EU ransomware and cyber extortion policy

Operation Saffron Shows Ransomware Is Best Fought by Seizing Criminal Infrastructure, Not Regulating VPNs

Europol's takedown of 'First VPN' identified 5,000+ criminal accounts — a model for proportionate enforcement that doesn't touch legitimate encryption.

[Infographic: Operation Saffron by the Numbers (People of Internet Research · EU, peopleofinternet.com). 5,000+ criminal accounts identified; 33 servers seized; 83 intelligence packages shared, covering 506 named users; 4,875 EU incidents analysed (ENISA's 2025 landscape).]

Key Takeaways

On 19–20 May 2026, a Europol- and Eurojust-coordinated operation led by French and Dutch authorities dismantled First VPN, an anonymisation service that had operated since 2014 and was marketed exclusively on Russian-language cybercrime forums. Investigators seized 33 servers spread across 27 countries, took down the service's clearnet and Tor domains, and — crucially — identified the people behind more than 5,000 accounts. According to Europol, the service had appeared in nearly every major cybercrime investigation the agency supported in recent years, and was used by at least 25 ransomware crews, including the Phobos and Avaddon operations.

The codename was Operation Saffron. The investigation began in December 2021, with Eurojust opening a case in May 2022. By the time the servers went dark this month, authorities had compiled 83 intelligence packages covering 506 specific users and shared them with partner countries — turning a single takedown into fuel for dozens of downstream prosecutions.

A criminal service, not a privacy tool

The first thing policymakers should get right is what First VPN actually was. It was not a consumer privacy product caught in a dragnet. Per Europol, it advertised that it would not cooperate with any judicial authority, accepted anonymous and laundering-friendly payment rails, and sold infrastructure designed for criminal use. This is the defining trait of so-called bulletproof services: their value proposition is impunity, not confidentiality.

That distinction matters enormously, because every high-profile ransomware takedown reliably produces calls to regulate the underlying technology — VPNs, encryption, anonymous payments — as though the tools were the problem. They are not. The same protocols First VPN ran (WireGuard, OpenConnect, Outline) are the backbone of legitimate corporate remote access and the privacy stack that journalists, dissidents, and ordinary citizens depend on. A service is criminal because of how it is operated and marketed, not because it encrypts traffic.

The steelman for tougher rules

The case for broader regulation deserves a fair hearing. Ransomware remains, by ENISA's assessment, the most impactful cyber threat facing the EU. The ENISA Threat Landscape 2025 analysed 4,875 incidents between July 2024 and June 2025 and documented a fragmenting ransomware-as-a-service ecosystem that keeps spawning new variants. When extortion gangs hide behind layered anonymisation for years, it is reasonable to ask whether the law should compel logging, identity verification, or registration for anonymisation providers — and whether voluntary cooperation is enough.

That is the strongest version of the argument, and it is not frivolous. But Operation Saffron is itself the rebuttal.

Targeted enforcement worked — without breaking encryption

The operation did not require mandatory backdoors, a VPN registry, or weakened cryptography. It required patience, cross-border legal cooperation, and old-fashioned investigative access. Authorities gained insight into the service from the inside, mapped its users over more than four years, and then struck. The result was not just disruption but attribution at scale: 506 users named, thousands more exposed. Blunt rules mandating data retention across all VPN providers would have swept up millions of innocent users while sophisticated criminals migrated to the next bulletproof host — which is exactly what they do.

The EU already has the proportionate instrument it needs. The NIS2 Directive (Directive (EU) 2022/2555), in force since 2024, requires essential entities to issue an early warning within 24 hours and a full notification within 72 hours of a significant incident, and tasks the Cooperation Group with regularly assessing threats "such as ransomware." NIS2 builds situational awareness and resilience without dictating the design of communications tools. Pair that with operational muscle — Europol's European Cybercrime Centre, Eurojust's case coordination, and the public-private No More Ransom decryption project — and you have a model that targets criminals rather than capabilities.

The policy lesson

The right reading of Operation Saffron is that the EU's enforcement architecture is maturing and works. Eighteen countries coordinated; private security firms contributed; intelligence was packaged and redistributed for follow-on cases. That is the proportionate path: go after the operators of services built for impunity, seize their infrastructure, and identify their customers — while leaving the general-purpose encryption that protects everyone else untouched.

The temptation after every takedown is to legislate the tool. The smarter move is to fund and empower the people who just demonstrated they can dismantle a 12-year-old criminal service and name its users one by one. Ransomware is a human enterprise. It is beaten by removing the humans' safe harbours, not by making the internet less safe for everyone.

First VPN's selling point was impunity. Operation Saffron proved that impunity was a lie — and it did so without asking a single legitimate user to give up their privacy.

Sources & Citations

  1. Europol — Cybercriminal VPN dismantled
  2. ENISA Threat Landscape 2025
  3. NIS2 Directive (EU) 2022/2555 — EUR-Lex
  4. The Hacker News — First VPN Dismantled
  5. Tom's Hardware — Operation Saffron