- The US Treasury has sanctioned First VPN’s administrator for aiding ransomware attacks on American infrastructure
- Another suspect was targeted for selling “cryptors” that cloak malware from security systems
- The move follows a May 2026 takedown by European law enforcement and the FBI that seized the VPN’s infrastructure
The United States government has officially issued sanctions against the operators of a notorious free virtual private network, escalating a global crackdown on digital infrastructure used to facilitate ransomware attacks.
On Monday (July 13), the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated First VPN Service (also known as 1VPNS) and its Ukrainian administrator, Dmytro Rashevskyi, for abetting cybercriminals. The service, which has operated since 2014, was heavily favored by ransomware gangs targeting American hospitals, municipalities, and businesses.
While the best VPN services are designed to protect everyday consumer privacy, rogue networks like First VPN provided malicious actors with the tools to “hide the origins of their attacks, deploy malware, and manage exfiltrated data,” according to a Treasury Department press release.
As part of the same action, the Treasury also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national accused of selling “cryptors” to ransomware operators.
While Silayev is not directly affiliated with First VPN, his inclusion in the sanctions package highlights a broader strategy of targeting the entire cybercriminal supply chain. Cryptors are tools specifically built to disguise ransomware as harmless files, preventing security systems from detecting or deactivating the malware.
A haven for cybercriminals
The US Treasury’s latest move is an update to an ongoing international operation against First VPN.
In a massive May 2026 takedown, a coordinated effort led by European law enforcement agencies and the FBI successfully seized the service’s website and server infrastructure.
Prior to the takedown, Rashevskyi aggressively marketed First VPN on dark web forums. To lure cybercriminals, he promised total anonymity and boasted that the network “does not keep logs of users’ identities or activities, and that it refuses to cooperate with law enforcement investigations into illegal activity originating from the servers it rents to customers”.
According to the US Treasury, Rashevskyi went to great lengths to keep the operation running. He utilized false identities, such as “Maksim Sorin” and “Roman Chabanenko,” to “buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers”.
Disrupting the cybercriminal ecosystem
This latest wave of sanctions was coordinated alongside the United Kingdom’s Foreign, Commonwealth & Development Office (FCDO) and carries severe consequences for the designated individuals.
Under the new sanctions, all property and interests belonging to Rashevskyi and Silayev within the US are blocked, and US citizens are strictly prohibited from engaging in any transactions with them. Beyond the immediate financial freeze, OFAC sanctions serve as a massive reputational blow designed to choke off future revenue streams.
By focusing on the service providers and tool suppliers who facilitate these attacks, rather than just the ransomware operators themselves, authorities are aiming to maximize their impact and disrupt multiple gangs at once.
“Under President Trump’s leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people,” said Gene Lange, who is performing the duties of the Under Secretary for Terrorism and Financial Intelligence. “We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure”.
