Europol's Operation Saffron takes down First VPN service over ransomware attacks — 33 'bulletproof' servers spread across 27 countries seized

(Image credit: Getty Images)

Takedowns of "bulletproof" VPNs allegedly used for cybercrime activities have become fairly common, and they often raise some interesting legal questions. First VPN is the latest such service to go down in virtual flames, thanks to a Europol-led initiative called Operation Saffron. The seizure caught 33 servers spread across 27 countries, reportedly identified 506 users, and led authorities to a Ukrainian residence.According to the Europol report, Operation Saffron had the participation of 18 countries, with the main actors being France, the Netherlands, Luxembourg, Romania, Switzerland, Ukraine, and the United Kingdom. First Net's regular and .onion domains were also seized, and they currently display a banner for the operation.Besides the promise of anonymity, First VPN reportedly advertised itself as not cooperating with any judicial authority and that it would not be subject to any jurisdiction. Additionally, it apparently advertised exclusively in Russian-language cybercrime forums, and was predictably the source of extensive online criminal activity, with Europol stating the service came up in most every cybercrime investigation it was pursuing. The investigation was five years in the making, as it actually started back in 2021.Although the definition is a little fuzzy, the key differences between bulletproof VPNs and privacy-minded services are in how they handle cooperation with authorities, how they deal with abuse reports, who they typically market their services to, what their terms of service are, and how deeply (if any) they are the source of cybercrime.Whereas popular services like Mullvad or ProtonVPN offer a no-log, no-data-saved policy, they're designed and advertised in such a manner that ought to let them function normally in most jurisdictions. In fact, Mullvad graciously hosted six Swedish officers in 2023, who came away empty-handed as there was no data to hand over. Similarly, last year, a Greek court dismissed cybercrime-abetting charges against the CEO of Windscribe. Windscribe's servers only used RAM disks and had no permanent storage, and earlier this year, Dutch authorities amusingly shut them off and took them for inspection.Online commentary generally expresses concern about the legal overreach of these takedowns. It's worth noting that while the investigations are coordinated between many authorities, the legal framework for seizures generally falls within the purview of local law. That means that, for example, the need for a warrant or supporting evidence for a seizure depends on which jurisdiction it takes place.There's also some irony in the fact that the European Union's Charter of Fundamental Rights broadly states that keeping oneself's digital information private is a basic right, and the well-known GDPR has rather sizable teeth that chomp on data mishandling violations. Privacy-minded VPN services can arguably be interpreted as respecting not just the spirit but also the letter of the law, and yet they're subject to law enforcement activities under national-level rules.Additionally, the long-standing concept of digital privacy in the EU is under fire, thanks to initiatives like ProtectEU that want data saved for law enforcement purposes, or the unpopular "Chat Control" framework that would allow for scanning private communications under the guise of protecting children. Chat Control almost became law but was shot down repeatedly... for now.