First VPN Takedown: Operation Saffron Dismantles Criminal VPN Used by 25 Ransomware Groups (2014–2026)


Executive Summary

Between May 19 and 20, 2026, an international law enforcement operation codenamed Operation Saffron dismantled First VPN, a virtual private network service that had been operational since 2014 and was widely used by cybercriminals, including at least 25 ransomware groups such as Avaddon and Phobos. The takedown was led by French and Dutch authorities with support from Europol, Eurojust, and agencies from over a dozen countries. Authorities seized 33 servers, took down multiple domains (including 1vpns.com, 1vpns.net, 1vpns.org, and related Tor onion domains), and arrested the service administrator in Ukraine. Law enforcement obtained the user database and criminal traffic logs, exposing thousands of users linked to cybercrime. The operation has disrupted a critical anonymization layer for ransomware, fraud, and data theft operations, and has generated actionable intelligence for ongoing investigations. All information in this summary is directly supported by primary sources (The Hacker News, TechCrunch, Help Net Security).

Technical Information

First VPN was a criminally marketed VPN service that had provided anonymization infrastructure to cybercriminals since 2014. The service was promoted on Russian-speaking cybercrime forums such as Exploit[.]in and XSS[.]is, and was specifically designed to facilitate anonymous payments, hidden infrastructure, and user identity obfuscation for malicious activities. The VPN supported multiple connection protocols, including OpenConnect, WireGuard, Outline, VLESS TCP Reality, OpenVPN ECC, L2TP/IPsec, and PPTP. Notably, the VLESS and Reality protocols allowed VPN traffic to be disguised as HTTPS over commonly used web ports, further complicating detection and attribution (The Hacker News).

The service operated 32 exit node servers across 27 countries, including the U.S., Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the U.K. Three U.S.-based exit nodes were specifically identified: 2.223.66[.]103, 5.181.234[.]59, and 92.38.148[.]58 (The Hacker News).

First VPN accepted payments via Bitcoin, Perfect Money, WebMoney, EgoPay, and InterKass, with subscription durations ranging from one day ($2) to one year ($483). Technical support was provided through a self-hosted Jabber server and encrypted Telegram messaging (The Hacker News).

The service claimed a strict no-logs policy, stating that only email and username were stored, and that it was impossible to connect user activity to a specific individual. However, law enforcement was able to obtain the user database and access criminal traffic, demonstrating that the anonymity guarantees were not absolute (TechCrunch, Help Net Security).

Attack Vectors Enabled by First VPN: First VPN was used to obscure the origins of malicious traffic during network reconnaissance, exploitation, lateral movement, and data exfiltration. Ransomware groups leveraged the VPN to mask their IP addresses during phishing campaigns (MITRE ATT&CK T1566), exploitation of public-facing applications (T1190), and brute-force attacks (T1110). The VPN infrastructure also enabled encrypted command and control (C2) channels (T1090, T1573), defense evasion (T1070, T1562), and exfiltration of stolen data (T1041). These vectors are directly cited in primary sources and align with known ransomware tactics, techniques, and procedures (The Hacker News, TechCrunch).

Ransomware and Malware Usage: At least 25 ransomware groups, including Avaddon and Phobos, used First VPN for network reconnaissance, intrusions, and attacks. Avaddon is known for phishing-based delivery and double extortion, while Phobos operates as a Ransomware-as-a-Service (RaaS) and is often delivered via RDP brute force and phishing (The Hacker News, Help Net Security).

Sector-Specific Targeting: First VPN was used in attacks against critical infrastructure, healthcare, education, and finance sectors, as evidenced by the activities of Avaddon and Phobos. The VPN also facilitated large-scale fraud, data theft, and distributed denial-of-service (DDoS) attacks, impacting both public and private sector organizations (Help Net Security, TechCrunch).

Technical Mapping to MITRE ATT&CK:
- Initial Access: T1566 (Phishing), T1190 (Exploit Public-Facing Application), T1110 (Brute Force)
- Execution: T1059 (Command and Scripting Interpreter)
- Persistence: T1547 (Boot or Logon Autostart Execution)
- Defense Evasion: T1070 (Indicator Removal on Host), T1562 (Impair Defenses)
- Credential Access: T1003 (OS Credential Dumping)
- Discovery: T1087 (Account Discovery), T1046 (Network Service Scanning)
- Lateral Movement: T1021 (Remote Services)
- Command and Control: T1090 (Proxy), T1573 (Encrypted Channel)
- Exfiltration: T1041 (Exfiltration Over C2 Channel)
- Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)

Attribution and Evidence: The attribution of First VPN’s use by ransomware groups is supported by the seizure of 33 servers, the user database, and criminal traffic logs. The service’s exclusive marketing on cybercrime forums and its no-logs policy claims were contradicted by law enforcement’s ability to identify users. These findings are corroborated by direct law enforcement and security vendor reporting (The Hacker News, TechCrunch, Help Net Security).

Affected Versions & Timeline

First VPN was operational from 2014 until its takedown in May 2026. The service was continuously updated and marketed on cybercrime forums throughout its lifespan. The international investigation began in December 2021, following repeated use of the VPN in crimes affecting French victims. Operation Saffron was executed on May 19-20, 2026, resulting in the dismantling of 33 servers, seizure of domains, and arrest of the administrator. Public disclosure occurred on May 21-22, 2026 (The Hacker News, TechCrunch, Help Net Security).

Threat Activity

First VPN was deeply embedded in the cybercrime ecosystem, appearing in almost every major cybercrime investigation supported by Europol in recent years. At least 25 ransomware groups, including Avaddon and Phobos, used the service for network reconnaissance, intrusions, and attacks. The VPN was also used for large-scale fraud, data theft, DDoS attacks, and running botnets. The service’s infrastructure enabled cybercriminals to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, and other serious offenses. Law enforcement’s seizure of the user database and criminal traffic exposed thousands of users linked to the cybercrime ecosystem and generated operational leads for ongoing investigations (The Hacker News, TechCrunch, Help Net Security).

Mitigation & Workarounds

Critical: Organizations should immediately review network logs for historical connections to the following First VPN exit node IP addresses and domains: 2.223.66[.]103, 5.181.234[.]59, 92.38.148[.]58, 1vpns.com, 1vpns.net, 1vpns.org, and related Tor onion domains. Any evidence of such connections should be treated as a potential indicator of compromise and investigated thoroughly (The Hacker News).
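The retrospective log review described above, as an added example that is not part of the original advisory or any Rescana tooling. It refangs the defanged indicators published for First VPN (the three U.S. exit node IPs and the 1vpns domains; the Tor onion domains are not listed on the page, so they are not included), then scans firewall, proxy and DNS log lines for them. The log format and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Indicators as published (The Hacker News), in defanged form.
FIRST_VPN_INDICATORS = [
    "2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58",
    "1vpns.com", "1vpns.net", "1vpns.org",
]

# Constructed sample log lines (not real captures); 198.51.100.7 is a
# documentation-range address standing in for benign traffic.
SAMPLE_LOGS = [
    "2026-03-02T10:15:01Z fw01 action=allow src=10.0.4.21 dst=2.223.66.103 dport=443",
    "2026-03-02T10:15:09Z proxy01 user=jdoe url=https://vpn.1vpns.net/login status=200",
    "2026-03-02T10:16:44Z fw01 action=allow src=10.0.4.22 dst=198.51.100.7 dport=443",
    "2026-03-02T10:17:03Z dns01 query=1VPNS.ORG type=A client=10.0.4.23",
]

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1vpns[.]com into 1vpns.com."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(indicators):
    """Split refanged indicators into an IP set and a domain list."""
    ips, domains = set(), []
    for raw in indicators:
        ioc = refang(raw).lower()
        try:
            ipaddress.ip_address(ioc)
            ips.add(ioc)
        except ValueError:
            domains.append(ioc)
    return ips, domains


def scan_log_lines(lines, indicators=FIRST_VPN_INDICATORS):
    """Return one hit per (line, indicator) for lines that mention a First VPN
    exit IP, or a 1vpns domain either exactly or as a parent of the host seen."""
    ips, domains = build_matchers(indicators)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append({"line": lineno, "indicator": ip, "kind": "ip"})
        for host in HOST_RE.findall(line):
            host = host.lower()
            for d in domains:
                if host == d or host.endswith("." + d):
                    hits.append({"line": lineno, "indicator": d, "kind": "domain"})
    return hits
```

Only three of the 32 exit nodes are published, so a clean scan does not prove the absence of First VPN traffic; treat hits as leads for a full investigation of the source host.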

High: Update and enforce network security controls to block known malicious VPN exit nodes and anonymization services. Implement strict egress filtering and monitor for unusual outbound VPN traffic, especially to countries or IP ranges not required for business operations.

High: Conduct retrospective threat hunting for MITRE ATT&CK techniques associated with ransomware and anonymization services, including T1090 (Proxy), T1573 (Encrypted Channel), T1041 (Exfiltration Over C2 Channel), and T1566 (Phishing).

Medium: Educate users and IT staff about the risks of anonymization services and the importance of reporting suspicious network activity. Ensure that incident response plans include procedures for identifying and responding to the use of anonymization infrastructure.

Medium: Collaborate with law enforcement and threat intelligence providers to receive updates on newly identified anonymization services and associated indicators of compromise.

Low: Review and update acceptable use policies to prohibit the use of unauthorized VPN and anonymization services within the organization.

References

https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html (May 22, 2026)

https://techcrunch.com/2026/05/21/law-enforcement-shuts-down-vpn-service-used-by-two-dozen-ransomware-gangs/ (May 21, 2026)

https://www.helpnetsecurity.com/2026/05/21/operation-saffron-first-vpn-takedown/ (May 21, 2026)

About Rescana

Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and supply chain partners. Our platform supports the identification of high-risk connections, detection of anomalous network activity, and integration of threat intelligence feeds relevant to anonymization services and ransomware infrastructure. For questions or further information, please contact us at ops@rescana.com.