Authorities Have Taken Down “First VPN” Used in Ransomware Attacks
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
In a major international law enforcement success, authorities from seven countries dismantled First VPN, a criminal virtual private network linked to global cybercrime, during a coordinated operation on May 19 and 20, 2026. Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the […] The post Authorities Have Taken Down “First VPN” Used in Ransomware Attacks appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Authorities Have Taken Down “First VPN” Used in Ransomware Attacks
By Guru Baran
May 21, 2026
In a major international law enforcement success, authorities from seven countries dismantled First VPN, a criminal virtual private network linked to global cybercrime, during a coordinated operation on May 19 and 20, 2026.
Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of cybercriminal users.
First VPN operating primarily through domains containing “1vpns” in the URL, including 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains, was no ordinary VPN service.
Rather than catering to privacy-conscious consumers, the service explicitly targeted cybercriminals by advertising on well-known underground and Russian-speaking cybercrime forums.
The platform openly promised its users that it would not cooperate with any judicial authority, would not store user data, and would not fall under any jurisdiction claims that, as investigators later proved, were entirely false.
“First VPN” Taken Down
According to Europol, the first VPN appeared in almost every major cybercrime investigation the agency supported, facilitating ransomware attacks, hacking of computer systems, fraud schemes, and account compromises on a global scale.
The service provided anonymous payments and hidden infrastructure specifically designed for criminal use, making it a trusted tool for threat actors seeking to evade law enforcement detection.
VPN Service Takendown
The case originated when Eurojust opened a formal file in May 2022 at the request of French authorities, after the service was identified on known criminal forums.
A joint investigation team (JIT) was formally established in November 2023, enabling French and Dutch investigators to pool evidence, share intelligence, and align on a joint prosecutorial strategy.
As the investigation expanded, more countries joined, leading to the execution of multiple European Investigation Orders (EIOs) and Mutual Legal Assistance (MLA) requests coordinated through Eurojust.
Critically, investigators gained covert access to First VPN’s infrastructure before the service went offline, intercepting live criminal traffic from users who falsely believed their operations were fully encrypted and anonymous.
VPN Infra (Source: NYM)
An Operational Taskforce (OTF) was established at Europol, bringing together investigators from 16 countries to analyze seized data.
The task force produced 83 intelligence packages shared with ongoing international investigations and identified 506 specific users whose data was distributed to partner agencies worldwide.
The joint action on May 19–20 produced the following outcomes:
33 servers across 27 countries were seized and dismantled
Domains 1vpns.com, 1vpns.net, 1vpns.org, and associated onion sites shut down
A suspect, First VPN’s administrator, was questioned in Ukraine at the request of French authorities
65 IP addresses were publicly identified and posted online
All identified users formally notified of the shutdown and informed that they had been flagged
Participating jurisdictions included France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom, with additional support from Spain, Sweden, Canada, Germany, and the United States.
The takedown sends a clear warning to criminal infrastructure providers. “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement,” Europol stated.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems
Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials
Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections
First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days
Latest News
Cyber Security News
Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials
Cyber Security
Flipper Unveils New Flipper One Modular Linux Cyberdeck
Cyber Security News
P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances
Cyber Security
GitHub Internal Repositories Breached Via Weaponized VS Code Extension
Cyber Security News
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys