Cybersecurity: Threats and Defences
Europol seizes First VPN in Saffron raid

14 Jun, 11:51 UTC

Europol's Operation Saffron seized 33 servers across 27 countries hosting First VPN, a service running since 2014 used by at least 25 ransomware gangs including Phobos and Avaddon. The administrator was located in Ukraine.

Key takeaway

Europol's Operation Saffron seized First VPN's 33 servers, stripping anonymisation cover from at least 25 ransomware gangs.

Europol announced Operation Saffron on 21 May 2026, seizing 33 servers across 27 countries that hosted First VPN, a criminal anonymisation service running since 2014 [1]. At least 25 ransomware gangs used it to mask their operations, including Phobos and Avaddon, and the service's administrator was located in Ukraine [2].

First VPN sat in the plumbing of the ransomware economy rather than on its front line. Gangs route command-and-control traffic and victim communications through services like it to break the link between an attack and an identifiable operator, so seizing the hosting strips a layer of operational cover from every crew that depended on it. For investigators, the 33 servers are also an evidence haul: logs that could expose which gangs connected when.

Saffron follows a now-routine takedown shape. When the FBI and Michigan State Police seized the E-Note exchange in April, they pulled a money-laundering channel out from under ransomware crews without eliminating the operators who used it. Saffron repeats the shape at the anonymisation layer: a shared dependency removed, a temporary friction imposed, but no reduction in the affiliate supply that keeps the monthly attack count flat. Crews migrate to the next bulletproof host, and the displacement buys defenders time rather than relief.

Deep Analysis

In plain English

Europol, the European Union's law enforcement agency, announced on 21 May 2026 that it had seized 33 servers belonging to a service called First VPN in a coordinated raid across 27 countries. First VPN was not a legitimate privacy service: it was specifically designed to help criminal ransomware gangs hide their identity and location while attacking victims. At least 25 different ransomware groups had used First VPN since 2014, including gangs called Phobos and Avaddon. Europol named the operation Saffron. While the seizure disrupts these groups immediately, criminal operators typically find alternative anonymisation services within a few weeks, meaning the long-term impact depends on follow-on arrests rather than the server seizures alone.

What could happen next?
  • Consequence

    Phobos and Avaddon affiliates will migrate to alternative criminal anonymisation services within two to four weeks based on prior VPNLab.net reconstitution timelines, restoring operational capacity without significantly reducing attack frequency.

    Short term · Assessed
  • Precedent

    Operation Saffron's 27-country coordination establishes a new geographic breadth record for criminal-infrastructure seizure, creating a framework that Europol may apply to other multi-jurisdictional criminal service providers in the anonymisation and bulletproof-hosting markets.

    Medium term · Suggested
  • Risk

    The absence of a named arrest in the Operation Saffron announcement, despite the administrator being located in Ukraine, leaves the core operator free to reconstitute the service under a different name and infrastructure, as occurred after VPNLab and DoubleVPN.

    Short term · Assessed
First Reported In

Help Net Security · 7 Jun 2026 · Update #6 · The 2024 patch that is breaking now
Different Perspectives

Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.