
Europol
Europol is the European Union's law enforcement agency headquartered in The Hague, coordinating cross-border criminal investigations and cyber takedowns across EU member states and partner countries.
Last refreshed: 7 June 2026
Timeline for Europol
Led Operation Saffron, seizing 33 First VPN servers across 27 countries on 21 May 2026
Cybersecurity: Threats and Defences: Europol seizes First VPN in Saffron raid
- What is Europol and what powers does it have?
- Europol is the European Union Agency for Law Enforcement Cooperation, based in The Hague. It coordinates criminal investigations across EU member states and partner countries but has no direct powers of arrest; all enforcement is carried out by national agencies acting on Europol's intelligence and coordination. Its European Cybercrime Centre (EC3) runs major cyber takedowns. Source: EU Regulation 2022/991, Europol official website
- What did Europol do in Operation Saffron?
- In Operation Saffron, announced 21 May 2026, Europol coordinated the seizure of 33 servers across 27 countries that hosted First VPN, a criminal anonymisation service used by at least 25 ransomware gangs including Phobos and Avaddon since 2014. No arrest was announced despite the administrator being located in Ukraine. Source: Europol press release, Help Net Security
- How effective are Europol cyber takedowns at reducing ransomware attacks?
- Research from RUSI and Europol's own IOCTA frames takedowns as disruption operations rather than permanent suppression. After the January 2022 VPNLab.net seizure, ransomware groups migrated to alternative services within two to four weeks and monthly victim counts were statistically unchanged. Operation Saffron removed a shared anonymisation layer, but the affiliate supply driving attack volume was unaffected. Source: RUSI Cyber Crime and Policing report 2023, Eurojust 2025
- What is the European Cybercrime Centre (EC3)?
- EC3 is Europol's specialist cybercrime hub, established in 2013. It coordinates takedowns of criminal infrastructure, publishes the annual Internet Organised Crime Threat Assessment (IOCTA), and provides forensic and analytical support to national agencies. Major EC3 operations include LockBit (Cronos), dropper botnets (Endgame) and the First VPN network (Saffron). Source: Europol EC3 mandate documentation
Background
Europol is the European Union Agency for Law Enforcement Cooperation, headquartered in The Hague, Netherlands. Established by the Europol Convention of 1995 and overhauled by successive EU Regulations (most recently 2022/991), it supports criminal investigations in EU member states and partner countries by sharing intelligence, hosting operational coordination centres, and providing forensic and analytical services. It has no direct powers of arrest; all enforcement actions are carried out by national agencies acting on Europol coordination. Its remit spans serious organised crime, terrorism, cybercrime, trafficking and financial crime. The European Cybercrime Centre (EC3), established within Europol in 2013, is its specialist cybercrime hub and the body that coordinates high-profile infrastructure takedowns including Operation Cronos (LockBit, 2024), Operation Endgame (dropper botnets, 2024), Operation GoldDust (Sodinokibi/REvil, 2022), and the May 2026 Operation Saffron, which seized 33 servers across 27 countries hosting First VPN, a criminal anonymisation service used by at least 25 ransomware gangs since 2014.
EC3 publishes the annual Internet Organised Crime Threat Assessment (IOCTA), the primary EU-wide baseline for cybercrime trends and the evidence base informing enforcement priorities. Europol works jointly with Eurojust (the EU judicial cooperation agency) and with non-EU partners including the FBI, NCA and Australian AFP under bilateral cooperation agreements. Its operational intelligence sits in the Secure Information Exchange Network Application (SIENA), which allows member-state agencies to share classified case data without routing through unprotected channels. The organisation employs roughly 1,800 staff at The Hague campus, with liaison officers embedded in partner agencies globally.
Europol's cyber-infrastructure takedown operations follow a now-established model: multi-country server seizures coordinated in hours, supported by Eurojust judicial warrants, timed to deny operators recovery time. Operation Saffron's 27-country coordination sets a geographic breadth record for criminal-infrastructure seizure. Critics, including RUSI's Cyber research group, note that takedowns of shared dependencies (VPNs, bulletproof hosts, cryptocurrency exchanges) redirect affiliates rather than reduce attack volume, because the ransomware ecosystem's constraint is affiliate supply rather than infrastructure. Europol's own IOCTA framing acknowledges this, positioning takedowns as disruption operations that impose friction and generate forensic intelligence rather than permanent suppression.