Ransomware | Operation Saffron | 2026-05-26

First VPN: Operation Saffron Takedown


An international law enforcement action codenamed Operation Saffron has dismantled "First VPN," a bulletproof anonymization service used by at least 25 ransomware groups since approximately 2014. Led by authorities in France and the Netherlands, the operation resulted in the seizure of 33 servers and domains spanning 27 countries, exposing thousands of users to potential identification and prosecution.

What Happened

Coordinated raids targeted the infrastructure of First VPN, a service openly marketed on Russian-speaking underground forums as a secure, anonymous gateway for cybercriminal activity. Investigators from French and Dutch agencies, supported by the FBI and partners across 27 jurisdictions, executed simultaneous seizures of servers, clearnet domains, and hidden Tor onion services. Confiscated assets include the domains 1vpns.com, 1vpns.net, and 1vpns.org. Authorities have begun notifying subscribers that their identities may now be exposed following the capture of supporting infrastructure and logs.

What Was Taken

Law enforcement seized the operational backbone of the service, including 33 servers hosting customer routing infrastructure, authentication systems, and payment records. Critically, despite the provider's marketing claims of a strict "no logs" policy, investigators recovered supporting logs and metadata sufficient to identify users. Cryptocurrency payment records, subscription histories ranging from daily to annual packages, and connection metadata linking criminal infrastructure to real-world operators are now in law enforcement custody.

Why It Matters

Anonymization services like First VPN function as critical enablers of the ransomware economy, allowing affiliates to conduct reconnaissance, infiltration, and data exfiltration while masking their true locations. With at least 25 ransomware groups confirmed as customers, the takedown represents a strategic disruption to the operational tradecraft of a significant portion of the active extortion ecosystem. The case also undercuts the marketing myth of jurisdictional immunity: coordinated cross-border action showed that a bulletproof provider's "no logs" claim is a sales pitch, not a guarantee, and that subscribers face genuine attribution risk regardless of whether they paid in Bitcoin or another cryptocurrency.

The Attack Technique

First VPN itself was the technique, sold as a service. The platform supported multiple tunneling protocols, including OpenVPN and WireGuard, which could be layered to frustrate traffic analysis. Affiliates used the service to mask command-and-control communications, stage reconnaissance against victim networks, deliver ransomware payloads, and exfiltrate stolen data without revealing their originating infrastructure. Cryptocurrency-only billing and aggressive promotion on Russian-language cybercrime forums kept the customer base concentrated among financially motivated threat actors seeking operational security.

What Organizations Should Do

  1. Hunt retroactively for inbound connections from any published First VPN exit ranges and for DNS or proxy activity involving the 1vpns.com / .net / .org infrastructure, across the last 24 months of available logs. The brief itself names only the domains; exit ranges will have to come from threat-intelligence feeds.
  2. Treat historical authentication, RDP, or VPN access attempts from commercial VPN exit nodes as elevated-risk indicators warranting investigation. Expect benign hits from remote workers on personal VPNs, so prioritize privileged accounts, first-seen source ranges, and logons followed by lateral movement rather than every VPN-sourced logon.
  3. Reassess detection coverage for living-off-the-land reconnaissance and data staging behavior, since anonymized C2 will resurface on successor services and the source address will change before the tradecraft does.
  4. Block or alert on traffic to and from low-reputation commercial VPN providers at the egress and ingress perimeter, particularly those advertised on cybercrime forums; start in alert-only mode where the business depends on remote users' own VPNs.
  5. Validate that EDR telemetry captures process-to-network correlation, so exfiltration through tunneled protocols is detectable even when destination IPs are obscured.
  6. Monitor threat intelligence feeds for the inevitable successor bulletproof VPN services and update blocklists as they are identified.
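The retroactive hunt from steps 1 and 2, run over constructed sample log lines, as an added example that is not part of the original brief and not the investigators' tooling. The seized domains are the ones named above; the exit ranges are RFC 5737 documentation prefixes standing in for real indicators, which the brief does not list. The log format is a simplified key=value scheme assumed for the example.

```python
"""Hunt auth/RDP/VPN and DNS logs for a seized VPN provider's indicators.

Added example, not from the article. The exit ranges below are RFC 5737
documentation prefixes used as placeholders; swap in ranges from a
threat-intelligence feed. The domains are the seized 1vpns.* domains.
"""
import ipaddress
import re

# Seized clearnet domains named in the brief. Subdomains match too.
SEIZED_DOMAINS = ("1vpns.com", "1vpns.net", "1vpns.org")

# Hypothetical exit ranges (documentation prefixes, NOT real First VPN IPs).
EXIT_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample log lines: "<ts> <host> <event> key=value ..." format.
SAMPLE_LOGS = """\
2026-03-02T08:14:55Z vpn-gw sslvpn user=jdoe src=203.0.113.44 result=success
2026-03-02T08:15:10Z dc01 rdp user=svc_backup src=10.20.0.15 result=success
2026-03-02T09:01:07Z dc01 rdp user=administrator src=198.51.100.9 result=failure
2026-03-02T09:01:09Z dc01 rdp user=administrator src=198.51.100.9 result=success
2026-03-02T09:30:00Z resolver dns client=10.20.0.33 qname=api.1vpns.net qtype=A
2026-03-02T09:31:12Z resolver dns client=10.20.0.40 qname=www.example.com qtype=A
2026-03-02T10:02:45Z vpn-gw sslvpn user=asmith src=198.51.100.200 result=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into ts/host/event plus its key=value fields."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    ts, host, event, rest = parts
    return {"ts": ts, "host": host, "event": event, **dict(KV_RE.findall(rest))}


def ip_in_ranges(ip_str, ranges):
    """True if ip_str parses as an address inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:  # garbage or hostname in the src field: not a hit
        return False
    return any(ip in net for net in ranges)


def domain_matches(qname, domains):
    """Exact or subdomain match; 'evil1vpns.com' must not match '1vpns.com'."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def hunt(log_text, ranges=EXIT_RANGES, domains=SEIZED_DOMAINS):
    """Return one hit per log line that touches an exit range or seized domain."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src = rec.get("src")
        if src and ip_in_ranges(src, ranges):
            hits.append({"ts": rec["ts"], "kind": "exit_range", "indicator": src,
                         "event": rec["event"], "user": rec.get("user"),
                         "result": rec.get("result")})
        qname = rec.get("qname")
        if qname and domain_matches(qname, domains):
            hits.append({"ts": rec["ts"], "kind": "seized_domain", "indicator": qname,
                         "event": rec["event"], "client": rec.get("client")})
    return hits


def successful_logons(hits):
    """Exit-range hits that ended in a successful logon: triage these first."""
    return [h for h in hits if h["kind"] == "exit_range" and h.get("result") == "success"]


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["kind"]:14} {h["indicator"]:18} {h["event"]} {h.get("user") or h.get("client")}')
    print(f"{len(successful_logons(found))} successful logon(s) from exit ranges")
```

The /25 prefix is deliberate: the 198.51.100.200 logon falls outside it and is not flagged, which is the behaviour you want from CIDR matching and the reason to keep the range list precise rather than rounding up to a /24. Matching on the DNS name side uses a suffix check anchored at a label boundary, so look-alike domains do not produce false hits.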

Sources: Global Operation Saffron Disrupts Major Ransomware VPN Network