Europol-Led Operation Shuts Down ‘First VPN’ Used by Cybercriminal Networks
Published
Key Takeaways
- First VPN Takedown: Europol-led operation seized 33 servers and exposed hundreds of suspected cybercriminal users globally.
- International Investigation: Authorities from seven countries coordinated Operation Saffron after investigating the VPN network since 2021.
- Seized Data Impact: Intelligence gathered from seized infrastructure is supporting 21 ongoing cybercrime investigations across multiple countries.
A major international law enforcement operation has dismantled ‘First VPN,’ a VPN service allegedly used by ransomware gangs and cybercriminals to hide their online activities. The crackdown, carried out under “Operation Saffron,” was coordinated by Europol and Eurojust with support from authorities across seven countries.
The operation resulted in the seizure of 33 servers and the shutdown of several domains linked to the service, including 1vpns.com, 1vpns.net, 1vpns.org, and related onion websites. Authorities also conducted a house search and questioned a key suspect in Ukraine between May 19 and 20.
According to Eurojust, the platform openly promoted itself as a secure service for illegal activities. It reportedly promised users complete anonymity by claiming it kept no logs, operated outside international jurisdiction, and would never cooperate with law enforcement agencies.
VPN services are commonly used by regular internet users for online privacy, secure browsing on public Wi-Fi, or accessing geo-restricted content. However, investigators say ‘First VPN’ was designed specifically to support criminal operations, including ransomware attacks, online fraud, and data theft.
Operation Saffron Exposed Thousands of Users
Authorities say the VPN service was heavily promoted on Russian-speaking cybercrime forums and had become widely used within the cybercriminal ecosystem. Europol noted that the platform appeared in several major cybercrime investigations it had supported in recent years.
The investigation into the network began in December 2021. A Joint Investigation Team was later established by Eurojust in November 2023 to coordinate efforts among participating countries. Agencies involved included the Paris Prosecution Office in France, the Dutch National High Tech Crime Unit, and the UK’s National Crime Agency.
Eurojust stated that it organized 16 coordination meetings to help prepare the multinational operation and manage the legal complexities involved in the investigation.
Investigators were eventually able to infiltrate the VPN network and gain access to its user database. As a result, many individuals who believed they were operating anonymously through the service have reportedly been identified and directly contacted by law enforcement agencies.
Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said cybercriminals had long viewed the service as a safe way to avoid detection. He added that the takedown removed a key layer of protection relied upon by criminal groups to communicate and operate online.
Seized Data Now Supporting Ongoing Investigations
The impact of the operation is expected to continue as investigators review the large amount of traffic and infrastructure data seized during the raid. Cybersecurity company Bitdefender also assisted authorities during the investigation.
Europol confirmed that the seized information has already led to the creation of 83 intelligence packages and helped identify 506 users across different countries. The data has also contributed to 21 active cybercrime investigations currently supported by Europol.
Michael Jepson, Head of Penetration Testing at cybersecurity consulting firm CybaVerse, said the intelligence gathered from the operation could help authorities track additional criminal infrastructure and launch further investigations linked to activities carried out through the VPN service.
The operation also highlights the growing focus of international law enforcement agencies on services that provide anonymity to cybercriminals. While VPN technology remains an important tool for online privacy and security, authorities continue to target platforms they believe are being used to support illegal activities.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular