惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

大猫的无限游戏
大猫的无限游戏
博客园 - 【当耐特】
Cloudbric
Cloudbric
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Attack and Defense Labs
Attack and Defense Labs
爱范儿
爱范儿
The Cloudflare Blog
腾讯CDC
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
云风的 BLOG
云风的 BLOG
Recent Announcements
Recent Announcements
C
Check Point Blog
Schneier on Security
Schneier on Security
S
Schneier on Security
J
Java Code Geeks
B
Blog RSS Feed
Cisco Talos Blog
Cisco Talos Blog
Vercel News
Vercel News
Stack Overflow Blog
Stack Overflow Blog
博客园_首页
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
About on SuperTechFans
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Google DeepMind News
Google DeepMind News
阮一峰的网络日志
阮一峰的网络日志
罗磊的独立博客
A
Arctic Wolf
S
Secure Thoughts
P
Palo Alto Networks Blog
The Last Watchdog
The Last Watchdog
SecWiki News
SecWiki News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
U
Unit 42
I
InfoQ
D
DataBreaches.Net
P
Privacy International News Feed
T
Troy Hunt's Blog
博客园 - 叶小钗
T
Threatpost
博客园 - Franky
K
Kaspersky official blog
Hugging Face - Blog
Hugging Face - Blog
IT之家
IT之家
www.infosecurity-magazine.com
www.infosecurity-magazine.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
Cisco Blogs

Business Insights

Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR Bitdefender Threat Debrief | July 2026 Trust Under Attack: How Deepfakes Are Rewriting Cybercrime Your AI SOC Won’t Catch Ransomware by Itself 2026 Cybersecurity Assessment: The Gap Between Knowing and Doing Your Last Red Team Tested the Wrong Attack MSP Strategic Defense: Why MDR Is the New Security Baseline for MSPs Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection CISA Mandates Change for Structured, Prioritized Updates and Vulnerability Management Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags What’s New in GravityZone June 2026 (v 6.74) Bitdefender Threat Intelligence: Built for How Security Teams Work Bitdefender Threat Debrief | June 2026 Cut Complexity in Half While Reducing Risk Across Your Endpoint Environment Bitdefender Named a Visionary in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection How Leading Organizations Turn EDR Into Operational Resilience Bitdefender Supports Ferrari Through Cybersecurity Built on Trust Bitdefender at Infosecurity Europe 2026: Staying Ahead of Faster Threats Endpoint Detection & Response Is Table Stakes Security MSP Strategic Defense: Why Dual-Layer Email Security (SEG + API) Is Now Essential Bitdefender GravityZone: 100% Telemetry in AV-Comparatives 2026 EDR Test FamousSparrow APT Targets Azerbaijani Oil and Gas Industry Bitdefender Threat Debrief | May 2026
Operation Saffron: Bitdefender Joins “First VPN” Takedown
Bitdefender Enterprise · 2026-05-22 · via Business Insights

An international law enforcement operation led by France and the Netherlands dismantled First VPN, a cybercriminal anonymization service used by ransomware actors, fraudsters, and data thieves across every major cybercrime investigation Europol has supported in recent years. Bitdefender supported the investigation through Europol, helping generate intelligence that exposed hundreds of individuals linked to cybercrime. This is the first VPN-category takedown in the history of Bitdefender’s law enforcement collaboration program, extending a research-led crime prevention strategy.

What First VPN Was

Ransomware actors need three things to operate at scale: command infrastructure they can hide, ransom payment flows they can obscure, and attribution barriers that keep investigators at arm’s length. First VPN provided all three. The service was promoted on Russian-speaking cybercrime forums as a tool for “remaining beyond the reach of law enforcement,” offering anonymous payments, hidden infrastructure, and features designed specifically for criminal use.

The operation dismantled 33 servers, seized the service’s primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated onion sites, and led to the arrest of the service’s administrator in Ukraine. French and Dutch investigators gained access to the service, obtained its user database, and identified VPN connections used by cybercriminals to hide ransomware attacks, large-scale fraud, and data theft. Europol disseminated 83 intelligence packages internationally. Information linked to 506 users was shared across participating jurisdictions. Twenty-one Europol-supported investigations advanced through the intelligence obtained.

The operation involved 18 countries: Canada, Denmark, Estonia, France, Germany, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, Spain, Sweden, Switzerland, Ukraine, the United Kingdom, and the United States. Eurojust hosted 16 coordination meetings. A Joint Investigation Team - a Eurojust legal framework that lets countries share evidence and coordinate prosecutions across borders - was established in November 2023 and enabled French and Dutch authorities to coordinate prosecutorial strategy across jurisdictions. The investigation launched in December 2021. The action days were May 19-20, 2026. The announcement came May 21, 2026.

Why Anonymization Infrastructure Matters

Edvardas Šileris, Head of Europol’s European Cybercrime Centre, framed it directly: “For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.

Cybercriminal anonymization services are the connective tissue of the ransomware economy. A ransomware group can develop custom malware, recruit affiliates, and plan operations, but without a way to hide command-and-control infrastructure and payment flows, the operation collapses under investigative pressure within weeks. First VPN solved that problem for its customers. Europol describes the service as appearing “in almost every major Europol-supported cybercrime investigation” in recent years.

The service appeared in investigations because it worked. Actors used it to obscure lateral movement during intrusions, to hide the origin of phishing campaigns, and to route ransom negotiation traffic through infrastructure investigators couldn’t trace back to physical locations.

Disrupting anonymization services raises the cost of operation across the ecosystem. Every ransomware group that relied on First VPN now needs to find an alternative, evaluate whether it provides equivalent protections, and rebuild operational security around a new service. Some will succeed. Many will make mistakes during the transition, creating investigative opportunities that didn’t exist when First VPN was operational. The takedown doesn’t end the category of anonymization services, but it shortens the operational window of the next one and raises the barrier to entry for actors who depended on turnkey solutions.

How This Fits the Draco Team’s Work

Bitdefender’s law enforcement collaboration program, the Draco Team, is a virtual unit composed of Bitdefender Labs researchers. The team was founded in 2015, and its work follows the same research-led prevention we apply to endpoint defense: predict which attacks are coming, understand the infrastructure they depend on, and disrupt it before the next wave launches.

The First VPN takedown is the first VPN-category disruption for the Draco Team, but it follows a decade-long arc. We supported the Hansa dark-web marketplace takedown in 2017. We developed decryptors for GandCrab (2018, helping over 500,000 victims), LockerGoga (2022), and MegaCortex (2023). We contributed investigative intelligence to the Sodinokibi / REvil operation in 2021, to the PIILOPUOTI marketplace case in 2023, and to Operation Endgame in 2024, the largest botnet takedown to date. Each operation targeted a different layer of the cybercrime economy: marketplaces where tools are sold, ransomware campaigns that rely on those tools, botnets that provide attacker infrastructure, and now the anonymization services that tie it all together.

The guiding principle for us remains the same: research leads to prediction, prediction leads to prevention, and prevention works better when it happens before exploitation rather than after.

What Happens Next

The seized infrastructure will be analyzed. The 506 users whose information was shared internationally represent a subset of the service’s customer base, and ongoing investigations will determine which of those connections map to active criminal operations. Some will be traced to known ransomware groups. Others will reveal fraud operations, data theft campaigns, or cybercrime-as-a-service infrastructure we didn’t know existed.

New anonymization services will appear. The economic demand hasn’t changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions. First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement’s reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists.

We will continue supporting law enforcement operations through Europol. The methodology behind our intelligence contributions remains confidential, but the outcome is public: infrastructure dismantled, users exposed, investigations advanced. Updates on Bitdefender’s law enforcement collaboration work are available at the Defeat Cybercrime page.