On Point: European and North American authorities have shut down First VPN Service, a criminal anonymization service used by 25 ransomware groups for cyberattacks and data theft. Operation Saffron resulted in the takedown of 33 servers and identified 506 users.
In a coordinated international operation, authorities from Europe and North America have shut down a criminal VPN service that was used by at least 25 ransomware groups to conceal cyberattacks. The so-called Operation Saffron, led by France and the Netherlands, demonstrated that even allegedly secure anonymization services do not provide protection from law enforcement.
Authorities announced the successful takedown of First VPN Service, a service specifically developed for criminal purposes that had been in operation since around 2014. The raid took place on May 19 and 20 and resulted from a coordinated investigative effort that began in December 2021 and involved 16 countries, including Luxembourg, Romania, Switzerland, Ukraine, the United Kingdom, Canada, Germany, the United States, Spain, Sweden, Denmark, Estonia, Latvia, Lithuania, Poland, and Portugal.
First VPN advertised that it would not cooperate with law enforcement authorities, would not store data, and would not be subject to any legal jurisdiction. The service accepted payment in Bitcoin and other cryptocurrencies, as well as Perfect Money and Webmoney. Subscription periods ranged from one day ($2) to one year ($483).
As part of the operation, 33 servers were shut down, the websites 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org were seized, and associated Tor addresses were taken offline. The service had 32 exit servers in 27 countries; three of those servers were located in the United States. At least 25 ransomware groups, including the Avaddon gang, used First VPN’s infrastructure for network reconnaissance and intrusion attempts. Cybersecurity company Bitdefender, which supported the investigation, identified 506 users of the service. These users have since been informed of the shutdown and warned that their identities are now known to authorities.