惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
S
Security @ Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
人人都是产品经理
人人都是产品经理
The Hacker News
The Hacker News
W
WeLiveSecurity
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
博客园 - 司徒正美
雷峰网
雷峰网
L
LINUX DO - 最新话题
博客园 - 叶小钗
云风的 BLOG
云风的 BLOG
The Last Watchdog
The Last Watchdog
V2EX - 技术
V2EX - 技术
S
Security Affairs
有赞技术团队
有赞技术团队
月光博客
月光博客
T
Threatpost
T
Tor Project blog
O
OpenAI News
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
V2EX
Know Your Adversary
Know Your Adversary
Project Zero
Project Zero
博客园 - 三生石上(FineUI控件)
D
Docker
AWS News Blog
AWS News Blog
AI
AI
P
Proofpoint News Feed
K
Kaspersky official blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
D
Darknet – Hacking Tools, Hacker News & Cyber Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Securelist
F
Fortinet All Blogs
F
Full Disclosure
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
P
Palo Alto Networks Blog
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
美团技术团队
N
News | PayPal Newsroom
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog

Business Insights

What’s New in GravityZone July 2026 (v 6.75) Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR Bitdefender Threat Debrief | July 2026 Trust Under Attack: How Deepfakes Are Rewriting Cybercrime Your AI SOC Won’t Catch Ransomware by Itself 2026 Cybersecurity Assessment: The Gap Between Knowing and Doing Your Last Red Team Tested the Wrong Attack MSP Strategic Defense: Why MDR Is the New Security Baseline for MSPs Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection CISA Mandates Change for Structured, Prioritized Updates and Vulnerability Management Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags What’s New in GravityZone June 2026 (v 6.74) Bitdefender Threat Intelligence: Built for How Security Teams Work Bitdefender Threat Debrief | June 2026 Cut Complexity in Half While Reducing Risk Across Your Endpoint Environment Bitdefender Named a Visionary in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection How Leading Organizations Turn EDR Into Operational Resilience Bitdefender Supports Ferrari Through Cybersecurity Built on Trust Bitdefender at Infosecurity Europe 2026: Staying Ahead of Faster Threats Endpoint Detection & Response Is Table Stakes Security MSP Strategic Defense: Why Dual-Layer Email Security (SEG + API) Is Now Essential Bitdefender GravityZone: 100% Telemetry in AV-Comparatives 2026 EDR Test FamousSparrow APT Targets Azerbaijani Oil and Gas Industry Bitdefender Threat Debrief | May 2026
Operation Saffron: Bitdefender Joins “First VPN” Takedown
Bitdefender Enterprise · 2026-05-22 · via Business Insights

An international law enforcement operation led by France and the Netherlands dismantled First VPN, a cybercriminal anonymization service used by ransomware actors, fraudsters, and data thieves across every major cybercrime investigation Europol has supported in recent years. Bitdefender supported the investigation through Europol, helping generate intelligence that exposed hundreds of individuals linked to cybercrime. This is the first VPN-category takedown in the history of Bitdefender’s law enforcement collaboration program, extending a research-led crime prevention strategy.

What First VPN Was

Ransomware actors need three things to operate at scale: command infrastructure they can hide, ransom payment flows they can obscure, and attribution barriers that keep investigators at arm’s length. First VPN provided all three. The service was promoted on Russian-speaking cybercrime forums as a tool for “remaining beyond the reach of law enforcement,” offering anonymous payments, hidden infrastructure, and features designed specifically for criminal use.

The operation dismantled 33 servers, seized the service’s primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated onion sites, and led to the arrest of the service’s administrator in Ukraine. French and Dutch investigators gained access to the service, obtained its user database, and identified VPN connections used by cybercriminals to hide ransomware attacks, large-scale fraud, and data theft. Europol disseminated 83 intelligence packages internationally. Information linked to 506 users was shared across participating jurisdictions. Twenty-one Europol-supported investigations advanced through the intelligence obtained.

The operation involved 18 countries: Canada, Denmark, Estonia, France, Germany, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania, Spain, Sweden, Switzerland, Ukraine, the United Kingdom, and the United States. Eurojust hosted 16 coordination meetings. A Joint Investigation Team - a Eurojust legal framework that lets countries share evidence and coordinate prosecutions across borders - was established in November 2023 and enabled French and Dutch authorities to coordinate prosecutorial strategy across jurisdictions. The investigation launched in December 2021. The action days were May 19-20, 2026. The announcement came May 21, 2026.

Why Anonymization Infrastructure Matters

Edvardas Šileris, Head of Europol’s European Cybercrime Centre, framed it directly: “For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.

Cybercriminal anonymization services are the connective tissue of the ransomware economy. A ransomware group can develop custom malware, recruit affiliates, and plan operations, but without a way to hide command-and-control infrastructure and payment flows, the operation collapses under investigative pressure within weeks. First VPN solved that problem for its customers. Europol describes the service as appearing “in almost every major Europol-supported cybercrime investigation” in recent years.

The service appeared in investigations because it worked. Actors used it to obscure lateral movement during intrusions, to hide the origin of phishing campaigns, and to route ransom negotiation traffic through infrastructure investigators couldn’t trace back to physical locations.

Disrupting anonymization services raises the cost of operation across the ecosystem. Every ransomware group that relied on First VPN now needs to find an alternative, evaluate whether it provides equivalent protections, and rebuild operational security around a new service. Some will succeed. Many will make mistakes during the transition, creating investigative opportunities that didn’t exist when First VPN was operational. The takedown doesn’t end the category of anonymization services, but it shortens the operational window of the next one and raises the barrier to entry for actors who depended on turnkey solutions.

How This Fits the Draco Team’s Work

Bitdefender’s law enforcement collaboration program, the Draco Team, is a virtual unit composed of Bitdefender Labs researchers. The team was founded in 2015, and its work follows the same research-led prevention we apply to endpoint defense: predict which attacks are coming, understand the infrastructure they depend on, and disrupt it before the next wave launches.

The First VPN takedown is the first VPN-category disruption for the Draco Team, but it follows a decade-long arc. We supported the Hansa dark-web marketplace takedown in 2017. We developed decryptors for GandCrab (2018, helping over 500,000 victims), LockerGoga (2022), and MegaCortex (2023). We contributed investigative intelligence to the Sodinokibi / REvil operation in 2021, to the PIILOPUOTI marketplace case in 2023, and to Operation Endgame in 2024, the largest botnet takedown to date. Each operation targeted a different layer of the cybercrime economy: marketplaces where tools are sold, ransomware campaigns that rely on those tools, botnets that provide attacker infrastructure, and now the anonymization services that tie it all together.

The guiding principle for us remains the same: research leads to prediction, prediction leads to prevention, and prevention works better when it happens before exploitation rather than after.

What Happens Next

The seized infrastructure will be analyzed. The 506 users whose information was shared internationally represent a subset of the service’s customer base, and ongoing investigations will determine which of those connections map to active criminal operations. Some will be traced to known ransomware groups. Others will reveal fraud operations, data theft campaigns, or cybercrime-as-a-service infrastructure we didn’t know existed.

New anonymization services will appear. The economic demand hasn’t changed. But each takedown shortens the operational window of the next service and raises the barrier for actors who relied on turnkey solutions. First VPN advertised itself as a service criminals could trust to keep them beyond law enforcement’s reach. The operation proved that claim wrong, and every actor evaluating the next anonymization service now knows the same risk exists.

We will continue supporting law enforcement operations through Europol. The methodology behind our intelligence contributions remains confidential, but the outcome is public: infrastructure dismantled, users exposed, investigations advanced. Updates on Bitdefender’s law enforcement collaboration work are available at the Defeat Cybercrime page.