Europol takes down VPN service

According to the police, it was the VPN service of choice for many cybercriminals: First VPN had been part of every major cybercrime investigation by the European police organization Europol in recent years, and now authorities from several European countries have taken action against the provider.

In the operation, codenamed “Operation Saffron” on May 19 and 20, a house search was conducted in Ukraine, and Europol also shut down 33 of the provider's servers and disabled further infrastructure, according to its own statements. Several domains in the clear web and deep web went offline. The administrator of the service was arrested and questioned; he is currently in custody.

According to Europol, “investigators gained access to the service, secured its user database, and identified VPN connections used by cybercriminals to conceal their activities.” The IT security company Bit Defender also supported this.

On its website, First VPN advertised according to the Dutch police that any cooperation with judicial authorities would be refused, the service was not subject to any jurisdiction, and no user data would be stored.

Investigators ultimately identified 506 users of the service, whose information Europol is now sharing internationally with other authorities. Affected users are now being informed that Europol was able to unmask them, the police organization writes. French police estimate the total number of users to be up to 5000.

Numerous cybercrime groups were customers

In response to the Europol operation, the US federal police Federal Bureau of Investigation (FBI) published a warning message about First VPN on Friday. At least 25 ransomware groups, including Avaddon Ransomware, have reportedly used the infrastructure of First VPN Service to conduct network reconnaissance and penetrate systems. The service was recommended by users in various Russian-speaking cybercrime forums, according to Europol and the FBI.

According to the FBI, IP addresses from First VPN Service were used for scanning activities, botnets, denial-of-service attacks, fraud attempts, and hacking attacks. The FBI also provides a list of all First VPN IPs known in May 2026 and prior. However, such malicious infrastructures can also be hosted on virtualised or cloud platforms, whereby IP addresses are assigned dynamically or temporarily. The FBI also qualifies: An address appearing on the list may have been used for criminal activities in the past, at the time of observation by investigators, but may currently be used for non-malicious activities. For more insight, interested parties should consult network telemetry data and other information sources.

Support also from Germany

The operation took place in Luxembourg, Switzerland, Romania, Ukraine, and Great Britain. Police forces from France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and Great Britain were involved in the operation. Investigations were also supported by police authorities in Canada, Romania, the USA, and Germany. According to a Europol spokesperson, French and Dutch authorities led the operation.

(nen)