Threat Intelligence ‘First VPN’ service used by cybercriminals dismantled in international operation May 21, 2026 Share By SC Staff (Adobe Stock) French and Dutch authorities, with support from Europol and Eurojust, have shut down First VPN, a service extensively used by cybercriminals to conceal their illicit activities, including ransomware attacks and phishing campaigns. The operation, codenamed Operation Saffron, has also provided investigators with access to user data, potentially identifying individuals linked to criminal operations, as reported by HackRead. First VPN marketed itself on Russian-speaking cybercrime forums as a reliable tool for anonymity, offering features like anonymous payments and concealed infrastructure to help users evade law enforcement. The service became closely associated with ransomware groups, fraud networks, and data theft campaigns, appearing in numerous major cybercrime cases supported by Europol. The operation, conducted between May 19 and 20, 2026, involved Ukrainian authorities arresting the alleged administrator and seizing 33 servers. Several associated domains and onion domains were also taken offline, displaying a seizure notice to users. The investigation, which began in December 2021, yielded a user database exposing thousands of connections to cybercrime infrastructure, providing crucial leads for ongoing investigations into ransomware attacks, online fraud, and other serious offenses across multiple countries. This takedown highlights a growing trend of law enforcement targeting the infrastructure that enables cybercrime, not just the perpetrators themselves. Source: HackRead SC Staff Related Threat Intelligence FBI warns of surge in crypto ATM scam losses, exceeding $388 million SC Staff May 20, 2026 Cybercriminals are reportedly instructing victims to withdraw cash and deposit it into crypto kiosks, which then transfer the funds to attacker-controlled wallets. Threat Intelligence Storm-2949 actor targets Microsoft 365 and Azure environments SC Staff May 20, 2026 Storm-2949 initiates attacks by targeting users with privileged roles, such as IT personnel or senior leadership, using social engineering tactics to obtain their Microsoft Entra ID credentials. Threat Management Verizon DBIR 2026: Vulnerability exploits top initial access as patching coverage falls Laura French May 20, 2026 The report also highlighted ransomware trends and the evolving role of AI in breaches. Related Events Cybercast Better Threat Intelligence Between Public and Private Sectors On-Demand Event Virtual Conference Nationwide Cybersecurity Summit 2025: Safeguarding America’s Digital Future On-Demand Event Virtual Conference Securing the Future of Finance: Strategies to Counter Modern Cyber Threats On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Account Harvesting Business Email Compromise (BEC) Dictionary Attack Disruption Distributed Scans Domain Hijacking Google Hacking Information Warfare Password Cracking Reconnaissance You can skip this ad in 5 seconds