US Treasury Sanctions VPN Service for Aiding Ransomware Attacks
Key Takeaways The U.S. Treasury has sanctioned First VPN Service (1VPNS), its administrator, and a malware obfuscation provider. The sanctions target entities accused of enabling ransomware attacks...
Key Takeaways
- The U.S. Treasury has sanctioned First VPN Service (1VPNS), its administrator, and a malware obfuscation provider.
- The sanctions target entities accused of enabling ransomware attacks against U.S. organizations and critical infrastructure.
- This action follows an international law enforcement operation that disrupted 1VPNS’s infrastructure in May 2026.
- U.S. persons are now prohibited from transactions with the sanctioned individuals and entities.
U.S. Treasury Imposes Sanctions on VPN Service for Aiding Ransomware Operations
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has announced sanctions against First VPN Service (1VPNS), a virtual private network provider. The Treasury alleges that 1VPNS furnished critical infrastructure to ransomware syndicates actively targeting American enterprises.
Table Of Content
In addition to 1VPNS, the sanctions also name Dmytro Rashevskyi, identified as an administrator of the VPN service, and Yegeniy Vladimirovich Silayev, who provides malware obfuscation services. According to the Treasury, ransomware actors leveraged 1VPNS’s infrastructure to mask their digital footprints, distribute malicious payloads, and manage exfiltrated data during their extortion campaigns.
The victims of these attacks reportedly spanned a wide range of sectors, including U.S. businesses, financial institutions, healthcare providers, and local government bodies. These ransomware activities have collectively inflicted billions of dollars in financial losses upon U.S. businesses and essential infrastructure providers.
While VPN technology offers legitimate applications for privacy and security, enabling users to encrypt their internet traffic and conceal their IP addresses, OFAC’s findings paint a different picture for 1VPNS.
VPN Service Accused of Direct Support to Cybercriminals
OFAC reported that 1VPNS actively marketed its services on cybercriminal forums, promoting a strict no-logs policy and a stated refusal to cooperate with law enforcement investigations into malicious activities originating from its servers. The Treasury noted that the service had advertised on various criminal platforms since 2014.
Rashevskyi is accused of employing false identities, such as “Maksim Sorin” and “Roman Chabanenko,” to procure servers and other necessary infrastructure from providers who would otherwise have rejected his business due to a history of abuse complaints.
These sanctions come on the heels of an international law enforcement operation conducted in May 2026, which successfully disrupted 1VPNS’s website and associated infrastructure. European authorities led this operation, with crucial support from the FBI’s Boston Field Office.
The FBI subsequently released a cybersecurity advisory, detailing indicators and tactics linked to 1VPNS, aiming to assist organizations in detecting and preventing ransomware intrusions. OFAC also designated Silayev, described as a Belarusian national, for supplying “cryptors” to ransomware operators.
Cryptors are specialized tools designed to package, encrypt, or obfuscate malware, allowing it to bypass detection by antivirus software, endpoint detection tools, and other security measures. The Treasury emphasized that, unlike standard encryption software used for legitimate data protection, these services were specifically deployed to enhance the stealth and effectiveness of malware against U.S. and allied targets.
Legal Basis and Broader Strategy
The designations were issued under Executive Order 13694, as amended, and align with Executive Order 14390, signed in March 2026. This latter order mandates federal agencies to combat foreign cybercrime, fraud, extortion, and related threats.
As a direct consequence of these sanctions, all property and interests in property belonging to the named individuals and entity within U.S. jurisdiction are now blocked. U.S. persons are generally forbidden from engaging in transactions involving these sanctioned parties unless specifically authorized by OFAC. These restrictions also extend to any entities owned 50% or more by one or more blocked persons.
This action was coordinated with the United Kingdom’s Foreign, Commonwealth & Development Office, which simultaneously announced its own sanctions against cybercriminals and their enablers. The Treasury stated that this coordinated effort underscores a broader strategic initiative to dismantle the ecosystem of services that ransomware groups rely upon, including anonymous hosting, VPN access, malware obfuscation, and infrastructure for managing stolen data.
What You Should Do
- Organizations should review the FBI’s cybersecurity advisory for indicators of compromise (IOCs) and tactics associated with services like 1VPNS to enhance detection capabilities.
- Implement robust endpoint detection and response (EDR) solutions and next-generation antivirus (NGAV) to detect and block obfuscated malware.
- Educate employees on phishing and social engineering tactics often used by ransomware groups to gain initial access.
- Regularly back up critical data and test recovery procedures to minimize the impact of a ransomware attack.
- Maintain strong network segmentation and access controls to limit lateral movement within your environment.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.