The U.S. government just took an unprecedented step against the hidden infrastructure that powers ransomware. On July 13, 2026, the Treasury Department’s Office of Foreign Assets Control designated First VPN Service, better known as 1VPNS. It also hit the service’s administrator, Ukrainian national Dmytro Rashevskyi, and a Belarusian seller of malware-hiding tools named Yevgeniy Vladimirovich Silayev.
This marks the first time American authorities have formally sanctioned a VPN provider for supporting cybercrime. The move follows a May 2026 international takedown of 1VPNS servers across 27 countries. Yet the sanctions add a financial chokehold that could prove more lasting. They freeze assets and bar U.S. persons from any dealings with the designated parties.
Ransomware groups bought 1VPNS services for more than a decade. They used the VPN to mask their locations, deploy malicious software, exfiltrate data and coordinate attacks. Victims spanned U.S. businesses, hospitals, financial firms and city governments. The damage reached billions of dollars. One senior Treasury official described the infrastructure as a shield that let criminals operate with impunity.
But why target a VPN? These services promise privacy. Many deliver it legally. 1VPNS crossed the line. It advertised openly on cybercrime forums since at least 2014. The company boasted it kept no logs. It refused to help law enforcement. And it accepted anonymous payments. That pitch drew ransomware operators like LockBit, Conti and others who needed to hide command-and-control traffic.
Rashevskyi, 45, ran the operation from Dnipro, Ukraine. He allegedly used fake names such as “Maksim Sorin” and “Roman Chabanenko” to purchase servers. Internet providers had flagged abuse from 1VPNS IP addresses. The aliases helped him dodge those complaints, according to the Treasury. European police arrested him in May as part of Operation Saffron, a coordinated effort backed by the FBI’s Boston field office, Europol and Eurojust.
The operation seized 33 servers. It dismantled a service that Europol said appeared in nearly every major cybercrime case it supported in recent years. French and Dutch authorities led the raids. The action disrupted ransomware logistics at scale. Still, criminals adapt. Many simply migrated to new providers.
That reality explains the sanctions. They aim to make migration harder. By naming 1VPNS and Rashevskyi, the U.S. warns banks, payment processors and hosting firms worldwide. Touch these parties at your peril. The designations rest on Executive Order 13694, which targets cyber threats to national security and economic stability.
Sanctions also reached Silayev. He sold “cryptors,” specialized software that disguises ransomware binaries so antivirus tools miss them. His customers included groups striking American hospitals and municipalities. Pairing VPN anonymity with malware obfuscation created a potent combination. One hid the attacker. The other hid the attack.
Industry watchers called the action a logical evolution. Previous Treasury moves hit cryptocurrency mixers and ransomware negotiators. Now it reaches the upstream enablers. “Today we are going after the rails behind the attacks,” one analyst noted on social media shortly after the announcement. The message lands clearly. Infrastructure providers can no longer claim neutrality.
Yet the sanctions created unintended fallout. The Treasury notice listed a Telegram channel linked to 1VPNS: t.me/FirstVPNService. The .me domain registry, based in the U.S. and wary of compliance violations, placed the entire telegram.me domain on serverHold. For several hours, web links to countless Telegram channels stopped resolving globally. Apps continued to function. The registry lifted the hold once Telegram removed the offending references.
The episode highlighted a familiar tension. Sanctions cast wide nets. Private companies, fearful of penalties, often overblock. In this case, millions of legitimate users lost access to links for a brief period. It served as a reminder that enforcement tools designed for nation-states and terrorists now touch consumer-facing technology.
1VPNS wasn’t the only VPN with a dark customer base. Others advertise no-logs policies and offshore locations. Many market to journalists and activists. The line between legitimate privacy tools and criminal aids can blur. Law enforcement has long complained that some providers ignore subpoenas or destroy evidence.
This designation draws that line in sharper ink. It signals that advertising to ransomware forums, refusing cooperation and facilitating attacks on critical infrastructure carry consequences. U.S. allies joined the effort. The United Kingdom issued parallel sanctions against related cyber actors the same day.
Hospitals felt particular relief. Ransomware strikes on health systems force diversion of ambulances, delay surgeries and expose patient data. When attackers use anonymized infrastructure, attribution slows and deterrence weakens. By cutting off one supply line, officials hope to raise the cost of entry for future campaigns.
Experts caution against declaring victory. Ransomware revenue hit record levels in recent years despite aggressive law enforcement. Groups rebrand, shift to ransomware-as-a-service models and recruit new affiliates. The May takedown removed servers. The July sanctions target money and reputation. Combined pressure might force operators toward riskier, more detectable methods.
FBI officials reiterated standard advice. Patch systems. Maintain offline backups. Never pay the ransom. Those steps remain the best defense. Yet the sanctions address the supply side. They make it tougher for attackers to buy the anonymity they crave.
Rashevskyi and Silayev now face practical isolation. Their cryptocurrency wallets appear in the sanctions notice. Transactions involving those addresses risk scrutiny. Hosting providers and payment services must block them or face secondary sanctions. The 50 percent rule extends restrictions to any entity majority-owned by the designated individuals.
For the broader cybersecurity community, the action raises questions about future targets. Will other no-logs VPNs that appear in threat reports face similar treatment? Could proxy services or bulletproof hosting providers come next? The Treasury has expanded its cyber sanctions program steadily. This case tests how far that expansion reaches into consumer privacy tools.
Privacy advocates worry about collateral effects. Legitimate users in authoritarian countries rely on VPNs to bypass censorship. Overly broad actions could chill innovation or drive users toward even less accountable services. Officials counter that the designations rest on specific evidence of material support to ransomware, not generalized suspicion.
The 1VPNS case offers a study in persistence. Investigators tracked the service from 2021 onward. They documented its presence in forum advertisements, its refusal to log, its customer base. The European bust provided the operational disruption. Sanctions deliver the financial and reputational blow. Together they form a layered strategy increasingly common in cyber enforcement.
Shortly after the announcement, security researchers noted fresh advertisements for replacement services on the same forums once frequented by 1VPNS. Criminal markets move fast. Yet the sanctions add friction. They force due diligence on buyers and sellers alike. They also warn legitimate VPN companies: monitor your users, respond to abuse reports, cooperate with lawful requests.
In the end, this first-of-its-kind action against a VPN provider changes the calculus. It tells the underground economy that the anonymity business carries new risks. For defenders watching billions in annual losses, any increase in attacker friction counts as progress. The real test will come in whether subsequent ransomware campaigns show measurable disruption or simply route around the latest obstacle.
Recent coverage from CyberScoop highlighted the joint U.S.-U.K. coordination and the service’s decade-long presence on crime forums. The Record emphasized the billions in losses to critical infrastructure and the use of false identities by Rashevskyi. The Hacker News detailed victim sectors including hospitals and municipal governments. Each account reinforces the same core facts drawn from the official Treasury release while adding operational color.


WebProNews is an iEntry Publication