European Authorities Dismantle First VPN, Seizing 33 Servers Used in Ransomware and Fraud
Updated
Updated · Computerworld · May 22
European Authorities Dismantle First VPN, Seizing 33 Servers Used in Ransomware and Fraud
8 articles · Updated · Computerworld · May 22
France- and Netherlands-led investigators dismantled First VPN, a service widely advertised in Russia that criminals used to hide identities and infrastructure during ransomware attacks, fraud and data theft.
The operation—backed by Europol and Eurojust—took 33 servers offline, seized three domains and, in earlier disclosures, led to the administrator's arrest in Ukraine.
Investigators said the takedown stripped away a key anonymity layer for cybercriminals and yielded intelligence, including user data, that could support 21 ongoing international inquiries.
The case lands amid a wider political fight over VPNs, as governments weigh internet-access restrictions while providers and groups such as Mozilla argue VPNs remain essential for privacy, open internet access and routine business security.
How was the secret user database of a 'no-logs' VPN service seized?
After a criminal VPN is dismantled, is anyone's online privacy truly safe?
With thousands of cybercriminals now identified, which major crime rings will fall next?
The Fall of First VPN: Operation Saffron’s Global Blow to Criminal Anonymity Services in 2026
Overview
Operation Saffron ended with the dismantling of First VPN on May 21, 2026. First VPN, active since 2014, was a criminal anonymization service that helped over 5,000 accounts hide illegal activities. It falsely promised users a secure way to avoid law enforcement and targeted its marketing directly at the cybercriminal community, advertising on underground forums. The service offered different pricing tiers based on connection complexity. The takedown of First VPN struck a major blow to the cybercriminal underworld, proving that claims of total anonymity are often false and that law enforcement can reach even well-hidden services.