Operation Saffron Takes Down First VPN Used by 25 Ransomware Groups
Authorities in Europe and North America have dismantled First VPN, a criminal VPN service specifically designed to anonymize ransomware operations and other cyberattacks. Coordinated as Operation Saffron and led by France and the Netherlands, the international operation took place on May 19-20 and resulted in the seizure of 33 servers and the disruption of infrastructure supporting global cybercriminal activity. The investigation, supported by 17 countries including the U.S., Germany, Ukraine, Canada, and the U.K., began in December 2021 and uncovered that First VPN had been active since approximately 2014, running 32 exit node servers across 27 countries, including three located in the United States at IP addresses 2.223.66[.]103, 5.181.234[.]59, and 92.38.148[.]58. Seized domains include 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org, along with related Tor hidden services.
First VPN actively marketed itself on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is, explicitly promising users that it would not cooperate with any judicial authority, would not store data, and would not be subject to any jurisdiction. Eurojust reported that the service offered anonymous payment options and hidden infrastructure specifically tailored for criminal use, enabling customers to obscure their identities while conducting ransomware attacks, large-scale fraud, data theft, scanning operations, and denial-of-service attacks. Romanian cybersecurity firm Bitdefender supported the investigation through Europol, sharing information linked to 506 users of the service.
The FBI issued a coordinated flash alert notifying First VPN users that their identities are now known to authorities following the shutdown. Bitdefender emphasized that while disrupting anonymization services raises operational costs across the cybercriminal ecosystem, new services will inevitably emerge to fill the void. "Each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions," the company stated. "First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement's reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists."