Over the weekend of May 19–20, 2026, a coordinated international law enforcement operation shut down First VPN — a virtual private network service that wasn’t marketed to privacy-conscious consumers but to criminals who needed to hide ransomware deployments, botnet infrastructure, and fraud operations. The action, named Operation Saffron, dismantled 33 servers spread across 27 countries and generated intelligence packages on over 500 users that are now flowing to law enforcement agencies worldwide.

The scale of First VPN’s criminal clientele tells its own story. The FBI confirmed that at least 25 ransomware gangs used the service to conceal their activity. That isn’t an estimate — it’s a documented minimum derived from intelligence collected during the operation.

What First VPN Actually Offered

First VPN was explicitly marketed to cybercriminals. It wasn’t a service that was incidentally misused; its product offering was designed for criminal purposes from the ground up. Europol described the platform as providing anonymous payments (accepting cryptocurrency with no KYC requirements), hidden infrastructure, and “other services specifically marketed for criminal hackers.”

That infrastructure served a range of malicious purposes beyond ransomware: scanning the internet for vulnerable systems, running botnets, launching distributed denial-of-service attacks, and operating fraud and scam networks. The service’s servers were spread across 27 countries, making traffic routed through it genuinely difficult to trace without law enforcement cooperation across multiple jurisdictions.

The model isn’t unique. Criminal VPN services — sometimes called “bulletproof” VPNs — have been a recurring enforcement target in recent years. Operation Ramz earlier this month disrupted similar infrastructure across the MENA region. First VPN was a different tier: purpose-built infrastructure explicitly for ransomware gang operational security.

Seven Countries, One Weekend

The operation was led by French and Dutch authorities, with support from Europol and Eurojust, and coordination across seven countries. The raids on May 19–20 simultaneously hit data centers and the operator’s location.

The operator — described by authorities as the service’s administrator — was located in Ukraine and interviewed by law enforcement. Notably, no arrest was announced for the operator. The interview could reflect cooperation, legal complexity around an active conflict zone, or an ongoing investigation. Authorities have not elaborated.

What authorities did announce: 83 intelligence packages covering 506 First VPN users have been prepared and shared with partner countries. Those packages are the downstream consequence of the takedown — each one initiates a separate investigation into a criminal actor who believed their activity was masked.

The Covert Access Window

The most significant operational detail in Europol’s disclosure is that law enforcement had covert access to the criminal traffic of First VPN users before the service went offline. Users of the service — including the ransomware gang operators — believed their communications and routing were private. They weren’t.

The duration and scope of that covert access haven’t been disclosed, but the phrase “before the service went offline” implies a period of passive surveillance during which criminal activity was being logged and attributed. That intelligence almost certainly informed the 83 packages now in partner agencies’ hands.

This is the same playbook used in previous infrastructure takedowns: gain access, collect intelligence, then execute the public action at a moment of maximum intelligence yield. The targets lose their operational security while the investigating agencies gain attribution data that might take years to surface in prosecutions.

What Comes Next

The immediate effect of Operation Saffron is disruption. Twenty-five or more ransomware gangs need to find alternative routing. That operational friction is real — rebuilding anonymization infrastructure takes time and creates exposure during the transition.

The longer-term effect is in the 83 intelligence packages. These aren’t press releases — they’re investigation files being handed to law enforcement agencies with jurisdiction over specific users. Some of those users will be prosecuted. Some will be arrested in countries that have extradition treaties. Some will be beyond reach for now but will find their operational environment increasingly constrained.

The ransomware gang takedown cycle of the last several years — LockBit, BlackCat, Hive, Karakurt — has repeatedly demonstrated that arresting the technical operators is difficult but arresting the human infrastructure around them is increasingly achievable. Operation Saffron targets a different layer: the anonymization infrastructure that all of these groups depend on.
