European law enforcement forces pull the plug on this free VPN in massive cybercrime crackdown —here's all we know

News
By published

A joint operation led by Europol and Eurojust has targeted First VPN, taking 33 servers offline and seizing key domain names

This photograph shows a laptop screen displaying the website of Europol featuring the First VPN service website with a message reading, "This service has been seized"
(Image credit: Photo by Fred TANNEAU / AFP via Getty Images)
  • Authorities from seven countries took down 'First VPN,' seizing 33 servers
  • The VPN was heavily marketed as a safe haven for ransomware operators
  • The takedown led to thousands of cybercriminals being exposed

A coalition of European law enforcement agencies has successfully taken down a massive virtual private network (VPN) that allegedly functioned as a digital shield for ransomware gangs and cybercriminals. The joint operation, coordinated by Europol and Eurojust, saw the dismantling of the criminal service known as 'First VPN.'

While everyday consumers use the VPN services to protect their privacy on public Wi-Fi or safely stream their favorite geo-blocked content, 'First VPN' seems to have been custom-built for the criminal underworld. The platform explicitly offered a "secure environment to carry out illegal activities," according to Eurojust, assuring its users that it kept zero logs, evaded global jurisdiction, and would never cooperate with authorities.

That promise collapsed between May 19 and 20. In a coordinated strike dubbed "Operation Saffron," police from seven countries seized 33 servers, shut down the platform's primary web domains (including 1vpns.com, 1vpns.net, 1vpns.org, and associated onion sites), and executed a house search and interview of a key suspect in Ukraine.

TechRadar has contacted Europol and Eurojust for further comments, a spokeswoman said that they were "not able to provide any further details at this point in time since the investigations are currently ongoing."

For everyday users, the takedown of this rogue provider is a massive win. Cybercriminals heavily relied on 'First VPN' to mask their true locations while launching crippling ransomware attacks, stealing consumer data, and orchestrating large-scale fraud schemes.

Stripping away this layer of anonymity leaves these bad actors exposed, making the digital landscape significantly safer for the general public.

Unmasking the criminal underworld

Screenshot of law enforcement agencies involved in Operation Saffron (May 2026)

(Image credit: Future)

Marketed heavily on Russian-speaking cybercrime forums, 'First VPN' had become a staple tool for digital thieves. It was so deeply embedded in the malicious ecosystem that, according to Europol, the service was "appearing in almost every major cybercrime investigation supported by Europol in recent years."

The operation to dismantle the network began gathering steam back in December 2021. By pooling resources across a Joint Investigation Team established by Eurojust in November 2023, and involving heavy hitters like the French Paris Prosecution Office, the Dutch National High Tech Crime Unit, and the UK's National Crime Agency, authorities successfully infiltrated the network before pulling the plug.

Eurojust played a critical role in navigating the complex legal landscape, hosting 16 coordination meetings to prepare for the sting — the organization explains in an official statement.

This stealthy, multi-national infiltration allowed investigators to obtain the platform’s heavily guarded user database. As a result, users of the criminal service who thought they were browsing anonymously have now been directly notified by police that their true identities have been compromised.

"For years, cybercriminals saw this VPN service as a gateway to anonymity," said Edvardas Šileris, Head of Europol’s European Cybercrime Centre. "They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement."

A goldmine of cybercrime intelligence

The fallout from Operation Saffron is only just beginning. With the infrastructure dead and the suspected administrator facing questioning, authorities across multiple jurisdictions are now sifting through a mountain of seized traffic data. The operation also received crucial assistance from cybersecurity firm Bitdefender.

The intelligence haul has been monumental. Europol confirmed that the gathered data has already generated 83 intelligence packages and unmasked 506 specific users internationally. Furthermore, this treasure trove of traffic logs has actively advanced 21 ongoing Europol-supported cybercrime investigations.

Michael Jepson, Head of Penetration Testing at cybersecurity consulting firm CybaVerse, told TechRadar that the data gathered from this takedown "will fuel follow-on investigations into activity conducted via First VPN and help target further illicit infrastructure."

The takedown also serves as a stark reminder that while VPN technology is vital for legitimate online privacy and security, criminal networks attempting to misuse the technology to harbor illegal activities remain firmly in the crosshairs of global law enforcement.

Rene Millman
Rene Millman
Contributing Writer

Rene Millman is a seasoned technology journalist whose work has appeared in The Guardian, the Financial Times, Computer Weekly, and IT Pro. With over two decades of experience as a reporter and editor, he specializes in making complex topics like cybersecurity, VPNs, and enterprise software accessible and engaging.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.