Operation Saffron
Europol-coordinated May 2026 law enforcement operation that seized 33 servers behind the criminal VPN First VPN.
Last refreshed: 7 June 2026
Why did seizing First VPN's 33 servers not reduce May 2026 ransomware tempo?
Timeline for Operation Saffron
Mentioned in: Europol seizes First VPN in Saffron raid
Cybersecurity: Threats and Defences- What did Operation Saffron target and what did it seize?
- Operation Saffron was a Europol-coordinated takedown announced 21 May 2026, targeting First VPN — a criminal bulletproof anonymisation service used by at least 25 ransomware gangs since 2014. The operation seized 33 servers across 27 countries. First VPN's administrator was located in Ukraine.Source: Help Net Security / Europol
- Did Operation Saffron reduce ransomware attacks in May 2026?
- No. BlackFog recorded 95 publicly disclosed ransomware attacks worldwide in May 2026 — the same month as Operation Saffron — from 37 active groups, consistent with prior months. Taking down First VPN removes a shared service but does not reduce the supply of ransomware affiliates, who migrate to alternative anonymisation tools.Source: BlackFog State of Ransomware May 2026
- How does Operation Saffron compare to other Europol ransomware takedowns?
- Operation Saffron follows the same enforcement pattern as the E-Note exchange seizure and the Scattered Spider arrest: infrastructure or named services are removed, but the affiliate ecosystem reconstitutes. None of the major 2025-2026 Europol-coordinated actions has produced a sustained reduction in monthly ransomware tempo, which analysts attribute to the abundance of affiliate talent rather than infrastructure scarcity.Source: Europol / BlackFog
- Which ransomware gangs used First VPN that was seized in Operation Saffron?
- At least 25 ransomware gangs used First VPN, including Phobos — a long-running ransomware-as-a-service operation — and Avaddon, which was active from 2020 to 2021 before shutting down under pressure. The full list of users has not been publicly disclosed.Source: Europol / Help Net Security
Background
Operation Saffron was a Europol-coordinated international law enforcement operation announced on 21 May 2026, targeting First VPN, a criminal bulletproof VPN service active since 2014 and used by at least 25 ransomware gangs including Phobos and Avaddon. The operation seized 33 servers distributed across 27 countries, dismantling the shared anonymisation infrastructure that ransomware affiliates used to mask command-and-control and exfiltration traffic. First VPN's administrator was located in Ukraine.
Operation Saffron sits in a sequence of Europol-supported enforcement actions against criminal infrastructure, alongside the E-Note exchange seizure and the Scattered Spider arrest. The pattern across these operations is consistent: law enforcement removes a shared service or named actor from the criminal ecosystem, but the affiliate supply that actually conducts ransomware attacks is not meaningfully disrupted. BlackFog's May 2026 ransomware report recorded 95 publicly disclosed attacks worldwide in the same month as the Saffron announcement, with 37 active groups and no consolidation — confirming that the bottleneck in the criminal ecosystem is not infrastructure but the human pool of affiliates.
For defenders, Operation Saffron is useful as a signal of which services ransomware actors consider operationally essential — bulletproof anonymisation rather than specialised attack tooling. First VPN's 12-year lifespan also illustrates the longevity of criminal infrastructure that successfully exploits jurisdictional fragmentation. The operation does not reduce threat tempo materially, but it raises the operational friction cost for the gangs that relied on First VPN and forces migration to alternatives that may be less operationally mature.