Operation Saffron: Global Law Enforcement Dismantles Criminal VPN Service 'First VPN'
A coordinated international effort, dubbed Operation Saffron, has led to the takedown of **First VPN**, a virtual private network service favored by cybercriminals. The service was used to mask the origins of ransomware attacks, data theft, and other malicious activities. Authorities have seized servers and infrastructure, warning former users that their anonymity has been compromised.

### International Operation Targets Criminal VPN
Authorities across Europe and North America have announced the disruption of **First VPN Service**, a criminal VPN used to conceal the source of ransomware attacks, data breaches, scanning activities, and denial-of-service attacks. The operation, codenamed Operation Saffron, was spearheaded by France and the Netherlands, with support from numerous other countries since December 2021.
Participating nations included Luxembourg, Romania, Switzerland, Ukraine, the U.K., Canada, Germany, the U.S., Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
### First VPN: Anonymity for Cybercrime
According to **Europol**, First VPN offered services specifically tailored for criminal use. This included anonymous payments and a hidden infrastructure designed to help customers conceal their identities while conducting ransomware attacks, large-scale fraud, and data theft. The service was actively promoted on Russian-speaking cybercrime forums like Exploit[.]in and XSS[.]is as a tool for evading law enforcement.
### Takedown Details
The international operation took place between May 19 and 20. Authorities interviewed the service's administrator, conducted a house search in Ukraine, shut down 33 servers, and seized infrastructure worldwide.
The confiscated domains include:
* 1vpns[.]com
* 1vpns[.]net
* 1vpns[.]org
* Related onion domains operating on the Tor network

"First VPN's website promoted itself by emphasizing anonymity, promising its users that it would not cooperate with any judicial authority, that it would not store data, and that the service would not be subject to any jurisdiction," **Eurojust** stated.
### User Data Compromised
Europol has notified First VPN's users that their identities are now known to authorities. **Bitdefender**, which assisted the investigation by sharing information on 506 users, emphasized that disrupting anonymization services increases the cost of operations for cybercriminals.
Bitdefender stated, "New anonymization services will appear. The economic demand hasn't changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions. First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement's reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists."
### FBI Flash Alert
The **U.S. Federal Bureau of Investigation (FBI)** issued a coordinated flash alert, noting that the service had been active since approximately 2014, operating 32 exit node servers in 27 countries. Three of these exit nodes were located in the U.S.:
* 2.223.66[.]103
* 5.181.234[.]59
* 92.38.148[.]58

Other exit nodes were located in various countries, including Australia, Austria, Belgium, Canada, Cyprus, Finland, France, Germany, Hong Kong, Italy, Latvia, Luxembourg, Moldova, the Netherlands, Panama, Poland, Romania, Russia, Serbia, Singapore, Spain, Sweden, Switzerland, Turkey, Ukraine, and the U.K.
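For defenders who want to check historical logs against the three U.S. exit nodes listed above, the following is an added example (not part of the FBI alert or the original article) that refangs the indicators and matches them as parsed addresses rather than substrings, so lookalikes such as `192.38.148.58` do not produce false hits. The function names `refang` and `hunt` and the `SAMPLE_LOG` lines are constructed for illustration.

```python
import ipaddress
import re

# Defanged indicators exactly as listed in the article (U.S. exit nodes).
DEFANGED_EXIT_NODES = ["2.223.66[.]103", "5.181.234[.]59", "92.38.148[.]58"]

# IPv4-shaped tokens only; the lookarounds reject slices of longer dotted
# strings (versions, OIDs) while still allowing a sentence-ending period.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

# Constructed sample log lines (not from the article or any real system).
SAMPLE_LOG = [
    "2024-01-10T03:14:07Z sshd[811]: Failed password for admin from 92.38.148.58 port 50122 ssh2",
    "2024-01-10T03:14:09Z fw: ACCEPT src=192.38.148.58 dst=10.0.0.5 dport=443",
    "2024-01-10T03:15:41Z vpn-gw: login ok user=jdoe ip=5.181.234.59:61022",
    "2024-01-10T03:16:02Z fw: DROP src=2.223.66.10 dst=10.0.0.5 dport=22",
    "2024-01-10T03:17:30Z app: build 1.5.181.234.59 deployed",
]


def refang(indicator):
    """Turn a defanged indicator such as 1.2.3[.]4 into a parsed IP address."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))


def hunt(log_lines, indicators=DEFANGED_EXIT_NODES):
    """Return (line_number, ip, line) for each log line naming a listed exit node."""
    watchlist = {refang(item) for item in indicators}
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for token in IPV4_TOKEN.findall(line):
            try:
                address = ipaddress.ip_address(token)
            except ValueError:
                continue  # IPv4-shaped but invalid, e.g. an octet above 255
            if address in watchlist:
                hits.append((number, str(address), line.strip()))
    return hits


if __name__ == "__main__":
    for number, ip, line in hunt(SAMPLE_LOG):
        print(f"line {number}: {ip}: {line}")
```

A hit shows only that traffic involved an address the alert attributes to the service; the addresses may since have been reassigned, so correlate hits with timestamps and surrounding activity.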
### Ransomware Connection
At least 25 ransomware groups, including **Avaddon Ransomware**, reportedly utilized First VPN infrastructure for network reconnaissance and intrusions. Subscription durations ranged from one day to one year, with prices varying from $2 for a single day to $483 for a full year. Payments were accepted via Bitcoin, Perfect Money, Webmoney, EgoPay, and InterKass.
### Technical Details
"First VPN Service offered several connection protocols, including OpenConnect, WireGuard, Outline, and VLess TCP Reality, and multiple encryption options including OpenVPN ECC, L2TP/IPSec, and PPtP," the FBI stated.
"Technical support was also offered to users via a self-hosted Jabber server and Telegram encrypted messaging service. Among the VPN protocol options, First VPN Service offered 'VLESS' and 'Reality' which provides the ability to disguise VPN Internet traffic as HTTPS traffic over ports which are commonly used to connect to websites."
### False Promises of Anonymity
According to snapshots captured on the Internet Archive, First VPN advertised "Anonymity, Stability, Security," claiming, "We do not store any logs that would allow us or third parties to associate an IP address in a specific period of time with the user of our service."
The service also stated, "The only data we store is e-mail and username, but it's impossible to connect the user's activity on the Internet with a specific user of our service."
To mitigate liability, First VPN stated in its FAQ that it "strictly" prohibited the use of its servers for illicit activities. "This facilitates the receipt of complaints about our servers, and as a result, they will be disabled," the FAQ read.