Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

Europol seizes First VPN in Saffron raid

3 min read
11:00UTC

Europol's Operation Saffron seized 33 servers across 27 countries hosting First VPN, a service running since 2014 used by at least 25 ransomware gangs including Phobos and Avaddon. The administrator was located in Ukraine.

TechnologyDeveloping
Key takeaway

Europol's Operation Saffron seized First VPN's 33 servers, stripping anonymisation cover from at least 25 ransomware gangs.

Europol announced Operation Saffron on 21 May 2026, seizing 33 servers across 27 countries that hosted First VPN, a criminal anonymisation service running since 2014 1. At least 25 ransomware gangs used it to mask their operations, including Phobos and Avaddon, and the service's administrator was located in Ukraine 2.

First VPN sat in the plumbing of the ransomware economy rather than on its front line. Gangs route command-and-control traffic and victim communications through services like it to break the link between an attack and an identifiable operator, so seizing the hosting strips a layer of operational cover from every crew that depended on it. For investigators, the 33 servers are also an evidence haul: logs that could expose which gangs connected when.

Saffron follows a now-routine takedown shape. When the FBI and Michigan state Police seized the E-Note exchange in April , they pulled a money-laundering channel out from under ransomware crews without eliminating the operators who used it. Saffron repeats the shape at the anonymisation layer: a shared dependency removed, a temporary friction imposed, but no reduction in the affiliate supply that keeps the monthly attack count flat. Crews migrate to the next bulletproof host, and the displacement buys defenders time rather than relief.

Deep Analysis

In plain English

Europol, the European Union's law enforcement agency, announced on 21 May 2026 that it had seized 33 servers belonging to a service called First VPN in a coordinated raid across 27 countries. First VPN was not a legitimate privacy service: it was specifically designed to help criminal ransomware gangs hide their identity and location while attacking victims. At least 25 different ransomware groups had used First VPN since 2014, including gangs called Phobos and Avaddon. Europol named the operation Saffron. While the seizure disrupts these groups immediately, criminal operators typically find alternative anonymisation services within a few weeks, meaning the long-term impact depends on follow-on arrests rather than the server seizures alone.

What could happen next?
  • Consequence

    Phobos and Avaddon affiliates will migrate to alternative criminal anonymisation services within two to four weeks based on prior VPNLab.net reconstitution timelines, restoring operational capacity without significantly reducing attack frequency.

    Short term · Assessed
  • Precedent

    Operation Saffron's 27-country coordination establishes a new geographic breadth record for criminal-infrastructure seizure, creating a framework that Europol may apply to other multi-jurisdictional criminal service providers in the anonymisation and bulletproof-hosting markets.

    Medium term · Suggested
  • Risk

    The absence of a named arrest in the Operation Saffron announcement, despite the administrator being located in Ukraine, leaves the core operator free to reconstitute the service under a different name and infrastructure, as occurred after VPNLab and DoubleVPN.

    Short term · Assessed
First Reported In

Update #6 · The 2024 patch that is breaking now

Help Net Security· 7 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.