On 19–20 May 2026, a Franco-Dutch operation codenamed Operation Saffron dismantled First VPN, an anonymisation service advertised on Russian-speaking criminal forums and used, since roughly 2014, by no fewer than 25 ransomware crews including Avaddon. With Europol and Eurojust support, investigators seized 33 servers across 27 countries, took down the service's domains, questioned a suspect in Ukraine, and shared 83 intelligence packages covering 506 identified users with partner countries (Europol; Eurojust).
The operationally significant detail is not the server count. It is how the unmasking happened. As Dutch police put it, "Before the service went offline, the police had access to the criminal traffic of the users of the service, who mistakenly believed themselves to be safe" (Help Net Security). Law enforcement did not merely pull a plug. They wiretapped the very tool sold as wiretap-proof, watched the traffic flow, then collapsed the network and mailed out identifications.
The strongest case for the takedown
Let us state the case for Saffron plainly, because it is a good one. First VPN was not a privacy product that happened to attract bad actors. It was, on the evidence, criminal infrastructure by design — marketed on hacking forums, accepting anonymous payment, promising freedom from law-enforcement reach. Europol's assessment that it featured in "almost every major cybercrime investigation" it supported is not hyperbole about a fringe tool. Ransomware is not a victimless abstraction; it has shuttered hospitals, municipalities, and supply chains. When a service exists to launder the attribution of extortion and data theft, dismantling it is exactly the proportionate, targeted enforcement that a healthy internet ecosystem should welcome. A judicially coordinated takedown of a purpose-built crime service is the opposite of mass surveillance — it is precision.
That distinction is the whole game, and it is why the target here was right. The concern is the method and, more importantly, the precedent and rhetoric it generates.
A technique with a track record — and limits courts have already drawn
Reading a whole anonymisation network before shutting it is now an established European playbook. It is the EncroChat and Sky ECC model: infiltrate the service, harvest everyone's traffic in bulk, then sort the catch afterwards. That model has not had a clean run through the courts. In Case C-670/22 (M.N.), decided 30 April 2024, the Court of Justice of the EU permitted cross-border use of EncroChat material via European Investigation Orders but imposed real conditions: infiltrating terminal devices counts as "interception of telecommunications" triggering notification duties, and evidence must be excluded where a defendant cannot "comment effectively" on material likely to have "preponderant influence on the findings of fact" (eucrim).
Those are not technicalities. They are the difference between intelligence and admissible evidence, and between a targeted operation and indiscriminate collection. Saffron swept up traffic for 506 people on the premise that the platform was wholly criminal. That premise may well hold for First VPN. But "we monitored everyone on the network first" is a method whose legitimacy depends entirely on how narrowly the target is defined — and on courts, not press releases, validating that the people caught were lawfully caught.
Why the framing matters for everyone else
Here is the risk a pro-innovation publication should name. The same week Saffron was announced, Canada was pushing Bill C-22, the "Lawful Access" bill that civil-liberties groups warn would "threaten encryption and increase surveillance" (EFF, 18 June 2026). The political temptation is to use a clean win against criminal infrastructure as an argument against the privacy technology that ordinary people, journalists, and businesses rely on. First VPN and a commercial consumer VPN are not the same category — one is a bulletproof crime service, the other is a mainstream tool for securing remote work, evading censorship, and protecting browsing. Conflating them is how a legitimate takedown becomes a lever for delegitimising encryption itself.
The correct lesson from Saffron is the narrow one. Law enforcement does not need to break encryption or backdoor consumer VPNs to dismantle criminal services; it needs patient, court-supervised infiltration of the specific bad actors — which is precisely what France and the Netherlands did over four-and-a-half years. The case against anti-encryption mandates is strengthened, not weakened, by Saffron: agencies achieved the result through targeted operations, not by weakening the tools everyone else uses.
What proportionate looks like
The measure of Saffron will not be the 33 servers or the triumphant rhetoric. It will be whether the 506 prosecutions that follow survive contact with EncroChat-style admissibility challenges, whether notification and defence-rights duties under C-670/22 are honoured, and whether governments resist the urge to cite a crime-service takedown as a mandate to surveil lawful encryption. Get those right, and Saffron is a model of proportionate, evidence-based enforcement. Get them wrong, and it becomes the cautionary tale of how a good operation laundered a bad principle.