CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Authorities Have Taken Down “First VPN” Used in Ransomware Attacks

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

In a major international law enforcement success, authorities from seven countries dismantled First VPN, a criminal virtual private network linked to global cybercrime, during a coordinated operation on May 19 and 20, 2026. Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the […] The post Authorities Have Taken Down “First VPN” Used in Ransomware Attacks appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Authorities Have Taken Down “First VPN” Used in Ransomware Attacks By Guru Baran May 21, 2026 In a major international law enforcement success, authorities from seven countries dismantled First VPN, a criminal virtual private network linked to global cybercrime, during a coordinated operation on May 19 and 20, 2026. Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of cybercriminal users. First VPN operating primarily through domains containing “1vpns” in the URL, including 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains, was no ordinary VPN service. Rather than catering to privacy-conscious consumers, the service explicitly targeted cybercriminals by advertising on well-known underground and Russian-speaking cybercrime forums. The platform openly promised its users that it would not cooperate with any judicial authority, would not store user data, and would not fall under any jurisdiction claims that, as investigators later proved, were entirely false. “First VPN” Taken Down According to Europol, the first VPN appeared in almost every major cybercrime investigation the agency supported, facilitating ransomware attacks, hacking of computer systems, fraud schemes, and account compromises on a global scale. The service provided anonymous payments and hidden infrastructure specifically designed for criminal use, making it a trusted tool for threat actors seeking to evade law enforcement detection. VPN Service Takendown The case originated when Eurojust opened a formal file in May 2022 at the request of French authorities, after the service was identified on known criminal forums. A joint investigation team (JIT) was formally established in November 2023, enabling French and Dutch investigators to pool evidence, share intelligence, and align on a joint prosecutorial strategy. As the investigation expanded, more countries joined, leading to the execution of multiple European Investigation Orders (EIOs) and Mutual Legal Assistance (MLA) requests coordinated through Eurojust. Critically, investigators gained covert access to First VPN’s infrastructure before the service went offline, intercepting live criminal traffic from users who falsely believed their operations were fully encrypted and anonymous. VPN Infra (Source: NYM) An Operational Taskforce (OTF) was established at Europol, bringing together investigators from 16 countries to analyze seized data. The task force produced 83 intelligence packages shared with ongoing international investigations and identified 506 specific users whose data was distributed to partner agencies worldwide. The joint action on May 19–20 produced the following outcomes: 33 servers across 27 countries were seized and dismantled Domains 1vpns.com, 1vpns.net, 1vpns.org, and associated onion sites shut down A suspect, First VPN’s administrator, was questioned in Ukraine at the request of French authorities 65 IP addresses were publicly identified and posted online All identified users formally notified of the shutdown and informed that they had been flagged Participating jurisdictions included France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom, with additional support from Spain, Sweden, Canada, Germany, and the United States. The takedown sends a clear warning to criminal infrastructure providers. “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement,” Europol stated. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems Kimsuky Hackers Use LNK and JSE Lures to Target Recruiters, Crypto Users, and Defense Officials Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections First Public macOS Kernel Exploit on Apple M5 Prepared Using Mythos Preview in Five Days Latest News Cyber Security News Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials Cyber Security Flipper Unveils New Flipper One Modular Linux Cyberdeck Cyber Security News P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances Cyber Security GitHub Internal Repositories Breached Via Weaponized VS Code Extension Cyber Security News Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗