European police say they turned First VPN from a shield for cybercriminals into an intelligence source, identifying users before seizing its domains and arresting its administrator.
The takedown matters most to ransomware crews, fraud operators, and the brokers that sell them “safe” infrastructure. This was not just a website seizure. Investigators “gained access to the service,” obtained its user database, and identified VPN connections tied to cybercrime, according to Ars Technica.
The core of the case is blunt: users who bought anonymity allegedly became identifiable.
Criminal users face the real hit: the privacy product became the weak point
Authorities did not frame First VPN as an ordinary mainstream privacy service that merely happened to attract bad users. Europol said the service was promoted on Russian-speaking cybercrime forums as a trusted way to stay outside law enforcement’s reach.
Its own archived marketing leaned into the same pitch: hidden IP addresses, encrypted communications, and no logs.
The website reportedly claimed:
“All of our servers, meet high security requirements and do not keep logs, are set up by specialists with vast experience in this field. Big Brother is watching you, we are not!”
That claim now looks like the operational trap. Europol said investigators obtained the user database and identified VPN connections used by cybercriminals. The available public reporting describes First VPN as a service favored by cybercrime actors, including ransomware-linked users, rather than a safe haven beyond investigative reach.
The question for users: what exactly did police see?
Authorities have not disclosed the technical path. They have said enough to show the risk: if investigators gain access to the provider, the user’s threat model changes instantly.
A VPN can hide traffic from an ISP. It cannot guarantee safety if the provider’s infrastructure, backend systems, operator, user records, or connection data become visible to investigators. That distinction is where many criminal users appear to have mispriced the risk.
For context, MLXIO has covered how enforcement pressure increasingly targets the operational layer around attacks, not just the malware itself, as in Kimwolf Botmaster ‘Dort’ Arrested After Record IoT Attacks.
Investigators targeted infrastructure, not just suspects
The confirmed sequence is unusually revealing. The investigation began in December 2021, and Eurojust supported the cross-border case alongside Europol and national authorities.
The direct actions happened on May 19 and May 20. Authorities interviewed the administrator, conducted a house search in Ukraine, dismantled 33 servers, and seized domains including 1vpns.com, 1vpns.net, 1vpns.org, plus associated onion domains.
Computer Weekly identified the case as Operation Saffron, a Franco-Dutch-led operation supported by Europol, Eurojust, the UK’s National Crime Agency, and private-sector partner Bitdefender.
The numbers that show the scale
| Confirmed figure | Source-backed detail |
|---|---|
| 33 servers dismantled | Europol figure from the takedown |
| 83 intelligence packages | Europol figure from the operation |
| 506 users | Information shared internationally, according to Europol |
| 21 investigations | Europol-supported investigations advanced so far |
Which number matters most? Not the domains. Domains are replaceable. The more consequential figures are the 506 users identified, the 83 intelligence packages, and the leads now available to investigators pursuing serious cybercrime cases.
The unresolved issue is the depth of access. Authorities said they obtained the user database and identified VPN connections used by cybercriminals. They have not publicly detailed how long that access lasted, what traffic or metadata was visible, or what data existed before police got inside the system.
VPN builders get a warning: “no logs” is only as strong as the operator and infrastructure
For VPN operators, First VPN is a reputational case study in reverse. The service advertised “no logs” and non-cooperation with judicial authorities. Eurojust said the website promised users it would not cooperate with any judicial authority, would not store data, and would not be subject to any jurisdiction.
Authorities say that posture did not protect users. It may have made the service more attractive to the exact audience police wanted to map.
Where the technical risk likely sits
MLXIO analysis: based on the official descriptions, this case appears less about breaking VPN encryption in the abstract and more about compromising or accessing the service layer around it.
That layer can include:
- User databases: account records, identifiers, access credentials, or subscription data.
- Connection records: timing, source and exit-node relationships, or session metadata if available.
- Server infrastructure: systems that may be used to route or conceal cybercrime activity.
- Administrative systems: panels or backend tools that reveal how the service is run.
- Domains and onion services: control points that can be seized or redirected after judicial orders.
The sources do not say which of these paths gave investigators access. But they do show that the provider became the investigative chokepoint.
That is the sharper lesson for infrastructure builders. A privacy claim is not just a slogan. It is an operational burden. If the service attracts criminal dependency and centralizes trust in one operator, that operator becomes the target.
Victims and enterprises get better leads, but not instant closure
For organizations hit by ransomware or intrusion attempts, the takedown could matter because access infrastructure is often what connects otherwise separate incidents. If investigators can tie users, timestamps, domains, and servers together, they can turn a privacy service into a map of activity.
That gives defenders something concrete: infrastructure links can connect separate incidents that otherwise look unrelated.
But this does not mean every First VPN user was a confirmed ransomware operator. Europol said users of the criminal service were notified of the shutdown and informed that they had been identified. The next phase depends on how investigators connect specific users, timestamps, infrastructure, and alleged activity.
The useful takeaway for enterprises is narrower and more practical: access infrastructure is often part of the attack chain. Corporate defenders should treat suspicious VPN activity as one signal among others, not as proof by itself.
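One way to apply that advice to historical logs, as an added example that is not code from the original article or from any agency involved: it looks back through DNS records for the three seized domains named above and escalates a host only when an independent signal corroborates the hit. The log format, host names, timestamps, and alert names are constructed for illustration; only the domains come from the article.

```python
from collections import defaultdict

# Domains the article names as seized. Everything else below is constructed.
SEIZED = ("1vpns.com", "1vpns.net", "1vpns.org")

# Constructed DNS log lines: "<ISO timestamp> <host> <queried name>"
DNS_LOG = """\
2025-03-02T01:14:07Z ws-114 gw.1vpns.com
2025-03-02T01:14:09Z ws-114 updates.example.org
2025-03-09T22:40:51Z srv-db2 1vpns.net.
2025-03-10T08:02:13Z ws-207 not1vpns.com
2025-03-11T03:30:00Z ws-031 NODE7.1VPNS.ORG
"""

# Constructed alerts from other tooling: (host, signal name)
OTHER_SIGNALS = [("srv-db2", "new-admin-account"), ("srv-db2", "mass-file-rename"),
                 ("ws-207", "macro-execution")]

def matches_seized(name):
    """Return the seized domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")          # DNS names are case-insensitive
    # Match on a label boundary so "not1vpns.com" is not a false positive.
    return next((d for d in SEIZED if name == d or name.endswith("." + d)), None)

def triage(dns_log, other_signals):
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:                  # skip malformed lines
            continue
        ts, host, qname = parts
        domain = matches_seized(qname)
        if domain:
            hits[host].append((ts, domain))
    extra = defaultdict(set)
    for host, signal in other_signals:
        extra[host].add(signal)
    report = {}
    for host, seen in hits.items():
        corroboration = sorted(extra[host])
        report[host] = {
            "first_seen": min(ts for ts, _ in seen),
            "domains": sorted({d for _, d in seen}),
            "corroboration": corroboration,
            # A VPN hit alone is a lead to watch, not proof of compromise.
            "verdict": "investigate" if corroboration else "watch",
        }
    return report

if __name__ == "__main__":
    for host, row in sorted(triage(DNS_LOG, OTHER_SIGNALS).items()):
        print(host, row)
```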
Law enforcement’s market signal: go after the services criminals trust
Europol framed the operation as a strike against a tool “designed specifically for criminal use.” Edvardas Šileris, head of Europol’s European Cybercrime Centre, told Computer Weekly:
“For years, cyber criminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong.”
That is the strategic message. Police do not need to weaken every VPN protocol or crack every encrypted session if they can compromise the commercial infrastructure criminals rely on.
The likely target set is not ordinary VPN use. The source material points to niche services advertised in criminal forums, promising hidden infrastructure, anonymous payments, refusal to cooperate with courts, and immunity from jurisdiction. Those claims are now a liability for both sides: they attract criminal users, and they mark the service as high-value infrastructure for police.
The evidence that would strengthen this thesis is follow-on action: more arrests, more named ransomware cases, or additional infrastructure seizures tied to the 83 intelligence packages already generated. The evidence that would weaken it is thinner prosecutorial output after a loud takedown.
For now, First VPN shows that misplaced trust can be more fragile than encryption. The next cybercrime fight may turn less on cracking code and more on finding the business operators criminals believed would never betray them.
Impact Analysis
- The operation shows that criminal-focused VPN services can become intelligence sources if law enforcement gains provider-level access.
- Users who relied on First VPN’s no-logs and anonymity claims may now face identification through seized databases and connection records.
- The takedown raises broader trust questions for privacy tools marketed as safe infrastructure for high-risk or illicit activity.










