Operation Saffron and the End of First VPN: Pre-Positioning Was the Whole Move
The seizure notice on 1vpns.com went up on May 20. The administrator was sitting in a house in Ukraine, being questioned, the same day. Thirty-three servers across twenty-seven countries went dark over a 48-hour window. The press release framing — Operation Saffron, led by France and the Netherlands, supported by Europol and Eurojust, sixteen nations contributing investigators — reads like a dozen previous criminal-VPN takedowns. Safe-Inet in 2020. DoubleVPN in 2021. VPNLab.net in 2022. Same shape, same agencies, same beats.
It isn’t the same operation. The line in the Europol statement that the other outlets buried, and that defenders should not bury, is this: before the service went offline, the police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe. That’s pre-positioning. That’s the law-enforcement equivalent of having a foothold inside the target environment before you decide it’s time to make noise. The seizure was the noise. The intelligence was already collected — 506 user dossiers shared internationally, 83 intelligence packages distributed to partner countries, the full user database in evidence storage.
The customer-side mitigation for this isn’t a control change. It’s the realization that “no logs” was never the threat model.
What First VPN actually was
The brand was “First VPN”; the primary domains were 1vpns[.]com, 1vpns[.]net, 1vpns[.]org, plus a handful of onion mirrors on the Tor network. The service launched in 2014 and ran for twelve years. Over its lifetime it accumulated more than 5,000 paid accounts. The exit-node footprint at takedown was 32 nodes across 27 countries — small by commercial-VPN standards, normal by bulletproof-VPN standards, because the point was jurisdictional shopping, not throughput.
Pricing was aggressively cheap relative to the value proposition. $2 for a single-day pass at the low end, $483 for a year of full access at the top end, with the usual ladder in between. Payments accepted in Bitcoin (standard), Perfect Money (the carding-forum staple), WebMoney (Russian-speaking ecosystem), EgoPay (long-tail), and InterKass. The InterKass and EgoPay options matter because they signal something about the customer base: this service was not optimizing for first-time buyers with technical sophistication. It was optimizing for accessibility to operators who already had infrastructure in those payment rails.
The protocol stack is the part worth slowing down on. First VPN offered:
- OpenConnect (the Cisco AnyConnect-compatible protocol, runs over TLS, looks like HTTPS to anything not doing deep inspection)
- WireGuard (modern, UDP, easy to fingerprint at the network layer if you have NetFlow with UDP/51820 visibility — though the port is configurable)
- Outline (Jigsaw’s Shadowsocks distribution, designed to evade nation-state DPI, payload looks like random bytes)
- VLess + Reality (this is the one)
- OpenVPN ECC (legacy, fingerprints cleanly with Suricata or Zeek)
- L2TP/IPSec (legacy, UDP/500 + UDP/4500, fingerprints trivially)
- PPTP (legacy, broken, listed presumably for compatibility with very old client configs)
Reality is the protocol that earns its own paragraph. VLess + Reality, originating in the V2Ray/Xray ecosystem, performs a TLS handshake against a real third-party domain — typically something high-volume like www.microsoft.com or apple.com — and steals the server’s actual TLS certificate chain for the handshake the client sees. From a passive observer’s perspective, the connection is indistinguishable from a normal HTTPS session to that third-party domain: same JA3, same SNI, same ALPN, same cert. The actual VPN traffic gets multiplexed inside after the handshake completes. There is no client-side cert pin you can use, no SNI mismatch to catch, no JA3 fingerprint that flags the protocol — by design, the fingerprint is whatever the impersonated upstream’s fingerprint is. This is not a research curiosity. This was the protocol First VPN customers were actively using through the takedown, and it is the reason a flat “block bulletproof VPN protocols” rule does not generalize.
Operation Saffron’s actual shape
The investigation opened in December 2021. The Joint Investigation Team formed in November 2023. The takedown executed on May 19-20, 2026. That’s a four-and-a-half-year buildup against a single twelve-year-old service. The agencies involved at the operational level were French and Dutch national police (lead), with sixteen nations contributing investigators through Europol’s Operational Taskforce. The administrative coordination ran through Europol’s European Cybercrime Centre (EC3) and Eurojust on the prosecutorial side. The administrator arrest happened in Ukraine; the suspect was interviewed rather than immediately extradited, which suggests either a cooperation arrangement or jurisdictional negotiation still in progress.
The numbers worth pinning:
- 33 servers seized across the infrastructure
- 27 countries with exit-node presence at takedown
- 5,000+ historical user accounts
- 506 users had identification packages shared with partner LE
- 83 intelligence packages distributed
- 25+ ransomware groups named as having used the service, with Avaddon and Phobos cited explicitly
- The Europol head of EC3 said First VPN’s name “came up in almost every major cybercrime investigation” the agency supported
The 506 figure relative to the 5,000+ historical accounts is the number to stare at. Even with full database access, even with traffic visibility before the takedown, the cohort that got identification packages built against them is roughly 10% of the historical user base. That’s not because the rest are clean. That’s because building an attributable case against an individual user takes correlation work that doesn’t scale linearly with the size of the dump, and law enforcement prioritized the cohort with the highest-value enabling activity (ransomware operators, MageCart skimmers, account takeover crews). The remaining 90% are not safe — they are deferred. The data is in evidence storage. The correlation work continues.
The pre-positioning move
Strip away the press-release language and the substance is: law enforcement was inside the First VPN environment, observing customer traffic, before the public takedown. The phrasing in the Europol statement is deliberately vague about how — whether through compromised infrastructure, an informant inside the operator’s organization, a court-ordered lawful intercept against the hosting provider, or some combination — but the operational consequence is the same. The user database the takedown surfaced was not extracted from disk during the seizure. It was already in LE hands. The seizure was confirmation, not collection.
This is the move that matters for the threat model around every successor service still operating in May 2026. The historical bulletproof-VPN customer assumption was that the worst-case outcome of a takedown was loss of service. You’d lose your tunnel, you’d have to migrate to a competitor, and as long as the operator’s no-logs claim was structurally true (no disk writes), the historical data was unrecoverable. The Safe-Inet takedown in 2020 partly reinforced that assumption — investigators got the infrastructure but the post-takedown reporting was vague about how much usable historical attribution came out of it.
Operation Saffron breaks that assumption. The worst-case outcome of a takedown is now retroactive identification of every connection you made through the service in the months or years before the seizure. The “no logs on disk” claim is irrelevant when LE is sitting on a tap upstream of the disk-write decision. Anything you did through that tunnel, while the tap was in place, is attributable. The customer never knew the tap was there. The operator may not have known either.
Apply that forward. Any criminal-marketed VPN service operating today should be assumed to be either already compromised by LE pre-positioning, or one Joint Investigation Team away from being so. The structural advantage that bulletproof VPNs sold for a decade — “we don’t keep logs, so a takedown is survivable” — is no longer the dominant threat model. The dominant threat model is “we don’t keep logs, but the FBI does.”
What this means for defenders looking at their own logs
Five things are worth doing this week if you have not done them already.
One: pull historical DNS and proxy logs for the seized domains. 1vpns.com, 1vpns.net, 1vpns.org, and the onion mirrors. Retention budget allowing, go back twelve months minimum, three years if you can. Any host on your network that resolved or connected to one of those domains is a host you should be looking at, and the question to answer is not “did this user violate AUP” — it’s “is this host compromised and the attacker was egressing through First VPN.” Insider misuse and external compromise look identical at the DNS layer; the disposition changes downstream.
Two: enrich your SIEM with the 33 seized server IPs as an IOC list. Europol has not published the full IP list as of this writing, but the partial list is circulating through MISP-equivalent sharing channels and the major commercial threat-intel feeds will have it integrated within the week if they don’t already. Once you have the list, run it against historical NetFlow and firewall connection logs. A First VPN exit-node IP showing up as the source of an inbound RDP or SSH connection attempt in the last twelve months is a finding, not a curiosity. So is the same IP showing up as the destination of unexpected outbound traffic from an internal host — that’s the egress side of the same compromise.
Three: think about Reality detection as a structural gap. I said above that VLess + Reality fingerprints as whatever the impersonated domain fingerprints as. That’s true at the protocol layer. At the connection pattern layer, Reality still leaves behavioral signal: long-lived connections to high-volume TLS endpoints from hosts that do not normally talk to those endpoints, with traffic volumes inconsistent with the impersonated service. A workstation that holds a 6-hour TLS connection to www.apple.com and pushes a hundred megabytes outbound is not doing what Apple intended. The detection is heuristic, the false-positive rate is non-zero, and the tuning is going to involve carving out genuine update traffic and the long-poll connections of some chat applications. But it exists, and most SOCs are not running it. If you have Zeek conn.log retention or the equivalent in Splunk Stream / Elastic Packetbeat, the data to build the detection is already on disk.
Four: review your egress posture, not just your detection content. This is the boring one and the one that matters most. A workstation running an unauthorized VPN client to a bulletproof provider should not have working egress to that provider in the first place. The architectural answer is allowlist-based egress from user endpoints to the named services they actually need (corporate proxy, SaaS apps, dev tooling), with everything else denied by default. The cultural answer is that this fight is unwinnable in shops that haven’t already had the political conversation about deny-by-default egress. Have the conversation; the next post-Saffron service is being rebranded as you read this.
Five: if you find a hit, treat it as a starting point, not a finding. First VPN was the tunnel. The activity on either end of the tunnel is the actual incident. If an internal host was egressing through First VPN, that’s a compromise to scope. If an external First VPN exit hit your perimeter, that’s reconnaissance or attempted intrusion to map back to whatever they tried. The takedown’s value to defenders is that it converts previously unattributable traffic into a starting question; the answer still requires the normal IR sequence.
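Step three’s behavioral heuristic, as an added example that is not from the article or any vendor: a small Python hunt over a constructed Zeek conn.log excerpt that flags TLS sessions which are long-lived, upload-heavy, and to a server the client has no prior baseline with. The thresholds, the baseline set, the allowlist, and the log lines are all assumptions for illustration.

```python
"""Behavioral hunt for Reality-style TLS tunnels over Zeek conn.log.

Added example, not from the article. Thresholds, baseline, allowlist and the
log excerpt below are constructed assumptions; tune them to your environment.
"""
# Constructed conn.log excerpt in Zeek's TSV layout (subset of standard fields).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1715000000.1\tC1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t21600.0\t104857600\t2048000\tSF
1715000001.2\tC2\t10.0.0.7\t51000\t203.0.113.10\t443\ttcp\tssl\t3.2\t1500\t40000\tSF
1715000002.3\tC3\t10.0.0.9\t50200\t198.51.100.5\t443\ttcp\tssl\t7200.0\t3000\t209715200\tSF
1715000003.4\tC4\t10.0.0.5\t51300\t198.51.100.20\t443\ttcp\tssl\t9000.0\t150000000\t1000\tSF
1715000004.5\tC5\t10.0.0.5\t51400\t203.0.113.10\t443\ttcp\tssl\t-\t-\t-\tS0
"""

MIN_DURATION_S = 3600.0        # "long-lived": one hour or more
MIN_ORIG_BYTES = 100 * 2**20   # ~100 MB pushed outbound by the client
# (client, server) pairs seen in an earlier window; constructed here, normally
# built from a week or more of conn.log preceding the hunt window.
BASELINE_PAIRS = {("10.0.0.5", "198.51.100.20")}
# Tuning carve-out for known update / long-poll destinations (constructed).
ALLOWLIST_RESP = {"198.51.100.20"}

def parse_conn_log(text):
    """Yield one dict per record from a Zeek TSV log carrying a #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def _num(value, cast):
    """Zeek writes '-' for unset fields (e.g. S0 half-opens); treat those as zero."""
    return cast(value) if value != "-" else cast(0)

def suspicious_tls_tunnels(text, baseline=BASELINE_PAIRS, allow=ALLOWLIST_RESP):
    """Return uids of TLS sessions that are long-lived, upload-heavy and novel."""
    hits = []
    for row in parse_conn_log(text):
        if row["service"] != "ssl" or row["id.resp_h"] in allow:
            continue
        pair = (row["id.orig_h"], row["id.resp_h"])
        long_lived = _num(row["duration"], float) >= MIN_DURATION_S
        upload_heavy = _num(row["orig_bytes"], int) >= MIN_ORIG_BYTES
        if long_lived and upload_heavy and pair not in baseline:
            hits.append(row["uid"])
    return hits
```

Joining each hit’s uid against Zeek’s ssl.log server_name field shows which domain the session presented as, which in the Reality case is the impersonated SNI rather than the real destination.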
The dissolution and what fills the vacuum
First VPN’s dissolution is real in a way Safe-Inet’s wasn’t quite. The administrator is in custody (interviewed, not yet charged at the time of writing). The user database is in evidence. The brand is burned in a way that means a “First VPN 2.0” relaunch under the same operator would be operationally suicidal. The infrastructure across 27 countries is offline. This is, for a brief window, a genuine gap in the bulletproof-VPN market.
It will not stay a gap. The historical pattern across the four major takedowns is clear: Safe-Inet in December 2020, DoubleVPN in June 2021 (six months later), VPNLab.net in January 2022 (seven months later), and now First VPN in May 2026. Each takedown removed roughly one major player. Each takedown was followed by visible customer migration to the next service in the queue within weeks. The market for bulletproof VPN access is demand-driven; supply reconstitutes from whoever has the operational stomach to run the service through the inevitable LE investigation cycle.
The likely shape of the successor service is worth flagging because it will affect defender detection content within months. Three observations:
The successor will probably default to Reality or an equivalent steganographic transport, because First VPN’s customer base just learned in public that the legacy protocols (OpenVPN, IPSec, WireGuard on default ports) fingerprint. The detection content that worked against First VPN’s protocol traffic will be progressively less useful against the next service.
The successor will probably move payment off the Russian-speaking-ecosystem rails (Perfect Money, WebMoney) and toward more thoroughly mixed cryptocurrency flows, because Operation Saffron’s user identification almost certainly traced some accounts through payment rather than traffic. Monero adoption in this space has been slowed historically by user inconvenience; that calculus changes after a major takedown.
The successor will probably operate with smaller account counts and higher prices, because the 5,000-account model is a target-rich operating posture from an LE investigation standpoint. A bulletproof service with 500 accounts at ten times the price is harder to infiltrate as a customer (the social engineering cost is higher) and produces a smaller intelligence haul if seized. That model is worse for the market but better for the operator’s survival horizon.
None of that is reason to relax detection content for the legacy patterns. Existing actors will continue to use the legacy protocols on existing infrastructure during the migration window. The detection content earns its keep across the transition, not just against the now-defunct service.
The shape of the problem
The bulletproof-VPN business model assumed law enforcement could only act after a service was taken down. Operation Saffron is a public demonstration that law enforcement can act before. The “no logs” promise was always somewhere between technically true and operationally meaningless — disk-write semantics are not a defense against an upstream tap — but it took a four-and-a-half-year investigation with a JIT, sixteen nations contributing investigators, and an administrator arrest to make that visible to the customer base. The visibility is now general. Every operator in the space has read the same press release. The customers have read it too.
For defenders, the takeaway is narrower and more actionable. First VPN’s seized domains, exit-node IPs, and protocol stack are concrete IOCs to run against historical logs this week. The Reality detection gap is a structural project worth scoping now, not after the successor service is operational. The egress-allowlist conversation is the one that converts this from a one-time hunt into a permanent posture change. The first two are tactical wins; the third is the only durable answer.
The next twelve years of bulletproof hosting will look different from the last twelve. Whether your detection content looks different is up to you.
Sources
- Police seize “First VPN” service used in ransomware, data theft attacks (BleepingComputer)
- First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups (The Hacker News)
- Authorities dismantle First VPN, used by ransomware actors (Help Net Security)
- Europol takes down First VPN, exposes thousands of users (Cybernews)
- ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested (SecurityWeek)
- European authorities take down prolific cybercrime VPN service (CyberScoop)
- Authorities Take Down “First VPN” Service Used in Ransomware Attacks (GBHackers)
- Europol Seizes First VPN Used by Ransomware Gangs, Arrests Administrator (HackRead)
- Cybercriminal VPN Dismantled in Europol Crackdown (Infosecurity Magazine)
- Global law enforcement operation takes First VPN offline (Security Affairs)
- First VPN Takedown Exposes Global Cybercrime Network (Technadu)