Europol Took Down the VPN That Showed Up in Nearly Every Major Cybercrime Case

Key Takeaways

• Europol-led Operation Saffron dismantled First VPN on May 19–20, seizing 33 servers, shutting down its primary domains, and arresting the alleged administrator in Ukraine.
• First VPN was openly marketed on Russian-language cybercrime forums and appeared in almost every major Europol-supported cybercrime investigation in recent years.
• Investigators seized the full user database, generating 83 intelligence packages, identifying 506 users internationally, and advancing 21 ongoing investigations.
• Unlike legitimate VPN providers, First VPN explicitly marketed itself as a safe environment for illegal activity and guaranteed it would never cooperate with authorities.

Operation Saffron Leaves Thousands of Cybercriminals Identified

The coordinated action against ransomware groups’ favorite First VPN ran across May 19 and 20, led by France and the Netherlands, with Europol, Eurojust, and investigators from Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom all participating. The investigation behind it started in December 2021, with a Joint Investigation Team formally established through Eurojust in November 2023 and 16 coordination meetings held to prepare for the action days.

The results were significant. Thirty-three servers were dismantled. The primary domains, including 1vpns.com, 1vpns.net, and 1vpns.org, along with associated onion sites, were seized and shut down. The alleged administrator was interviewed, and their residence in Ukraine searched.

Most consequentially, investigators gained access to First VPN's user database. The gathered intelligence generated 83 intelligence packages, with information on 506 specific users shared internationally, and 21 Europol-supported investigations advanced. Every user who believed they had purchased anonymity has now been notified by authorities that their identity is known. Naturally, that is exactly what they paid to avoid.

Edvardas Šileris, Head of Europol's European Cybercrime Centre, said that for years cybercriminals saw this service as a gateway to anonymity, believing it would keep them beyond the reach of law enforcement, and that the operation proved them wrong.

A VPN Built for the Criminal Underground, Not Your Privacy

Not every VPN takedown is a reason to worry about internet freedom. This one is genuinely worth celebrating.

First VPN was not a legitimate privacy tool that happened to attract bad actors. It was a service built from the ground up for the criminal ecosystem, promoted on Russian-speaking cybercrime forums, offering anonymous payments, hidden infrastructure, and services designed specifically for criminal use. It promised operation beyond global jurisdiction and guaranteed it would never cooperate with law enforcement. It was not a VPN in any meaningful sense of the word. It was criminal infrastructure wearing a VPN's name.

Europol confirmed it appeared in almost every major cybercrime investigation it supported in recent years, with criminals using it to conceal their identities while carrying out ransomware attacks, large-scale fraud, and data theft. This is worth keeping in mind when anyone tries to frame this takedown as a blow against online privacy.

It represents exactly what free and shady VPN services routinely do: exploit the category's reputation for privacy to do the opposite. Whether that means selling your traffic, monetizing your data, or in this case actively facilitating ransomware operators, the pattern is the same. The name "VPN" is doing marketing work while the service does something else entirely.

What This Takedown Should and Should Not Mean for VPN Users

The risk now is that governments and regulators do what they always do with a story like this: point at a criminal VPN service as justification for restricting legitimate ones. It is a reliable move, and, as usual, it is completely backwards.

First VPN was a criminal operation that borrowed the VPN label. The lesson from its takedown is not that VPNs are dangerous. The lesson is that there is a real difference between services built for transparency, with audited no-log policies and legal accountability, and services that explicitly promise to help you commit crimes. Efforts to use operations like this to justify nationwide VPN bans collapse that distinction deliberately.

Ultimately, how much damage the intelligence haul does to cybercriminal networks remains to be seen. But at the very least this particular one is gone for good.

And at the same time, if you care about your privacy online and want a VPN that actually does what the name promises without supporting cybercrime, a virtual private network from a provider with a verified no-log policy is the answer, and you can get Mysterium VPN with 82% off right now.