French and Dutch law enforcement seized a large-scale virtual private network (VPN) service that catered to cybercriminals, offering services to mask illicit activities including scanning, botnets, denial-of-service attacks, scams, hacking and ransomware attacks.
In a coordinated operation under the banner name “Operation Saffron,” the authorities shut down 33 critical servers of the First VPN service provider during the seizure and detained the alleged administrator of the service in Ukraine.
First VPN advertised itself as a provider of anonymity, promising its users non-cooperation with any law enforcement authorities, zero data storage, and no jurisdiction issues. The VPN service was almost exclusively promoted on known Russian-language dark web forums such as Exploit[.]in and XSS[.]is, which provide marketplaces for cybercriminals to buy and sell unauthorized access to computer systems, stolen personal identifying information, hacking tools, and contraband.
The U.S. Federal Bureau of Investigation, in its Flash Alert, confirmed that the service had been active since at least 2014 and provided exit node servers in 27 countries. It also concurred that upwards of 25 ransomware groups, including Avaddon Ransomware, used First VPN Service infrastructure to perform network reconnaissance and intrusions.
“Criminals used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offences,” Europol said.
“For years, cybercriminals saw this VPN service as a gateway to anonymity,” added Edvardas Šileris, Head of Europol’s European Cybercrime Centre. “They believed it would keep them beyond the reach of law enforcement.”
However, the First VPN service came up in almost every major cybercrime that law enforcement authorities investigated in recent years, eventually leading to its takedown.
The domain names seized during Operation Saffron include:
- 1vpns[.]com
- 1vpns[.]net
- 1vpns[.]org
- and associated onion domains
Users visiting these domains are now greeted with a seizure banner that displays the names of all the agencies across Europe that worked actively in this operation.
Europol said that before it turned off the lights on First VPN, investigators gained access to the service, which led them to the user database and also helped identify VPN connections used by several other cybercriminals.
“The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide,” Europol said.
The agency has shared 83 intelligence packages since it began the operation, which also included information on 506 international users. Investigators in multiple jurisdictions are now using this intelligence to support further investigations, the agency confirmed.