Operation Saffron Dismantles VPN Used by 25 Ransomware Gangs
International law enforcement seizes 33 servers and shuts down First VPN, a criminal service used by at least 25 ransomware groups since 2014. 15 nations participated.
Law enforcement agencies from 15 countries dismantled First VPN, a bulletproof VPN service marketed specifically to cybercriminals and used by at least 25 ransomware gangs, during a coordinated operation on May 19-20.
Dubbed Operation Saffron, the joint action resulted in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of cybercriminal users. The service had operated since approximately 2014, offering anonymous infrastructure across 27 countries.
Scope of the Operation
French and Dutch authorities led the operation with support from Europol and Eurojust. Participating nations included Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
According to the FBI, First VPN was "so popular that at least 25 ransomware gangs used the service to hide their malicious activity." The service's infrastructure included 32 exit nodes distributed across the globe.
Seized domains include 1vpns.com, 1vpns.net, 1vpns.org, and related .onion addresses on the Tor network. Authorities interviewed the operator during a house search in Ukraine.
Criminal Services Offered
First VPN wasn't just providing privacy—it was explicitly designed for criminal operations:
- Anonymous payments via cryptocurrency and alternative methods
- Hidden infrastructure for command-and-control servers
- A "no cooperation" guarantee promising non-compliance with any judicial authority
- "No logging" claims assuring users their activities wouldn't be recorded
- Multiple protocols including OpenVPN, WireGuard, and VLESS
Pricing ranged from $2 daily to $483 annually, making it accessible to ransomware affiliates and small-time operators alike.
Criminal Activities Supported
Europol confirmed the VPN was used for ransomware operations, botnet management, distributed denial-of-service attacks, and various fraud schemes. The service was marketed on Russian-language cybercrime forums, explicitly positioning itself as a tool for evading law enforcement.
This takedown follows a pattern of international cooperation against ransomware infrastructure. The arrest of the KimWolf DDoS operator in Canada earlier this month demonstrated similar cross-border coordination, and the FBI's warning about Kali365 PhaaS shows ongoing efforts to disrupt criminal services.
Why This Matters
Bulletproof hosting and VPN services represent critical infrastructure for ransomware operations. Without reliable anonymity, ransomware gangs face significantly higher operational risk. Every server seized and every user identified provides intelligence for future investigations.
The operational data recovered from First VPN servers could have downstream effects for months. Law enforcement now has access to connection logs, payment records, and infrastructure details that may link to ongoing ransomware investigations.
For defenders, this is a reminder that the threat landscape isn't static. When criminal infrastructure goes down, operators migrate to alternatives—sometimes with improved operational security, sometimes sloppier. The transition period creates opportunities for detection.
The Broader Ransomware Context
First VPN's takedown comes as ransomware groups continue adapting their tactics. The shift toward encryptionless extortion—stealing data without deploying ransomware—has accelerated as victims increasingly refuse to pay ransoms. Groups like ShinyHunters have perfected this model, recently targeting Instructure's Canvas platform affecting 275 million users.
Organizations concerned about ransomware should review their exposure to common initial access vectors. For an overview of how ransomware gangs operate and how to defend against them, see our ransomware defense guide.
The 15-nation coordination behind Operation Saffron also reflects the maturation of international cybercrime response. These operations now happen regularly rather than as exceptional events, though the challenge remains that new bulletproof services emerge as quickly as old ones are shut down.
Avaddon, one of the ransomware groups confirmed to have used First VPN, previously made headlines before shutting down in 2021 and releasing decryption keys. The fact that groups like Avaddon were using First VPN underscores how long these criminal infrastructure providers operate before facing enforcement action—in this case, roughly a decade.
For organizations tracking ransomware threat intelligence, the First VPN user list—if eventually disclosed through indictments or further enforcement actions—could provide valuable attribution data connecting previously unlinked campaigns.