Operation Saffron: Bitdefender Joins “First VPN” Takedown

An international law enforcement operation led by France and the Netherlands dismantled First VPN, a cybercriminal anonymization service used by ransomware actors, fraudsters, and data thieves across every major cybercrime investigation Europol has supported in recent years. Bitdefender supported the investigation through Europol, helping generate intelligence that exposed hundreds of individuals linked to cybercrime. This is the first VPN-category takedown in the history of Bitdefender’s law enforcement collaboration program, extending a research-led crime prevention strategy.

What First VPN Was

Ransomware actors need three things to operate at scale: command infrastructure they can hide, ransom payment flows they can obscure, and attribution barriers that keep investigators at arm’s length. First VPN provided all three. The service was promoted on Russian-speaking cybercrime forums as a tool for “remaining beyond the reach of law enforcement,” offering anonymous payments, hidden infrastructure, and features designed specifically for criminal use.

The operation dismantled 33 servers, seized the service’s primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated onion sites, and led to the arrest of the service’s administrator in Ukraine. French and Dutch investigators gained access to the service, obtained its user database, and identified VPN connections used by cybercriminals to hide ransomware attacks, large-scale fraud, and data theft. Europol disseminated 83 intelligence packages internationally. Information linked to 506 users was shared across participating jurisdictions. Twenty-one Europol-supported investigations advanced through the intelligence obtained.

The operation involved 18 countries: Canada, Denmark, Estonia, France, Germany, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, Spain, Sweden, Switzerland, Ukraine, the United Kingdom, and the United States. Eurojust hosted 16 coordination meetings. A Joint Investigation Team - a Eurojust legal framework that lets countries share evidence and coordinate prosecutions across borders - was established in November 2023 and enabled French and Dutch authorities to coordinate prosecutorial strategy across jurisdictions. The investigation launched in December 2021. The action days were May 19-20, 2026. The announcement came May 21, 2026.

Why Anonymization Infrastructure Matters

Edvardas Šileris, Head of Europol’s European Cybercrime Centre, framed it directly: “For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.”

Cybercriminal anonymization services are the connective tissue of the ransomware economy. A ransomware group can develop custom malware, recruit affiliates, and plan operations, but without a way to hide command-and-control infrastructure and payment flows, the operation collapses under investigative pressure within weeks. First VPN solved that problem for its customers. Europol describes the service as appearing “in almost every major Europol-supported cybercrime investigation” in recent years.

The service appeared in investigations because it worked. Actors used it to obscure lateral movement during intrusions, to hide the origin of phishing campaigns, and to route ransom negotiation traffic through infrastructure investigators couldn’t trace back to physical locations.

Disrupting anonymization services raises the cost of operation across the ecosystem. Every ransomware group that relied on First VPN now needs to find an alternative, evaluate whether it provides equivalent protections, and rebuild operational security around a new service. Some will succeed. Many will make mistakes during the transition, creating investigative opportunities that didn’t exist when First VPN was operational. The takedown doesn’t end the category of anonymization services, but it shortens the operational window of the next one and raises the barrier to entry for actors who depended on turnkey solutions.

How This Fits the Draco Team’s Work

Bitdefender’s law enforcement collaboration program, the Draco Team, is a virtual unit composed of Bitdefender Labs researchers. The team was founded in 2015, and its work follows the same research-led prevention we apply to endpoint defense: predict which attacks are coming, understand the infrastructure they depend on, and disrupt it before the next wave launches.

The First VPN takedown is the first VPN-category disruption for the Draco Team, but it follows a decade-long arc. We supported the Hansa dark-web marketplace takedown in 2017. We developed decryptors for GandCrab (2018, helping over 500,000 victims), LockerGoga (2022), and MegaCortex (2023). We contributed investigative intelligence to the Sodinokibi / REvil operation in 2021, to the PIILOPUOTI marketplace case in 2023, and to Operation Endgame in 2024, the largest botnet takedown to date. Each operation targeted a different layer of the cybercrime economy: marketplaces where tools are sold, ransomware campaigns that rely on those tools, botnets that provide attacker infrastructure, and now the anonymization services that tie it all together.

The guiding principle for us remains the same: research leads to prediction, prediction leads to prevention, and prevention works better when it happens before exploitation rather than after.

What Happens Next

The seized infrastructure will be analyzed. The 506 users whose information was shared internationally represent a subset of the service’s customer base, and ongoing investigations will determine which of those connections map to active criminal operations. Some will be traced to known ransomware groups. Others will reveal fraud operations, data theft campaigns, or cybercrime-as-a-service infrastructure we didn’t know existed.

New anonymization services will appear. The economic demand hasn’t changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions. First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement’s reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists.

We will continue supporting law enforcement operations through Europol. The methodology behind our intelligence contributions remains confidential, but the outcome is public: infrastructure dismantled, users exposed, investigations advanced. Updates on Bitdefender’s law enforcement collaboration work are available at the Defeat Cybercrime page.