
Avaddon
Avaddon was a ransomware group active 2020-2021 that shut down operations and released decryption keys; its infrastructure connections to First VPN were exposed in Operation Saffron.
Last refreshed: 7 June 2026
Why did a defunct ransomware group appear in Europol's First VPN seizure five years after it shut down?
Timeline for Avaddon
Used First VPN to anonymise ransomware gang operations before the takedown
Cybersecurity: Threats and Defences: Europol seizes First VPN in Saffron raid
- What was the Avaddon ransomware and why did it shut down?
- Avaddon was a ransomware-as-a-service group active from June 2020 to June 2021 that encrypted victims' data, exfiltrated files, and used DDoS attacks as additional leverage. In June 2021 the group voluntarily shut down and provided 2,934 decryption keys to Bleeping Computer. The exact reason for shutdown was never confirmed; law-enforcement pressure following the Colonial Pipeline attack is the most widely cited factor. Source: Bleeping Computer, Emsisoft decryptor release announcement, June 2021
- Can Avaddon ransomware victims still recover their files?
- Yes. Emsisoft released a free decryptor in June 2021 using the 2,934 keys Avaddon provided to Bleeping Computer when the group shut down. Victims who have not yet used the tool can download it from Emsisoft's website. For victims who already paid a ransom, the keys are also valid for recovery. Source: Emsisoft decryptor release, Bleeping Computer June 2021
- Why was Avaddon mentioned in Europol's 2026 First VPN seizure?
- Europol named Avaddon as one of at least 25 ransomware gangs that had used First VPN as an anonymisation service. Despite Avaddon shutting down in 2021, First VPN's server logs retained historical connection data linking the group to the service. The logs seized in Operation Saffron (May 2026) provided forensic evidence of Avaddon's infrastructure even five years after the group dissolved. Source: Europol Operation Saffron press release, May 2026
Background
Avaddon was a ransomware group active from June 2020 to June 2021, operating on a ransomware-as-a-service model. It was known for a distinctive spam campaign distributing the ransomware via a "winking face" emoji lure and for conducting distributed denial-of-service (DDoS) attacks against victims as additional leverage alongside encryption and data exfiltration. Avaddon ran a public leak site called the "Avaddon Info" blog where it posted stolen data from non-paying victims. The group targeted organisations across the United States, Australia, Asia and Europe in sectors including manufacturing, healthcare and professional services.
In June 2021, Avaddon unexpectedly shut down, providing 2,934 decryption keys to Bleeping Computer and security firm Emsisoft, enabling victims to recover their data without paying. The motivation for the shutdown was not publicly explained; speculation ranged from law-enforcement pressure following the Colonial Pipeline attack (which had intensified US scrutiny of ransomware operations) to an operator decision to exit the market voluntarily. Emsisoft confirmed the keys were valid and released a free decryptor tool. Avaddon's infrastructure connections to First VPN were exposed in Europol's Operation Saffron on 21 May 2026, five years after the group ceased operations, indicating that First VPN's logs provided historical evidence of Avaddon's operational-security infrastructure even post-shutdown.
Avaddon's appearance in the Operation Saffron context illustrates how criminal VPN services create historical forensic trails: even groups that voluntarily dissolved leave infrastructure footprints in logs that law enforcement can exploit years later. The disclosure also raises the possibility that First VPN's logs may reveal historical attribution data for other ransomware campaigns linked to groups using the service.