Europol, in conjunction with Eurojust (the European Union Agency for Criminal Justice Cooperation) and various European authorities, has dismantled First VPN. According to investigators, the shutdown occurred because this VPN service was not aimed at ordinary users seeking to bypass internet blocks. Instead, it is believed that the VPN served as an anonymization infrastructure designed for cybercriminals.
The operation, codenamed “Operation Saffron,” was carried out between May 19th and 20th, 2026, resulting in the platform’s shutdown, the seizure of domains, and the dismantling of servers located in multiple countries. Reports indicate that First VPN appeared in virtually all major cybercrime investigations supported by Europol in recent years. The VPN was advertised on Russian-speaking cybercrime forums as a way to evade authorities, offering anonymous payments, hidden infrastructure, and a guarantee of no judicial cooperation.
First VPN Falls After Operation Led by France and the Netherlands, with Support from Europol and Eurojust
Dutch authorities revealed that prior to shutting down the service, they had already gained access to the criminal traffic of users who believed they were protected. This means the operation did not stop at closing servers; it also yielded intelligence on connections, users, and operations linked to ransomware, fraud, data theft, and attacks against computer systems.
During the operation, 33 servers associated with First VPN were dismantled, located in 27 countries. Domains such as 1vpns.com, 1vpns.net, 1vpns.org, and related domains on the Tor network were seized. Furthermore, all identified users received a notification indicating that the service had been disconnected and that they had been identified as users of the platform.
For context, a standard VPN can be used to protect connections on public Wi-Fi, work remotely, access region-locked content, or enhance privacy. First VPN, according to authorities, went much further: it advertised on criminal forums, claimed to be outside any jurisdiction, promised non-cooperation with justice, and offered infrastructure concealment for illegal activities. This is why authorities treated it as part of the cybercrime supply chain, not as a conventional VPN provider.
Investigations Began in 2021
According to the report, the investigation officially commenced in December 2021. It was initiated after authorities detected that this VPN was repeatedly used in crimes affecting French victims. In November 2023, a joint investigation team was formed between France and the Netherlands, with judicial coordination from Eurojust. Bitdefender, which collaborated with Europol, stated that 18 countries participated, including Spain, the United States, the United Kingdom, Germany, France, the Netherlands, Ukraine, Switzerland, Canada, and several other European nations.
This operation has also generated material for future investigations. Europol reportedly distributed 83 intelligence packages and shared information linked to 506 users among participating jurisdictions. Moreover, the obtained intelligence allowed progress in 21 investigations supported by Europol. This does not necessarily mean all identified users will be convicted or prosecuted. However, authorities have acquired sufficient operational data to cross-reference with cases of ransomware, fraud, and information theft. Several sources mention that First VPN may have had over 5,000 accounts since its initial activity. The confirmed operational figure is 506 users whose information was shared.
These types of operations raise questions about the extent to which authorities should go in pursuing anonymization infrastructures. In this specific case, First VPN’s criminal profile was quite clear due to its advertising, its promises of non-judicial cooperation, and its consistent presence in ransomware investigations. Closing a VPN designed for criminals is one thing; pressuring legitimate privacy services that do not log data by design is quite another. This is precisely what is beginning to happen with VPNs in Europe. In summary, VPNs can be problematic, as they allow minors to bypass restrictions to access social networks.
