Authorities shut down VPN network used for cybercrime

Europol, Eurojust, and law enforcement authorities from several European countries have jointly taken down a criminal VPN network called First VPN.

The virtual private network or VPN service was used to conceal ransomware attacks, data theft, hacking of IT systems, fraud schemes, and other criminal offences.

According to Europol, First VPN was used in almost every major cybercrime investigation supported by the agency. The VPN service promised anonymity, that it wouldn’t store any data, and that it would not cooperate with any judicial authority.

Eurojust first got wind of the criminal operation back in May 2022. A joint investigation team was established in November 2023 to facilitate cooperation and to exchange evidence and information between the international police forces.

On May 19th and 20th, 2026, law enforcement agencies from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom dismantled 33 servers linked to the criminal service in a coordinated operation dubbed Operation Saffron.

On top of that, several domain names, including 1vpns.com, 1vpns.net, and 1vpns.org, have been seized. When users try to log in to the VPN service, a so-called splash page is shown instead, informing them of the shutdown and warning them that they have been identified.

Lastly, police officers conducted a house search in Ukraine and interviewed the alleged administrator.

According to a press release by the Dutch National Police, law enforcement authorities had access to all communications. “These data have not only been used in the research itself, but also shared with other ongoing (inter)national investigations,” the police stated. How the authorities were able to gain access to First VPN’s communication has not been disclosed.

“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement,” Edvardas Šileris, Head of Europol’s European Cybercrime Centre, said in a statement.

Operation Saffron was led by France and the Netherlands, and coordinated by Europol and Eurojust. Cybersecurity firm Bitdefender also helped during the operation.