French and Dutch authorities, with support from Europol and Eurojust, have shut down First VPN, a service extensively used by cybercriminals to conceal their illicit activities, including ransomware attacks and phishing campaigns. The operation, codenamed Operation Saffron, has also provided investigators with access to user data, potentially identifying individuals linked to criminal operations, as first reported by HackRead.
First VPN marketed itself on Russian-speaking cybercrime forums as a reliable tool for anonymity, offering features like anonymous payments and concealed infrastructure to help users evade law enforcement. The service became closely associated with ransomware groups, fraud networks, and data theft campaigns, appearing in numerous major cybercrime cases supported by Europol.
The operation, conducted between May 19 and 20, 2026, involved Ukrainian authorities arresting the alleged administrator and seizing 33 servers. Several associated domains and onion domains were also taken offline, displaying a seizure notice to users.
The investigation, which began in December 2021, yielded a user database exposing thousands of connections to cybercrime infrastructure, providing crucial leads for ongoing investigations into ransomware attacks, online fraud, and other serious offenses across multiple countries. This takedown highlights a growing trend of law enforcement targeting the infrastructure that enables cybercrime, not just the perpetrators themselves.
Source: HackRead
Kelley Damore is Chief Content Officer at CyberRisk Alliance, where she leads content strategy across the company’s digital brands, research, communities and live events serving CISOs and security practitioners. At CyberRisk Alliance, she is focused on delivering 365-day engagement, trusted journalism and actionable insights to help security leaders navigate an increasingly complex threat landscape.
Kelley Damore is Chief Content Officer at CyberRisk Alliance, where she leads content strategy across the company’s digital brands, research, communities and live events serving CISOs and security practitioners. At CyberRisk Alliance, she is focused on delivering 365-day engagement, trusted journalism and actionable insights to help security leaders navigate an increasingly complex threat landscape.
An error occurred trying to play the stream. Please reload the page and try again.
CloseRegistering with SC Media is 100% free. Join tens of thousands of cybersecurity leaders today and gain access to the latest analysis shaping the global infosec agenda.
