Law enforcement agencies from 27 countries have jointly dismantled 1VPNS, commonly known as First VPN Service, ending over a decade of anonymous operations that investigators say actively served cybercriminals worldwide.
The coordinated strike, named Operation Saffron, resulted in the seizure and shutdown of 33 servers tied to the platform. The official website, 1vpns.org, now displays only a law enforcement confiscation banner where its services once stood.
Operation Saffron Pulls in 27 agencies across Europe and beyond
Europol, Eurojust, the UK National Crime Agency, and authorities from France, the Netherlands, Switzerland, Luxembourg, Romania, Sweden, Spain, and Ukraine all participated in the operation.
The agencies confirmed that international law enforcement officers had taken full control of the platform’s infrastructure. A total of 27 separate agencies contributed to the action, making it one of the more expansive coordinated VPN takedowns in recent memory.
According to the seizure notice now displayed on the site, investigators connected the technical infrastructure directly to criminal activity and active cybercrime networks. Authorities have not yet released a detailed press statement covering the full scope of the investigation, and it remains unclear whether law enforcement arrested any suspects tied to the service.
Security researchers had previously flagged 1VPNS in reports linking similar “bulletproof” VPN structures to initial access brokers (criminals who sell stolen login credentials) and active members of the ransomware ecosystem. The platform gave these actors a layer of concealment that made tracing their activity considerably harder for investigators.
1VPNS spent 12 years hiding criminals behind layers of anonymity
The service launched in 2014 and ran without interruption until its seizure. During that time, 1VPNS marketed itself aggressively to users who prioritised staying invisible online.
The platform supported a range of modern protocols including WireGuard, OpenVPN, VLESS/Reality, and Shadowsocks. It also allowed users to route connections through Tor network onion addresses, adding yet another layer of concealment on top of the existing ones.
What separated 1VPNS from legitimate commercial providers was its outright rejection of customer identity verification. The operators accepted cryptocurrency payments and enforced no KYC (Know Your Customer) process, meaning anyone could subscribe without disclosing who they were.
The platform marketed “No Logs” policies, chained VPN configurations through double, triple, and quad-hop routing, and full Tor integration. A substantial portion of the platform’s infrastructure and internal communications also ran in Russian, indicating the service aimed itself strongly at Russian-speaking users.
These features made 1VPNS particularly attractive to threat actors who needed tools that law enforcement could not easily trace back to them. Unlike standard VPN providers that cooperate with legal data requests, 1VPNS constructed its entire business model around staying beyond reach.
Law enforcement is simultaneously targeting fake dark web sites. Operation Alice shut down 373,000 fraudulent sites, another example of the coordinated fight against criminal infrastructure.
Ransomware networks and credential sellers lose a key shield
The takedown removes a resource that bad actors had relied on for years. Ransomware operators and credential sellers regularly use services like 1VPNS to mask their locations and cover their tracks during attacks.
Stripping them of that infrastructure disrupts active operations and forces criminal networks to locate and vet replacement tools, a process that costs them both time and operational security.
Operation Saffron fits into a growing pattern of international law enforcement actions targeting services that knowingly cater to cybercriminals. Authorities across Europe and beyond have shown increasing willingness to pursue coordinated takedowns rather than allow these platforms to continue operating in legal grey zones.
The 1VPNS seizure delivers a pointed message to similar services: providing blanket anonymity to paying customers, without checks and without accountability, carries serious legal consequences.
Authorities have not confirmed any arrests. A formal press release detailing the full scope of Operation Saffron remains pending.
