Operation Saffron: Europol Seizes First VPN Used by 25+ Ransomware Groups, Captures Full User Database of 5,000+ Criminal Accounts After Covert Traffic Interception

French and Dutch authorities, supported by 18 nations and Europol, dismantled First VPN (1vpns.com/net/org) on May 19–20, 2026 under Operation Saffron — seizing 33 servers across 27 countries, interviewing the Ukrainian operator, and shutting all associated onion domains. Critically, investigators gained covert access to the service's infrastructure before the takedown, intercepting live criminal traffic and capturing the complete user database of over 5,000 accounts; the FBI confirmed the service was used by at least 25 distinct ransomware groups, including Avaddon, and appeared in nearly every major cybercrime investigation Europol has supported in recent years. The seized database transforms the operation into a long-running prosecution engine — every ransomware operator who relied on First VPN for C2 anonymization should assume identification is now possible, and law enforcement has signaled this is part of a deliberate strategy of targeting shared criminal infrastructure rather than individual affiliates.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.