Authorities Shut Down First VPN, a Ransomware Haven
▼ Summary
– First VPN, a service marketed to cybercriminals for anonymity, was taken offline on May 19–20, 2025, through Operation Saffron.
– French and Dutch authorities, with Europol and Eurojust, dismantled 33 servers and interviewed the operator in Ukraine.
– The VPN, operating since 2014 with over 5,000 accounts, was advertised exclusively on cybercriminal forums and offered tiered pricing.
– Law enforcement gained access to user traffic before the shutdown, and all users received messages that they had been identified.
– The investigation, starting in December 2021, produced intelligence on 506 users linked to ransomware, fraud, and other crimes, shared with partner countries.
Authorities have taken down First VPN, a virtual private network service that marketed itself as a safe haven for cybercriminals, during a coordinated international crackdown known as Operation Saffron. The takedown occurred on May 19 and 20.
French and Dutch law enforcement, backed by Europol and Eurojust, dismantled 33 servers linked to the service and interviewed the operator in Ukraine. Through cross-border judicial and police cooperation, the targeted domain names were seized, including 1vpns.com, 1vpns.net, 1vpns.org, and associated .onion addresses.
“Before the service went offline, the police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe,” the Dutch Police stated. “All users of this service have received a message stating that the VPN service has been taken offline and they have been identified as the user of the service.”
First VPN was designed to help users conceal their identities and hide online activities linked to cybercrime, authorities allege. The operator publicly claimed they would not cooperate with judicial authorities, asserted the service was not subject to any jurisdiction, and insisted they did not store user data.
Investigators revealed the platform had been operating since 2014 and served more than 5,000 accounts. The French Public Prosecutor noted that First VPN advertised exclusively on cybercriminal forums and offered different pricing tiers based on the complexity of its connection relays.
The investigation started in December 2021 after authorities repeatedly identified the VPN as a tool used in crimes affecting French victims. “The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide,” Europol said.
Law enforcement shared 83 intelligence packages concerning 506 users with partner countries. Investigators confirmed the operation produced information relevant to ransomware probes, including cases tied to the Phobos RaaS outfit.
Edvardas Šileris, Head of Europol’s European Cybercrime Centre, underscored the operation’s significance. “For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.”
(Source: Help Net Security)
