Canadian Cyber Security Journal

Operation Saffron: Europol Dismantles First VPN — the Criminal Network Behind Nearly Every Major Ransomware Investigation

What Happened

On May 19 and 20, 2026, French and Dutch authorities — coordinated by Europol and Eurojust — seized 33 servers and four domains connected to First VPN as part of Operation Saffron. The service’s operator was located and interviewed in Ukraine.

First VPN was openly marketed on Russian-speaking cybercrime forums as a secure platform for criminal activity. It promised anonymous payments, concealed infrastructure, and a strict no-cooperation policy with law enforcement. The service operated across 27 countries and became the most widely used VPN service in the cybercriminal underground, appearing in nearly every major Europol-supported cybercrime investigation.

Before taking the service offline, authorities gained access to the network’s traffic. Every identified user received a notification confirming they had been identified. Investigators compiled 83 intelligence packages covering 506 users and shared them with partner countries. The operation also produced leads directly relevant to Phobos ransomware-as-a-service investigations.

Seized domains included 1vpns.com, 1vpns.net, 1vpns.org, and associated .onion addresses. The investigation launched in 2021 and ran for five years before the coordinated takedown.

Why This Matters for Canadian Organizations

First VPN was infrastructure — not a threat actor. Its dismantlement is significant for organizations and incident responders because the service provided anonymization and attribution evasion for a wide range of criminal operations, including ransomware delivery, credential theft, and data extortion campaigns.

Canadian organizations that experienced ransomware incidents or data theft attacks in recent years, and never fully attributed the initial access vector, will want to watch for new attribution disclosures as Europol and partner agencies work through the 83 intelligence packages distributed to 27 countries. The Royal Canadian Mounted Police’s National Cybercrime Coordination Centre (NC3) is among the partner agencies aligned with Europol intelligence-sharing frameworks.

The Phobos ransomware angle is notable. Phobos operates as a RaaS platform with a large affiliate base targeting small-to-medium businesses, healthcare providers, and government contractors — sector categories prevalent across Canada. Any Canadian organization with a Phobos-linked incident and open questions on actor attribution should be aware this operation produced leads.

The takedown confirms criminal operational security does not guarantee long-term anonymity. Law enforcement access to First VPN’s traffic prior to the seizure means historical activity logs are now in investigative hands. Organizations tracking threat intelligence and sharing indicators with their sector ISAC or the CCCS should flag this development to incident response teams with open ransomware cases.

What to Do

If your organization is investigating or has investigated a ransomware or data theft incident where attribution was unclear, note this development and consider reporting to the Canadian Centre for Cyber Security or the RCMP NC3, where newly available intelligence could support attribution efforts. Reporting incidents also ensures Canadian organizations contribute to the intelligence picture that enables operations like Saffron.

Monitor your threat intelligence feeds for new indicators of compromise tied to Phobos affiliates over the coming weeks, as law enforcement actions against criminal infrastructure frequently produce a wave of new IOC disclosures.

Source: BleepingComputer | Europol | CyberScoop
