US Treasury Sanctions First VPN Service for Ransomware Support

US Sanctions VPN Provider 1VPNS for Enabling Ransomware Gangs

HIGH
July 14, 2026
4m read
Policy and ComplianceThreat ActorRansomware

Related Entities

Organizations

U.S. Department of the Treasury Office of Foreign Assets Control (OFAC)Federal Bureau of Investigation (FBI) UK Foreign, Commonwealth & Development Office (FCDO)

Other

First VPN Service (1VPNS)Dmytro RashevskyiYegeniy Vladimirovich Silayev

Full Report

Executive Summary

On July 13, 2026, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS), its administrator, and a malware obfuscation service provider for their critical roles in supporting the ransomware ecosystem. The sanctions target 1VPNS for knowingly providing infrastructure that allowed ransomware groups to hide their activities while attacking U.S. critical infrastructure, including hospitals and financial firms. Also sanctioned were Ukrainian national Dmytro Rashevskyi, the administrator of 1VPNS, and Belarusian national Yegeniy Vladimirovich Silayev, who sold 'cryptors'—services that disguise malware to evade antivirus detection. This action, coordinated with the UK and the FBI, highlights a strategic focus on disrupting the foundational services that enable cybercrime, moving beyond targeting just the ransomware operators themselves.

Regulatory Details

The sanctions were issued under Executive Order 13694, which targets individuals and entities involved in malicious cyber-enabled activities. The designation makes it illegal for any U.S. person or entity to conduct business with 1VPNS, Rashevskyi, or Silayev. All assets of the sanctioned parties that are within U.S. jurisdiction are frozen.

  • Targeted Entity: First VPN Service (1VPNS), a VPN provider that advertised its non-cooperation with law enforcement and lack of logging.
  • Targeted Individuals:
    • Dmytro Rashevskyi (Ukraine), administrator of 1VPNS.
    • Yegeniy Vladimirovich Silayev (Belarus), seller of malware crypting services.
  • Coordination: The action was taken in partnership with the United Kingdom's Foreign, Commonwealth & Development Office (FCDO) and followed an infrastructure takedown operation in May 2026 involving the FBI.

This move is part of a broader government strategy to treat ransomware as a national security threat and to use all instruments of national power, including financial sanctions, to combat it.

Affected Organizations

  • First VPN Service (1VPNS): The service is now effectively blacklisted from the global financial system and its infrastructure is subject to seizure.
  • Ransomware Groups: The primary customers of 1VPNS and Silayev. The disruption of these services makes it more difficult and costly for them to operate anonymously and effectively.
  • U.S. and Allied Entities: The action aims to protect U.S. critical infrastructure and businesses that have been victimized by ransomware groups using these services.

Compliance Requirements

For U.S. persons and entities, the compliance requirements are strict and immediate:

  1. Cease All Transactions: Immediately cease any and all direct or indirect dealings with the sanctioned entities and individuals.
  2. Block Property: Any property or interests in property of the sanctioned parties that come into the possession of a U.S. person must be blocked and reported to OFAC.
  3. Enhanced Due Diligence: Financial institutions and technology companies must update their screening lists and compliance programs to ensure they do not inadvertently provide services to these designated parties or their proxies.

Implementation Timeline

  • May 2026: Joint law enforcement operation dismantles 1VPNS infrastructure.
  • July 13, 2026: OFAC announces sanctions against 1VPNS, Rashevskyi, and Silayev.

Impact Assessment

Sanctioning foundational infrastructure and services is a strategic move designed to disrupt the entire cybercriminal supply chain.

  • Increased Operational Cost for Attackers: By removing a popular 'bulletproof' VPN service, attackers are forced to find alternatives, which may be more expensive, less reliable, or more easily tracked by law enforcement.
  • Reduced Malware Efficacy: Targeting cryptor services like the one run by Silayev makes it harder for attackers to bypass modern antivirus and EDR solutions, increasing the chances of their malware being detected early.
  • Deterrent Effect: This action sends a strong message to other providers of illicit cyber services that they are not immune from law enforcement and financial sanctions, potentially deterring others from entering or continuing in this market.

Enforcement & Penalties

Violations of OFAC sanctions can result in severe penalties, including civil fines of up to hundreds of thousands of dollars per violation and, for willful violations, criminal penalties including up to 20 years in prison and fines of up to $1 million.

Compliance Guidance

  • Update Sanctions Screening Lists: All organizations, particularly those in the financial and technology sectors, must immediately update their sanctions screening software and lists to include 1VPNS, Dmytro Rashevskyi, and Yegeniy Vladimirovich Silayev.
  • Review Network Logs: While not a compliance requirement, it would be prudent for organizations to review historical network and VPN logs for any connections to infrastructure known to be associated with 1VPNS. This could indicate past or ongoing exposure to threat actors who used the service.
  • Threat Intelligence Integration: Threat intelligence platforms should be updated with information about these sanctioned entities to improve detection of associated malicious activity.

Timeline of Events

1
January 1, 2014
First VPN Service (1VPNS) begins operations.
2
May 1, 2026
A joint law enforcement operation dismantles the website and infrastructure of 1VPNS.
3
July 13, 2026
The U.S. Treasury Department announces sanctions against 1VPNS and its enablers.
4
July 14, 2026
This article was published

MITRE ATT&CK Mitigations

Behavioral-based antivirus and EDR are crucial for detecting malware even after it has been obfuscated by a cryptor.

Blocking traffic to and from known malicious IP ranges, including those associated with bulletproof VPNs, can disrupt C2 communications.

Timeline of Events

1
January 1, 2014

First VPN Service (1VPNS) begins operations.

2
May 1, 2026

A joint law enforcement operation dismantles the website and infrastructure of 1VPNS.

3
July 13, 2026

The U.S. Treasury Department announces sanctions against 1VPNS and its enablers.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

SanctionsOFACTreasuryRansomwareVPNCybercrime1VPNS

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.