Global Authorities Dismantle First VPN Service Used By 25 Ransomware Groups

Authorities across Europe and North America have announced the dismantling of a criminal virtual private network infrastructure known as First VPN Service, which investigators say was widely used by cybercriminals to conceal ransomware attacks, data theft, network scanning, and denial-of-service operations. The takedown, carried out under an international effort known as Operation Saffron, was led by France and the Netherlands with support from multiple countries involved in the investigation since December 2021. Participating nations included Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal. Authorities described the operation as a coordinated effort targeting infrastructure allegedly designed to support criminal anonymity and cyber-enabled offenses on a global scale.

According to Europol, First VPN Service marketed itself specifically toward cybercriminal users by offering anonymous payment methods and infrastructure intended to conceal user identities while facilitating ransomware activity, fraud schemes, and data theft. Investigators said the service gained visibility through Russian-speaking cybercrime forums, including Exploit[.]in and XSS[.]is, where it was promoted as a tool capable of helping users evade law enforcement scrutiny. During operations conducted between May 19 and May 20, authorities carried out multiple simultaneous enforcement actions that included interviewing the service administrator, conducting a house search in Ukraine, dismantling 33 servers, and seizing technical infrastructure reportedly used to support criminal cyber activity internationally. Officials also confiscated domains associated with the service, including 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org, as well as related onion domains operating through Tor infrastructure. Eurojust stated that First VPN openly promoted anonymity, claiming it would not cooperate with judicial authorities, would not store user activity logs, and was not bound to any legal jurisdiction.

Europol further revealed that users of the platform have been informed of the service shutdown and warned that authorities may now possess identifying information linked to their activity. Cybersecurity company Bitdefender, which supported the investigation through Europol, reportedly provided intelligence connected to 506 users and stated that disrupting anonymization platforms significantly increases operational costs for cybercriminal ecosystems. According to investigators, while replacement services are expected to emerge due to ongoing demand for anonymous infrastructure, repeated takedowns shorten the operational lifespan of such services and create greater risk for criminal actors dependent on ready-made concealment services. The United States Federal Bureau of Investigation also released details indicating that First VPN had operated since approximately 2014, maintaining 32 exit node servers across 27 countries. Three of those nodes were reportedly based in the United States, while others were distributed across regions including Europe, Asia, Australia, and North America.

Investigators stated that no fewer than 25 ransomware groups, including Avaddon Ransomware, used First VPN infrastructure for reconnaissance operations and network intrusions. Subscription plans reportedly ranged from one day to one year, with pricing between two dollars per day and 483 dollars annually. The platform accepted payments through Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKass. The FBI reported that the service supported multiple connection protocols such as OpenConnect, WireGuard, Outline, and VLess TCP Reality, alongside encryption technologies including OpenVPN ECC, L2TP IPSec, and PPTP. Technical support was reportedly offered through a self-hosted Jabber server and Telegram. Investigators noted that some of the offered protocols could disguise VPN traffic as standard HTTPS activity to avoid detection. Archived website snapshots reviewed through the Internet Archive also showed the service advertising anonymity, stability, and security while claiming it did not retain logs linking user activity to identities, despite also stating in its FAQ that illegal activity on its servers was prohibited.
