DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // FIRST-VPN-CRIMINAL-NETWORK
FIRST SEEN: 2014

First VPN Criminal Anonymization Network

ALSO KNOWN AS: 1VPNs, firstvpn (operator interviewed in Ukraine)
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Ukraine (operator); infrastructure across 27 countries
ATTRIBUTION: ORGANIZED CRIME
STATUS: DORMANT
FIRST OBSERVED: 2014
TECHNICAL: 42/100
RESOURCES: 42/100
PERSISTENCE: 45/100
STEALTH: 37/100
IMPACT: 51/100

First VPN was a VPN service for the cybercriminal market that had operated since 2014 and was dismantled on May 19–20, 2026, in Operation Saffron by French and Dutch authorities with Europol/Eurojust support. The service had over 5,000 accounts and was confirmed to have been used by at least 25 ransomware groups, including Phobos RaaS affiliates. Europol seized 33 servers across 27 countries and generated 83 intelligence packages covering 506 identified users, enabling downstream ransomware and fraud investigations across multiple countries. All active users were notified that their identities are known to law enforcement.

Criminal infrastructure-as-a-service; provided anonymization to ransomware operators, fraud actors, and cybercriminals; advertised exclusively on Russian-speaking cybercriminal forums with a no-logs, no-jurisdiction promise

No-log VPN marketed on darknet forums, multi-hop connection relays for criminal anonymization, tiered pricing for relay complexity, .onion-hosted access portal; user base included ransomware operators, fraud actors

CRIMINAL SUPPORT INFRASTRUCTURE — RANSOMWARE GROUPS, FRAUD SCHEMES, CYBERCRIME ECOSYSTEM BROADLY

33 servers seized across 27 countries; domains 1vpns.com, 1vpns.net, 1vpns.org and associated .onion domains taken down; operator hardware searched in Ukraine; Bitdefender supported investigation via Europol

FILE DATE: 2014
Criminal VPN Service Launch
First VPN launched and began advertising exclusively on Russian-language cybercriminal forums, promising no cooperation with judicial authorities and no data retention.
FILE DATE: MAY 2026
Operation Saffron — Europol Takedown
French and Dutch authorities dismantled First VPN May 19–20, 2026; 33 ██████████████████████ interviewed in Ukraine, 506 users identified, intelligence packages shared with partner nations covering Phobos RaaS and other ransomware links.