In a significant victory for international law enforcement, authorities from seven countries have successfully dismantled a criminal virtual private network known as ‘First VPN’. This network, linked to various global cybercrimes, was taken down in a coordinated operation conducted on May 19 and 20, 2026.
Operation Saffron: A Coordinated Effort
The operation, termed Operation Saffron, was spearheaded by French and Dutch authorities with support from Europol and Eurojust. The joint effort led to the seizure of 33 servers, the closure of numerous domains, and the identification of thousands of cybercriminal users. This operation marks a significant blow against cybercrime infrastructure.
First VPN operated primarily through domains containing ‘1vpns’ in their URLs, such as 1vpns.com, 1vpns.net, and 1vpns.org, as well as associated onion sites. Unlike typical VPN services that cater to privacy-focused individuals, this service specifically targeted cybercriminals by promoting itself on underground and Russian-speaking cybercrime forums.
Implications for Cybercriminal Activity
The VPN service promised anonymity and non-cooperation with judicial authorities, claims that were later proven false by investigators. Europol revealed that First VPN was involved in nearly every major cybercrime investigation they supported. It facilitated ransomware attacks, system hacks, fraud, and global account compromises by offering anonymous payments and hidden infrastructures.
The case began when Eurojust initiated a formal investigation in May 2022, following the service’s identification on criminal forums. By November 2023, a joint investigation team was formed, enabling French and Dutch investigators to collaborate closely and share intelligence.
Outcomes and Future Implications
As the investigation progressed, several countries joined the effort, leading to the execution of multiple European Investigation Orders and Mutual Legal Assistance requests. Investigators gained covert access to First VPN’s infrastructure, intercepting live criminal traffic, which demonstrated the service’s vulnerability.
An operational task force was established at Europol, involving investigators from 16 countries to analyze seized data. The task force shared 83 intelligence packages and identified 506 specific users whose data was distributed to partner agencies worldwide. The joint action resulted in significant outcomes, including the seizure of servers, domain shutdowns, and the public identification of IP addresses.
The successful takedown, which included questioning a suspect in Ukraine, delivers a strong message to criminal infrastructure providers. Europol emphasizes that removing such services eliminates a critical layer of protection for criminals, disrupting their operations and communication.
The operation underscores the importance of international collaboration in combating cybercrime and highlights the ongoing efforts to dismantle criminal networks. This achievement serves as a warning to those who exploit technology for illegal activities, reinforcing the commitment of global law enforcement agencies to securing cyberspace.
