May 22, 2026 · 10 min read

Europol Just Seized 33 Servers and Quietly Read the Traffic of 'First VPN' Users for Months Before Pulling the Plug—506 Criminals Got a Pop Up Telling Them They Had Been Identified

Operation Saffron is the third major law enforcement operation in eighteen months to take down a privacy-first VPN by infiltrating it first, watching the traffic, and only then turning it off. The product the customers paid for did not exist for months before they noticed.

The Headline Numbers

On May 21, 2026, French and Dutch authorities, with coordination from Europol and Eurojust, dismantled a virtual private network service marketed as "First VPN." Bleeping Computer and Help Net Security reported that thirty-three servers were seized across twenty-seven countries. The administrator was interviewed in Ukraine after a coordinated house search at his address. The service immediately went offline.

The takedown numbers are large, but they are not the operationally interesting part. The interesting part is what happened before the takedown. According to Europol's own briefing, investigators had infiltrated the First VPN infrastructure before it went offline and had collected traffic data. The traffic data has so far generated 83 intelligence packages and unmasked 506 specific users internationally. The Dutch Police described the period as one in which they had "access to the criminal traffic of users who mistakenly believed themselves to be safe."

When the service was finally taken offline, every connected user received a message stating that First VPN had been seized and that they had been identified. The pop-up is the visible part of an operation that ran for months without the customers knowing.

What First VPN Was Selling

First VPN was advertised across cybercrime forums as a privacy-first service that did not log user data and ignored law enforcement requests. The marketing copy is identical to the language legitimate VPN services use to differentiate themselves: no logs, no cooperation with subpoenas, anonymized payment. The difference is the customer base and the price. First VPN's user agreement explicitly accepted activity that would get any mainstream VPN provider banned: ransomware operations, data theft, credential harvesting, online fraud at scale.

Europol stated that the name First VPN "came up in almost every major cybercrime investigation" the agency had supported in the preceding two years. That includes ransomware affiliates routing exfiltration through the service, infostealer operators using it to deliver harvested data to dropsites, and BEC actors using it to operate without exposing their home IP. The service was, in effect, the dark side of the VPN industry's value proposition—a real privacy guarantee, sold to people whose privacy was the obstacle to their prosecution.

The product worked, in the sense that it delivered the technical effect customers paid for. Traffic going through First VPN was not visible to the ISP, to the destination service, or to most investigators looking from the outside. The flaw was that the operator of the service itself could see the traffic. When law enforcement compromised the operator's infrastructure, the entire customer base became visible to the operator's new occupants—the investigators.

The Pattern: Infiltrate First, Seize Second

Operation Saffron is the third major iteration of a takedown pattern that law enforcement has refined since 2024. The earlier examples are the EncroChat phone network takedown in 2020 and the Sky ECC dismantling in 2021. In both cases, French investigators gained access to the infrastructure of an end-to-end encrypted communication service used predominantly by organized crime, read the messages for months, and only later took the service offline. The arrests from those operations are still ongoing in 2026.

The pattern matters because it inverts the security model the services sell. The customer pays for "no logs," and from the customer's perspective the service really does not log. But the infrastructure that delivers the service is now an asset law enforcement can compromise. Once compromised, the absence of logs at the service level is irrelevant—the investigators are seeing the traffic in real time, and they are logging it themselves.

The operational implication for criminal users is that any service whose entire value proposition is privacy from law enforcement is, by definition, a high-priority infiltration target. The longer the service operates, the more confidence its customers have in it, and the worse the eventual exposure when the infiltration succeeds. EncroChat customers used the network for years before the seizure. The arrests are still happening.

What the 506 Identifications Actually Mean

The 506 unmasked users are not the total user base of First VPN. They are the users whose activity during the infiltration window was prosecutable enough, and attributed clearly enough, for the investigation team to package the evidence into an "intelligence package" that can be transferred to a national prosecutor.

The 83 intelligence packages translate roughly into 83 distinct investigations, each spanning one or more identified users. Some will result in immediate arrests in jurisdictions where the underlying crime is prosecuted aggressively. Some will land in jurisdictions where the prosecution priority is lower, and the file will sit until another case ties to the same person. Some will surface during border crossings, when an identified user attempts to enter a country whose authorities now have a flag on the user's identity.

The pop-up sent to all First VPN users when the service went offline serves a secondary investigative purpose. It is designed to provoke a reaction—calls to associates, attempts to destroy evidence, panic moves—that surveillance can then capture. The investigators do not need to make every arrest at once. They need to maximize the number of follow-on investigations the visible takedown enables.

The Implication for Legitimate VPN Use

First VPN was a criminal service, sold to criminal users. The takedown is, by every reasonable measure, a win for law enforcement and a loss for organized crime. But the operational details of how it was accomplished are relevant to every VPN user, criminal or otherwise.

A VPN, mathematically, replaces trust in your ISP with trust in your VPN provider. The provider sees the traffic. If the provider's infrastructure is compromised—by a hack, a subpoena, or, as in this case, a coordinated international law enforcement operation—the user's traffic is exposed to whoever has compromised it. The "no logs" promise is a promise about the provider's behavior, not a guarantee enforced by mathematics.

For users whose threat model is targeted state surveillance—journalists, activists, dissidents in adversarial countries—the lesson is the same one anonymity researchers have repeated for years: a single VPN provider is one compromise away from full traffic visibility. Layered systems—Tor, multi-hop chains, mixnets—exist because the single-provider model has the failure mode First VPN's customers just experienced.
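The trust model described above, as an added example that is not from the original article: a small Python simulation that wraps one request in a layer of encryption per relay and records what each relay operator can observe, for a single VPN and for a three-hop chain. The relay names, addresses, keys and the toy cipher are constructed for illustration.

```python
import hashlib
import json

CLIENT, DEST = "198.51.100.7", "203.0.113.80"  # constructed documentation addresses

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream: illustration only, never use for real traffic.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(request: str, route: list, keys: dict) -> bytes:
    """Client side: one encryption layer per relay, exit relay's layer innermost."""
    blob, next_addr = request.encode(), DEST
    for relay in reversed(route):
        layer = json.dumps({"next": next_addr, "inner": blob.hex()}).encode()
        blob, next_addr = _xor_stream(keys[relay], layer), relay
    return blob

def relay_views(blob: bytes, route: list, keys: dict) -> dict:
    """Forward the packet hop by hop and record what each relay operator can see."""
    views, prev = {}, CLIENT
    for relay in route:
        layer = json.loads(_xor_stream(keys[relay], blob))
        views[relay] = {"from": prev, "to": layer["next"]}
        blob, prev = bytes.fromhex(layer["inner"]), relay
    return views

def exposure(views: dict, compromised: set) -> dict:
    """What the party controlling `compromised` learns (timing correlation ignored)."""
    seen = {v["from"]: (r, v["to"]) for r, v in views.items() if r in compromised}
    node, linked = CLIENT, False
    while node in seen and not linked:
        relay, nxt = seen[node]
        linked, node = nxt == DEST, relay
    return {"client_ip": CLIENT in seen,
            "destination": any(to == DEST for _, to in seen.values()),
            "linked": linked}

def scenario(route: list, compromised: set) -> dict:
    keys = {r: hashlib.sha256(r.encode()).digest() for r in route}  # constructed keys
    views = relay_views(wrap("GET /inbox", route, keys), route, keys)
    return exposure(views, compromised)

if __name__ == "__main__":
    print("single VPN, provider compromised:", scenario(["vpn"], {"vpn"}))
    chain = ["entry", "middle", "exit"]
    for owned in ({"entry"}, {"exit"}, {"entry", "exit"}, set(chain)):
        print("3-hop chain,", sorted(owned), "compromised:", scenario(chain, owned))
```

The model counts only what each relay can decrypt. An observer holding both the entry and the exit of a real chain can often link flows by timing and volume, which this simulation deliberately leaves out.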

For users whose threat model is commercial—blocking advertisers, hiding location from a streaming service, avoiding ISP traffic shaping—the relevant question is whether the VPN provider is operating within the same legal jurisdiction as the user, and whether the provider has a track record of resisting legal compulsion. Both questions matter; neither is mathematically guaranteed.

The Cybercrime Ecosystem Impact

Privacy services for criminals are a commodity market. When one provider is taken down, customers migrate. The expected effect of First VPN's removal is a short term shift to alternative providers, followed by a longer term increase in the price these services charge, as the surviving providers price in their increased risk.

The same pattern played out after the Genesis Market takedown in 2023 and the BreachForums takedown in 2024. Customers regrouped, prices rose, and operational tempo dropped for a quarter before recovering. The recovery is partial in each case—each takedown removes the longest tenured operators and forces the remaining ones to operate more cautiously. The trend over a multiyear horizon is a fragmented, more expensive criminal infrastructure market.

The other effect is reputational. Criminal customers are price-sensitive but more sensitive to reputation. After the EncroChat takedown, customers who had been on the service for years and seen no problems suddenly faced the question of whether their next service would last another year. The First VPN takedown adds a third data point. The implied lifetime of a top-tier criminal privacy service is now measured in low single-digit years, and the visible identifications at takedown time mean the customers cannot move on without exposure to the previous operation.

Why This Matters for Email and Identity Security

A lot of the activity that flowed through First VPN was email centric. BEC actors used it to operate from a location consistent with the impersonated executive's claimed travel. Phishing operators used it to ride through residential proxy networks that legitimate email infrastructure trusts. Infostealer brokers used it to upload harvested credentials to dropsites without exposing their actual IP.

The takedown does not directly remove any of those threats. The actors will migrate to alternative services within days. But the disruption period is real, and the intelligence that comes out of the seizure—who was paying whom, which dropsites were active, which campaigns were running—becomes the input to other investigations. Some of the 83 intelligence packages will be email security related. Defenders working on phishing infrastructure mapping will see new data flow into their threat feeds over the next quarter.

For ordinary users, the takeaway is more straightforward. Most phishing emails arrive from infrastructure that the operator has gone to deliberate lengths to obscure. The obfuscation works most of the time. Periodic takedowns like Operation Saffron pull back the curtain on what was actually behind the obfuscation, and the visible truth is consistent across operations: it was an identifiable person, using a paid service, whose anonymity guarantee turned out to be conditional.
