Threat Intelligence

‘First VPN’ service used by cybercriminals dismantled in international operation

(Adobe Stock)

French and Dutch authorities, with support from Europol and Eurojust, have shut down First VPN, a service extensively used by cybercriminals to conceal their illicit activities, including ransomware attacks and phishing campaigns. The operation, codenamed Operation Saffron, has also provided investigators with access to user data, potentially identifying individuals linked to criminal operations, as reported by HackRead.

First VPN marketed itself on Russian-speaking cybercrime forums as a reliable tool for anonymity, offering features like anonymous payments and concealed infrastructure to help users evade law enforcement. The service became closely associated with ransomware groups, fraud networks, and data theft campaigns, appearing in numerous major cybercrime cases supported by Europol. The operation, conducted between May 19 and 20, 2026, involved Ukrainian authorities arresting the alleged administrator and seizing 33 servers. Several associated domains and onion domains were also taken offline, displaying a seizure notice to users.

The investigation, which began in December 2021, yielded a user database exposing thousands of connections to cybercrime infrastructure, providing crucial leads for ongoing investigations into ransomware attacks, online fraud, and other serious offenses across multiple countries. This takedown highlights a growing trend of law enforcement targeting the infrastructure that enables cybercrime, not just the perpetrators themselves.

Source: HackRead

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds