DMZ//THREAT INTEL
FEED ACTIVELAST SYNC: 06:03:37ZSOURCES: 14CRITICAL: 15
⚠ ACTIVE ALERTS
SYLVANITE CRITICAL — SYLVANITE is a newly named Dragos-tracked threat group identified as a dedicated… /// @MsftSecIntel CRITICAL — We are tracking TeamPCP (UNC6780) activity following the GitHub internal repository… /// @GossiTheDog CRITICAL — The GitHub / TeamPCP breach is now being monetized on BreachForums. Listing is up — $95k… /// @struppigel CRITICAL — SUPPLY CHAIN ALERT: Laravel-Lang PHP packages backdoored May 22-23 via hijacked GitHub… /// @MalwareHunterTeam CRITICAL — Seeing fresh DebugElevator stealer log batches already appearing for sale on Exploit.in —…
15Critical Threats
8Active CVEs
0IOCs Tracked
0New Advisories
INTEL FEED/ARCHIVE/APT
DMZ INTEL DESK//FILED: 2026-05-25//00:44Z
HIGH#apt

Operation Saffron: First VPN Dismantled — 33 Servers Seized, Ukrainian Admin Arrested, User Database Captured Exposing 25+ Ransomware Groups Including Avaddon and Phobos

On May 19–20, 2026, French and Dutch authorities executed Operation Saffron, dismantling First VPN — a criminal bulletproof anonymization service operational since 2014 and used by at least 25 ransomware groups including Avaddon and Phobos — seizing 33 servers across 27 countries, shutting down 1vpns.com and related onion domains, and arresting the service's administrator in Ukraine. Critically, investigators had covert access to First VPN's infrastructure prior to the takedown, intercepting live criminal traffic and capturing the full user database of over 5,000 criminal accounts who falsely believed the service kept no logs. The seizure of the user database transforms this from a simple infrastructure disruption into a long-running prosecution engine, and every ransomware group now forced to find replacement infrastructure faces an elevated operational security failure window during transition.

This intelligence brief has been compiled from open-source reporting and corroborated across multiple threat intelligence sources. Defenders should treat the high severity rating as a guide to prioritization within their environment.

For the latest indicators of compromise, formatted SIEM queries, and unredacted actor intelligence related to this brief, DMZ Operator subscribers receive automated IOC packages via email the moment new advisories are published.

FILED UNDER:
operation-saffron · first-vpn · europol · law-enforcement-takedown · bulletproof-vpn · ransomware-infrastructure · avaddon · phobos · ukraine-arrest
STAY AHEAD OF THREATS
Daily intel briefs and IOC packages — delivered to your inbox the moment a new advisory drops.
SUBSCRIBE — $29/MO →
SHARE BRIEF:✕ Post on Xin Share on LinkedIn

RELATED ACTORS

ACTOR
FIRST VPN CRIMINAL NETWORK (Operation Saffron Takedown)
CRIMINAL
ACTOR
FIRST VPN (Cybercriminal Infrastructure — Operation Saffron)
CRIMINAL
ACTOR
First VPN Criminal Anonymization Network
CRIMINAL

MORE FROM ARCHIVE

# APT
2026-05-26
Lazarus Group Deploys RemotePE Memory-Only RAT Against Crypto and Financial Firms; $577M Stolen YTD
# APT
2026-05-25
Ghostwriter (UAC-0057 / UNC1151) Deploys Novel OYSTERBLUES Implant Against Ukrainian Government via Prometheus Learning Platform Lures — Active Since Spring 2026
# APT
2026-05-24
Salt Typhoon Expands to 80+ Countries with New TernDoor/PeerTime/BruteEntry Implants; South American Telecoms Now Targeted
# APT
2026-05-24
Ghostwriter/UAC-0057 Resurfaces with OYSTERFRESH/OYSTERBLUES Malware Chain, Abusing Prometheus Learning Platform as Lure Against Ukrainian Government Targets