
Dubbed Operation Saffron, the joint action was led by French and Dutch authorities and supported by Europol and Eurojust, resulting in the seizure of 33 servers, the shutdown of multiple domains, and the identification of thousands of cybercriminal users.
First VPN, which operated primarily through domains containing “1vpns” in the URL, including 1vpns.com, 1vpns.net, 1vpns.org, and associated onion domains, was no ordinary VPN service.
Rather than catering to privacy-conscious consumers, the service explicitly targeted cybercriminals by advertising on well-known underground and Russian-speaking cybercrime forums.
The platform openly promised its users that it would not cooperate with any judicial authority, would not store user data, and would not fall under any jurisdiction. These claims, as investigators later proved, were entirely false.
“First VPN” Taken Down
According to Europol, First VPN appeared in almost every major cybercrime investigation the agency supported, facilitating ransomware attacks, hacking of computer systems, fraud schemes, and account compromises on a global scale.
The service provided anonymous payments and hidden infrastructure specifically designed for criminal use, making it a trusted tool for threat actors seeking to evade law enforcement detection.
The case originated when Eurojust opened a formal file in May 2022 at the request of French authorities, after the service was identified on known criminal forums.
A joint investigation team (JIT) was formally established in November 2023, enabling French and Dutch investigators to pool evidence, share intelligence, and align on a joint prosecutorial strategy.
As the investigation expanded, more countries joined, leading to the execution of multiple European Investigation Orders (EIOs) and Mutual Legal Assistance (MLA) requests coordinated through Eurojust.
Critically, investigators gained covert access to First VPN’s infrastructure before the service went offline, intercepting live criminal traffic from users who falsely believed their operations were fully encrypted and anonymous.
An Operational Taskforce (OTF) was established at Europol, bringing together investigators from 16 countries to analyze seized data.
The task force produced 83 intelligence packages shared with ongoing international investigations and identified 506 specific users whose data was distributed to partner agencies worldwide.
The joint action on May 19–20 produced the following outcomes:
- 33 servers across 27 countries were seized and dismantled
- Domains 1vpns.com, 1vpns.net, 1vpns.org, and associated onion sites were shut down
- A suspect, First VPN’s administrator, was questioned in Ukraine at the request of French authorities
- 65 IP addresses were publicly identified and posted online
- All identified users were formally notified of the shutdown and informed that they had been flagged
Participating jurisdictions included France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom, with additional support from Spain, Sweden, Canada, Germany, and the United States.
The takedown sends a clear warning to criminal infrastructure providers. “Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement,” Europol stated.
The post Authorities Have Taken Down “First VPN” Used in Ransomware Attacks appeared first on Cyber Security News.
