling of First VPN is therefore seen as a strategic disruption rather than a complete solution to cybercrime.
A cybersecurity researcher at Algoritha Security explained that while VPN takedowns disrupt existing criminal infrastructure, they do not eliminate underlying demand. According to the expert, cybercriminal ecosystems tend to quickly adapt by shifting to alternative anonymization tools, proxy networks, or encrypted communication systems.
Authorities emphasized that the operation demonstrates growing international cooperation in combating cybercrime. Agencies from over a dozen countries participated, including technical support teams, forensic investigators, and intelligence units working together to map the VPN’s infrastructure.
Experts believe the takedown will temporarily reduce the anonymity available to ransomware groups, increasing their exposure and making it easier to track malicious activity. However, they also stress the need for continuous monitoring and proactive defense strategies to counter evolving cyber threats.
The operation is being described as a major milestone in global cybersecurity enforcement efforts, signaling that even long-running anonymization networks are not beyond the reach of coordinated international action.