SUBJECT PROFILE
First VPN, a criminal VPN service operating since 2014 and marketed exclusively on Russian-speaking cybercrime forums, was dismantled on May 19–20, 2026 in Operation Saffron, led by French and Dutch authorities with Europol and Eurojust support. The service had over 5,000 accounts, was linked to at least 25 ransomware groups including the Phobos RaaS outfit, and facilitated the laundering of more than $70M in illicit proceeds. Law enforcement seized 33 servers across 27 countries, shut down domains including 1vpns.com and associated .onion addresses, and generated 83 intelligence packages covering 506 users, which were shared with partner countries. All users were notified that their identities are now known to authorities. The takedown represents a significant blow to the anonymization layer of the ransomware supply chain.
Anonymization-as-a-service for ransomware operators, data thieves, and fraud actors; financially motivated infrastructure provider enabling cybercriminal ecosystem anonymity
OPERATIONAL HISTORY
Anonymization-as-a-service for ransomware C2 and exfiltration routing; tiered connection relay pricing for criminal clients; no-log / no-cooperation policy marketed to criminal buyers; infrastructure spanning 27 countries; MITRE ATT&CK techniques: T1090 (Proxy), T1572 (Protocol Tunneling)
KNOWN INFRASTRUCTURE
33 servers across 27 countries (all seized); domains: 1vpns.com, 1vpns.net, 1vpns.org, and associated .onion domains (all shut down May 19–20, 2026); service operational since 2014; administrator based in Ukraine