DMZ//THREAT INTEL
TLP:WHITE
THREAT ACTOR DOSSIER // OPERATION-SAFFRON-FIRSTPVN
FIRST SEEN: JAN 2014

FIRST VPN (Cybercriminal Infrastructure — Operation Saffron)

ALSO KNOWN AS: 1VPNs, FirstVPN, first-vpn criminal service
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Ukraine (operator interviewed during house search; servers across 27 countries)
ATTRIBUTION: ORGANIZED CRIME
STATUS: DORMANT
FIRST OBSERVED: JAN 2014
TECHNICAL: 42/100
RESOURCES: 42/100
PERSISTENCE: 45/100
STEALTH: 37/100
IMPACT: 51/100

First VPN was a criminal VPN service operating since 2014, marketed exclusively on Russian-speaking cybercriminal forums and used by over 5,000 accounts including at least 25 ransomware groups (notably Phobos RaaS affiliates). Taken offline May 19–20, 2026 via Operation Saffron — a joint French/Dutch/Europol/Eurojust action seizing 33 servers across 27 countries and interviewing the Ukrainian operator. Before shutdown, law enforcement gained covert visibility into criminal user traffic; 83 intelligence packages covering 506 identified users were disseminated to partner countries for ongoing ransomware and fraud investigations.

Financial — anonymization-as-a-service marketed exclusively on cybercriminal forums to ransomware operators, fraudsters, and data thieves

Anonymization-as-a-service (multi-hop relay tiers), no-log policy claims (contradicted by law enforcement access), dark web (.onion) access portals, tiered pricing based on connection complexity, sole marketing via cybercrime forums (no legitimate customer base)

LAW ENFORCEMENT EVASION INFRASTRUCTURE
RANSOMWARE OPERATOR ANONYMITY
FRAUD ECOSYSTEM SUPPORT

33 servers across 27 countries (all seized), domains: 1vpns.com, 1vpns.net, 1vpns.org and associated .onion addresses (all seized/redirected), operator based in Ukraine

FILE DATE: JAN 2014
Criminal VPN Service Launch
First VPN launched as a dedicated anonymization service for cybercriminals, growing to 5,000+ accounts across 12 years and becoming the infrastructure of choice for ransomware groups including Phobos RaaS.
FILE DATE: MAY 2026
Operation Saffron Takedown
French and Dutch authorities with Europol/Eurojust support seized all 33 servers ███████████████████ on May 19–20, 2026, identified 506 users, and disseminated 83 intelligence packages to partner nations for downstream ransomware and fraud investigations.