Organisation · UA

First VPN

First VPN was a criminal anonymisation service operating since 2014 and used by at least 25 ransomware gangs including Phobos and Avaddon; seized by Europol in Operation Saffron on 21 May 2026.

Last refreshed: 7 June 2026 · Appears in 1 active topic

Key Question

How did a 12-year-old criminal VPN service come to underpin 25 ransomware gangs before Europol's seizure?

Timeline for First VPN

#6 · 21 May

Shut down after 33 servers were seized by Europol across 27 countries

Cybersecurity: Threats and Defences: Europol seizes First VPN in Saffron raid
Common Questions
What is a bulletproof VPN and how was First VPN used by ransomware gangs?
A bulletproof VPN is a virtual private network service deliberately hosted to resist law enforcement takedown requests, typically across jurisdictions with weak legal cooperation. First VPN provided this anonymisation layer to at least 25 ransomware gangs, masking their command-and-control communications, data exfiltration traffic and ransom negotiations from attribution. Source: Europol / Help Net Security
What happened to First VPN in Operation Saffron?
Europol announced on 21 May 2026 that Operation Saffron had seized 33 servers across 27 countries that formed First VPN's infrastructure. The service's administrator was located in Ukraine. The takedown removed a shared criminal asset but did not arrest the administrator, and the ransomware groups using First VPN were expected to migrate to alternative services. Source: Help Net Security / Europol
Which ransomware groups used First VPN?
At least 25 ransomware gangs used First VPN as an anonymisation layer, including Phobos and Avaddon. Phobos is a long-running ransomware-as-a-service operation targeting SMEs; Avaddon was active from 2020 to 2021 before shutting down under law-enforcement pressure. First VPN's open-marketplace structure meant it served both as a specialist criminal tool and a general anonymisation product. Source: Europol / Help Net Security
Does taking down First VPN reduce ransomware attacks?
Law enforcement takedowns of services like First VPN disrupt operational convenience but do not reduce the supply of ransomware affiliates. In May 2026, the month of the First VPN seizure, BlackFog recorded 95 publicly disclosed ransomware attacks worldwide — a tempo consistent with prior months. Affiliates typically migrate to alternative anonymisation services within days. Source: BlackFog / ENISA

Background

First VPN was a criminal anonymisation service marketed as a bulletproof VPN — meaning it was deliberately structured to resist law-enforcement takedown requests and hosted infrastructure across jurisdictions with weak mutual legal assistance cooperation. Active since 2014, First VPN was used as an anonymisation layer by at least 25 ransomware gangs including Phobos and Avaddon, allowing affiliates to mask command-and-control traffic, exfiltration channels and ransom negotiation communications.

On 21 May 2026, Europol announced Operation Saffron had seized 33 servers across 27 countries linked to First VPN's infrastructure. The service's administrator was located in Ukraine. The seizure removed a shared operational asset from the criminal ecosystem but did not arrest the administrator or directly disrupt the ransomware groups that used it; those groups were expected to migrate to alternative anonymisation services.

Bulletproof VPN services occupy a critical enabling role in the ransomware-as-a-service (RaaS) economy: they provide affiliates with a layer of operational security that separates criminal activity from attributable internet identifiers. First VPN's 12-year operational lifespan reflects the difficulty of dismantling infrastructure spread across multiple jurisdictions. Law enforcement's pattern across Operation Saffron, the E-Note exchange seizure and the Scattered Spider arrest is consistent: infrastructure and services are taken off the board, but affiliate supply — the human pool carrying out attacks — is not meaningfully reduced, and tempo holds as attackers reconstitute around remaining tooling.

Source Material