On July 13, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS), its administrator, and a malware obfuscation service provider for their critical roles in supporting the ransomware ecosystem. The sanctions target 1VPNS for knowingly providing infrastructure that allowed ransomware groups to hide their activities while attacking U.S. critical infrastructure, including hospitals and financial firms. Also sanctioned were Ukrainian national Dmytro Rashevskyi, the administrator of 1VPNS, and Belarusian national Yegeniy Vladimirovich Silayev, who sold 'cryptors'—services that disguise malware to evade antivirus detection. This action, coordinated with the UK and the FBI, highlights a strategic focus on disrupting the foundational services that enable cybercrime, moving beyond targeting just the ransomware operators themselves.
The sanctions were issued under Executive Order 13694, which targets individuals and entities involved in malicious cyber-enabled activities. The designation makes it illegal for any U.S. person or entity to conduct business with 1VPNS, Rashevskyi, or Silayev. All assets of the sanctioned parties that are within U.S. jurisdiction are frozen.
This move is part of a broader government strategy to treat ransomware as a national security threat and to use all instruments of national power, including financial sanctions, to combat it.
For U.S. persons and entities, the compliance requirements are strict and immediate:
Sanctioning foundational infrastructure and services is a strategic move designed to disrupt the entire cybercriminal supply chain.
Violations of OFAC sanctions can result in severe penalties, including civil fines of up to hundreds of thousands of dollars per violation and, for willful violations, criminal penalties including up to 20 years in prison and fines of up to $1 million.
Behavioral-based antivirus and EDR are crucial for detecting malware even after it has been obfuscated by a cryptor.
Blocking traffic to and from known malicious IP ranges, including those associated with bulletproof VPNs, can disrupt C2 communications.
First VPN Service (1VPNS) begins operations.
A joint law enforcement operation dismantles the website and infrastructure of 1VPNS.
The U.S. Treasury Department announces sanctions against 1VPNS and its enablers.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.