A joint law enforcement operation dismantled First VPN (also known as 1VPN), a criminal anonymization service that had operated since 2014 and been marketed exclusively on Russian-speaking cybercrime forums as a tool to evade investigators. Executed on May 19–20, 2026 under the codename Operation Saffron, the action was led by French and Dutch authorities with Europol, Eurojust, and 18 participating countries. Authorities seized 33 servers distributed across 27 countries, took down primary domains including 1vpns.com, 1vpns.net, and 1vpns.org as well as associated Tor onion addresses, and arrested the service’s administrator following a house search in Ukraine. Critically, investigators obtained the complete user database and criminal traffic logs, exposing more than 5,000 accounts; 83 intelligence packages covering 506 individual users have been shared with partner jurisdictions for follow-on prosecutions.
Europol described First VPN as appearing in “almost every major cybercrime investigation” it has supported in recent years. The FBI confirmed that at least 25 distinct ransomware groups — including Avaddon and Phobos — relied on it to conceal reconnaissance, intrusions, and command-and-control traffic. The investigation traces back to December 2021, when repeated use in attacks against French victims prompted authorities to seek access to the service’s infrastructure; a formal Joint Investigation Team was established under the Eurojust framework in November 2023. Europol’s European Cybercrime Centre head Edvardas Šileris said criminals “believed it would keep them beyond the reach of law enforcement” and the operation “proves them wrong.” Bitdefender’s Draco Team contributed intelligence throughout, marking its first participation in a VPN-category takedown.