Cybersecurity: Threats and Defences
7 JUN

Europol seizes First VPN in Saffron raid

10:08 UTC

Europol's Operation Saffron seized 33 servers across 27 countries hosting First VPN, a service running since 2014 used by at least 25 ransomware gangs including Phobos and Avaddon. The administrator was located in Ukraine.

Key takeaway

Europol's Operation Saffron seized First VPN's 33 servers, stripping anonymisation cover from at least 25 ransomware gangs.

Europol announced Operation Saffron on 21 May 2026, seizing 33 servers across 27 countries that hosted First VPN, a criminal anonymisation service running since 2014 [1]. At least 25 ransomware gangs used it to mask their operations, including Phobos and Avaddon, and the service's administrator was located in Ukraine [2].

First VPN sat in the plumbing of the ransomware economy rather than on its front line. Gangs route command-and-control traffic and victim communications through services like it to break the link between an attack and an identifiable operator, so seizing the hosting strips a layer of operational cover from every crew that depended on it. For investigators, the 33 servers are also an evidence haul: logs that could expose which gangs connected when.

Saffron follows a now-routine takedown shape. When the FBI and Michigan State Police seized the E-Note exchange in April, they pulled a money-laundering channel out from under ransomware crews without eliminating the operators who used it. Saffron repeats the shape at the anonymisation layer: a shared dependency removed, a temporary friction imposed, but no reduction in the affiliate supply that keeps the monthly attack count flat. Crews migrate to the next bulletproof host, and the displacement buys defenders time rather than relief.

Deep Analysis

In plain English

Europol, the European Union's law enforcement agency, announced on 21 May 2026 that it had seized 33 servers belonging to a service called First VPN in a coordinated raid across 27 countries. First VPN was not a legitimate privacy service: it was specifically designed to help criminal ransomware gangs hide their identity and location while attacking victims. At least 25 different ransomware groups had used First VPN since 2014, including gangs called Phobos and Avaddon. Europol named the operation Saffron. While the seizure disrupts these groups immediately, criminal operators typically find alternative anonymisation services within a few weeks, meaning the long-term impact depends on follow-on arrests rather than the server seizures alone.

What could happen next?
  • Consequence

    Phobos and Avaddon affiliates will migrate to alternative criminal anonymisation services within two to four weeks based on prior VPNLab.net reconstitution timelines, restoring operational capacity without significantly reducing attack frequency.

    Short term · Assessed
  • Precedent

    Operation Saffron's 27-country coordination establishes a new geographic breadth record for criminal-infrastructure seizure, creating a framework that Europol may apply to other multi-jurisdictional criminal service providers in the anonymisation and bulletproof-hosting markets.

    Medium term · Suggested
  • Risk

    The absence of a named arrest in the Operation Saffron announcement, despite the administrator being located in Ukraine, leaves the core operator free to reconstitute the service under a different name and infrastructure, as occurred after VPNLab and DoubleVPN.

    Short term · Assessed
First Reported In

Update #6 · The 2024 patch that is breaking now

Help Net Security · 7 Jun 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.