Deepak Sharma

First VPN Service Dismantled in Global Crackdown Linked to Ransomware Groups

Law enforcement agencies across Europe and North America have dismantled a criminal VPN provider known as First VPN Service, which was allegedly used by ransomware groups and cybercriminals to hide their activities online.

The international operation, called Operation Saffron, involved coordinated action from multiple countries, including France, the Netherlands, the United States, Canada, Germany, Ukraine, and several others. Authorities said the investigation began in late 2021 and focused on infrastructure that helped attackers conceal the origin of ransomware attacks, data theft, network scanning, and denial-of-service operations.

According to investigators, First VPN was designed specifically for criminal use. The service reportedly offered anonymous payments, hidden infrastructure, and privacy-focused features that appealed to cybercriminals looking to evade law enforcement. It was also advertised on Russian-speaking cybercrime forums as a trusted solution for anonymous operations.

During the takedown, authorities seized 33 servers, disrupted associated domains, and conducted searches tied to the investigation. Officials also interviewed the service’s administrator and collected information linked to users of the platform.

Investigators say at least 25 ransomware groups used the VPN infrastructure to support reconnaissance and intrusion activities. The service had reportedly operated since around 2014 and provided exit nodes across dozens of countries, allowing users to route traffic through multiple regions to obscure their identity.

The VPN supported protocols such as OpenConnect, WireGuard, Outline, and VLESS TCP Reality, along with various encryption methods. Researchers noted that some features were specifically designed to disguise VPN traffic as normal HTTPS activity, making detection more difficult.

Authorities also stated that users of the platform have been notified that their identities may now be known to investigators. Security experts believe the disruption increases operational pressure on cybercriminal groups that rely on anonymization services to coordinate attacks.

This case highlights how cybercriminal infrastructure often operates like a professional service business, offering subscriptions, support channels, and specialized privacy tools for attackers.

Cybersecurity companies like IntelligenceX help organizations understand and reduce these risks through threat intelligence, ransomware monitoring, infrastructure analysis, and incident response readiness.

For businesses and security teams, the message is clear: ransomware operations rely heavily on hidden infrastructure, and disrupting those support systems can significantly impact cybercriminal activity.
