(Credit: Europol)
A VPN that was reportedly extremely popular among organized criminal groups has been taken down and seized following a collaborative investigation led by France and the Netherlands, dubbed “Operation Saffron.” It was supported by European Union anti-crime agencies Europol and Eurojust.
The service, known as ‘First VPN,’ had reportedly been “deeply embedded” in the cybercrime ecosystem and appeared in “almost every major cybercrime investigation” supported by Europol in recent years. First VPN was promoted on Russian-speaking cybercrime forums as a tool to evade law enforcement and enabled anonymous payments, among other features designed specifically for criminal use.
The agencies have now dismantled 33 servers linked to the criminal service in 27 countries. As a result of the takedown, investigators across multiple jurisdictions are now using the intelligence gathered to further their investigations. The operation revealed information linked to 506 users worldwide, as well as 21 ongoing Europol-supported investigations. The agencies didn’t reveal the identity of those behind the service, but said they interviewed the administrator and conducted a house search in Ukraine.
Though FirstVPN explicitly marketed its services toward criminals, we’ve also seen the founders and executives of some mainstream VPN companies face legal scrutiny from European authorities in recent years as a result of allegations that their services were used in criminal activity.
The founder of Windscribe VPN, Yegor Sak, was personally hit with criminal charges in 2022 by Greek prosecutors after Windscribe VPN was allegedly used in an attack on a server in Greece, though he was later acquitted in early 2025.
Recommended by Our Editors
Meanwhile, the offices of Mullvad VPN in Gothenburg, Sweden, were visited by police in 2023 with a search warrant intended to seize computers containing customer data. However, Mullvad said police left empty-handed because the company did not store customer activity logs.
Dutch police explained that First VPN was classified as a criminal service because it “mainly advertised on the cybercriminal forums known to the police and thus expressly approached cybercriminals as potential clients.”
They also pointed out how the now-archived website said “cooperation with the judiciary would be denied,” claimed the service was not subject to any jurisdiction, and stated that no data on users was stored.
An FBI report said that “at least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure to perform network reconnaissance and intrusions.” The infrastructure was also allegedly used for scanning activity, botnets, denial-of-service (DDoS) attacks, scams, and hacking.