ctipilot.ch

Operation Saffron

incident · incident:operation-saffron-first-vpn-takedown-33-servers-27-countri

Operation Saffron: First VPN criminal anonymisation service dismantled; Switzerland JIT participant; Phobos RaaS link confirmed

Coverage timeline

  • Appearances: 2 (first 2026-05-18 → last 2026-05-22)
  • Entries: 2 (2 distinct days)
  • Sources cited: 6 (6 hosts)
  • Sections touched: 2 (active-threats, weekly-policy)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-05-22 · active-threats · Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed
  2. 2026-05-18 · weekly-policy · Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

Where this entity is cited

  • weekly-policy: 1
  • active-threats: 1

Source distribution

  • bleepingcomputer.com: 1 (17%)
  • eurojust.europa.eu: 1 (17%)
  • fiod.nl: 1 (17%)
  • helpnetsecurity.com: 1 (17%)
  • interpol.int: 1 (17%)
  • justice.gov: 1 (17%)

Related entities

Entries about Operation Saffron (2)

2026-05-22

Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed

high · threat · discovered 2026-05-22 05:00 UTC

A coordinated international law enforcement action on 2026-05-19–20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and systematically marketed on cybercrime forums as a no-log, law-enforcement-resistant tool (Eurojust, 2026-05-21). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" (BleepingComputer, 2026-05-21). The operation was led by French and Dutch investigators through a Eurojust joint investigation team (JIT) established in November 2023 and seized more than 33 servers distributed across 27 countries (server-host count). A total of 16 nations participated through Europol's Joint Cybercrime Action Taskforce, and 7 nations sat on the Eurojust-led JIT, including Switzerland, France, the Netherlands, Luxembourg, Romania, Ukraine, and the UK, signalling fedpol/GovCERT.ch operational involvement.

Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and cryptographic connection records, and generated 83 intelligence packages covering 506 users, which were distributed to partner agencies. Help Net Security reporting confirms the captured data links to the Phobos ransomware-as-a-service operation and to broader ransomware, fraud, and data theft investigations (Help Net Security, 2026-05-21). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs now constitute potential investigative leads flowing through Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.
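A retro-hunt over historical proxy logs for the three seized domains, as an added example that is not part of the original entry. The log layout (timestamp, client, method, target, status), the function names and every sample line are constructed assumptions; matching is done on the parsed hostname so that look-alike hosts and query strings do not produce false hits.

```python
from urllib.parse import urlsplit

# Seized First VPN domains named in the entry above.
SEIZED = ("1vpns.com", "1vpns.net", "1vpns.org")

# Constructed sample lines: "timestamp client method target status".
SAMPLE_LOG = """\
2025-11-03T08:14:02Z 10.20.4.17 CONNECT vpn3.1vpns.com:443 200
2025-11-03T08:15:40Z 10.20.4.22 GET http://example.org/index.html 200
2026-01-12T22:01:09Z 10.20.4.17 GET http://1VPNS.NET./client/config 200
2026-02-01T10:00:00Z 10.20.7.5 CONNECT 1vpns.com.example.net:443 200
2026-02-01T10:00:05Z 10.20.7.5 GET http://example.org/?ref=1vpns.org 200
"""

def host_of(target):
    """Hostname from a full URL or a CONNECT-style host:port target."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat host:port as the authority
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:          # malformed authority, e.g. broken IPv6 literal
        return ""
    return host.rstrip(".").lower()  # drop trailing root dot, normalise case

def is_seized(host):
    """True for a seized domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in SEIZED)

def hunt(lines):
    """Return (timestamp, client, host) for each line that touches a seized domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue            # skip truncated or blank lines
        ts, client, _method, target = parts[:4]
        host = host_of(target)
        if is_seized(host):
            hits.append((ts, client, host))
    return hits

def first_last_by_client(hits):
    """Per client: (first seen, last seen, hit count); ISO timestamps sort as text."""
    summary = {}
    for ts, client, _host in hits:
        first, last, n = summary.get(client, (ts, ts, 0))
        summary[client] = (min(first, ts), max(last, ts), n + 1)
    return summary

if __name__ == "__main__":
    for client, row in first_last_by_client(hunt(SAMPLE_LOG.splitlines())).items():
        print(client, *row)
```

The per-client first-seen and last-seen window is what narrows the follow-up to specific endpoints and retention periods.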

law-enforcement organized-crime ransomware europe switzerland

2026-05-18

Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

notable · policy · discovered 2026-05-18 05:00 UTC

Four coordinated actions in the window degraded threat-actor infrastructure relevant to this audience. Operation Saffron dismantled First VPN — a Russian-language criminal anonymisation service marketed to ransomware operators — seizing 33+ servers with the user database captured; Switzerland was a named Joint Investigation Team participant, and the infrastructure is linked to Phobos RaaS (Eurojust; daily 2026-05-22). The Netherlands FIOD arrested two suspects for EU-sanctions evasion tied to the Stark Industries bulletproof-hosting front and seized ~800 servers, dismantling NoName057(16) DDoS plumbing (FIOD; daily 2026-05-23). The alleged operator of the Kimwolf 30+ Tbps IoT DDoS-for-hire botnet (AISURU variant) was arrested (US DoJ; daily 2026-05-23), and INTERPOL Operation Ramz logged 201 arrests across a 13-country MENA sweep including a PhaaS-server takedown (INTERPOL; daily 2026-05-19). The defender-relevant pattern: the takedowns hit anonymisation/hosting/DDoS plumbing rather than end actors, so expect short-term infrastructure churn (new VPN/hosting fronts, rebuilt botnet C2) rather than a durable drop in activity.

law-enforcement organized-crime ransomware ddos europe switzerland global