US Treasury Sanctions First VPN Service Over Support for Ransomware Attacks
The U.S. Department of the Treasury has sanctioned First VPN Service, also known as 1VPNS, for allegedly providing network infrastructure to ransomware groups and other cybercriminals. The action also targets the service’s administrator, Dmytro Rashevskyi, and Belarusian malware obfuscation provider Yegeniy Vladimirovich Silayev.
The July 13, 2026 action blocks the U.S.-linked property and financial interests of the designated parties. According to the Treasury sanctions announcement, ransomware operators used 1VPNS infrastructure to hide their locations, deploy malware and manage stolen data during attacks against American organizations.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Treasury identified U.S. businesses, financial services companies, hospitals and municipal governments among the victims of attacks involving the service. The department said ransomware groups that used services supplied by the sanctioned parties caused billions of dollars in losses to U.S. businesses and critical infrastructure providers.
Who Did OFAC Sanction?
The Office of Foreign Assets Control, or OFAC, designated one entity and two individuals under U.S. authorities covering malicious cyber activity. The official OFAC designation notice lists First VPN Service under several alternative names, including 1VPNS, FIRSTVPN and FVPNS.
| Designated party | Role described by Treasury | Alleged activity |
|---|---|---|
| First VPN Service (1VPNS) | VPN and network infrastructure provider | Supplied infrastructure used by ransomware groups and other cybercriminals |
| Dmytro Rashevskyi | 1VPNS administrator | Managed the service and allegedly obtained infrastructure through false identities |
| Yegeniy Vladimirovich Silayev | Cryptor provider | Supplied malware encryption and obfuscation services to ransomware operators |
Treasury said 1VPNS had advertised on online cybercriminal forums since 2014. Its promotions reportedly stressed that the service did not retain logs of customer identities or activities and would not cooperate with investigations into illegal conduct originating from rented servers.
How Ransomware Groups Used 1VPNS
A VPN routes a user’s traffic through an intermediary server, which can conceal the original IP address and encrypt part of the connection. Companies and individuals use legitimate VPN services to secure remote access and protect traffic on untrusted networks. Criminal operators can misuse the same technology to make investigations and network attribution more difficult.
The FBI said at least 25 ransomware groups, including Avaddon, used First VPN Service infrastructure for reconnaissance and intrusions. Its First VPN takedown announcement also connected the service’s IP addresses with scanning, botnets, denial-of-service attacks, scams and hacking.
Investigators linked 1VPNS infrastructure to several stages of malicious operations:
- Scanning internet-facing systems for exposed services
- Conducting reconnaissance before an intrusion
- Connecting to victim environments with stolen accounts
- Hiding the source of malware deployment
- Managing or transferring data stolen from victims
- Supporting denial-of-service and botnet activity
The service offered exit nodes in about 27 countries, including servers in California, Florida and New York. Customers could pay with cryptocurrency and route connections through multiple nodes to make their traffic more difficult to trace, according to the FBI’s First VPN Service FLASH advisory.
International Operation Disrupted the VPN
The sanctions followed an international operation in May 2026 that took down First VPN Service’s websites and other infrastructure. French and Dutch law enforcement agencies conducted the operation with assistance from Ukraine, the United Kingdom, Switzerland and Luxembourg. The FBI’s Boston Field Office and Cyber Division provided technical assistance and shared investigative information.
Visitors to the former 1VPNS websites now see a law enforcement seizure notice. The FBI operation summary said the bureau had worked with international partners on the investigation since at least 2021.
The law enforcement action disrupted the service’s immediate infrastructure, while the Treasury designations add financial and legal restrictions. Together, the measures target both the technology and business relationships that supported the alleged criminal operation.
Why Treasury Also Sanctioned a Cryptor Provider
OFAC separately sanctioned Silayev for allegedly supplying cryptors to ransomware operators targeting U.S. and allied organizations. Criminal cryptors encrypt, package or alter malware so that security products may mistake it for a harmless program.
These tools differ from legitimate encryption products that protect files, messages and network traffic. Malware cryptors focus on evading antivirus software, endpoint detection products and automated analysis systems.
The Treasury ransomware action described Silayev as a Belarusian national who provided encryption and obfuscation services. OFAC accused him of materially assisting cyber-enabled activity involving ransomware attacks against U.S. persons and allied entities.
What the Sanctions Mean
OFAC issued the designations under Executive Order 13694, as amended. The action also supports Executive Order 14390 of March 6, 2026, which directs U.S. agencies to counter foreign cybercrime, fraud, extortion and related schemes.
| Restriction | Practical effect |
|---|---|
| Asset blocking | Property and interests in property under U.S. jurisdiction must be blocked and reported to OFAC. |
| Transaction prohibition | U.S. persons generally cannot conduct transactions involving the designated parties without authorization or an applicable exemption. |
| 50 percent rule | Entities owned 50 percent or more, directly or indirectly, by blocked persons are also blocked. |
| Enforcement exposure | Sanctions violations may lead to civil or criminal penalties. |
Organizations should update sanctions screening systems with the names, aliases and identifiers published in the OFAC cyber-related designations. Financial institutions, hosting companies, cryptocurrency services and network providers should also review historical relationships connected to the listed parties.
Security Steps for Organizations
Security teams should not treat every connection from a commercial VPN as malicious. VPN exit addresses can change ownership or serve legitimate users. Investigators should combine network indicators with authentication records, endpoint activity and other evidence.
The FBI’s 1VPNS cybersecurity advisory recommends layered controls that cover remote access, identities and network monitoring. Organizations should prioritize the following measures:
- Review historical traffic involving listed 1VPNS domains and IP addresses.
- Monitor connections from unapproved VPN, proxy and hosting networks.
- Require multifactor authentication for remote access, SSH, RDP and cloud services.
- Restrict administrative services to managed devices and trusted networks.
- Investigate impossible travel, unfamiliar locations and concurrent sessions from distant regions.
- Close unnecessary internet-facing ports and management services.
- Segment networks and limit privileges to reduce lateral movement.
- Correlate IP indicators with identity, endpoint and behavioral telemetry.
The sanctions show how U.S. authorities are expanding ransomware disruption beyond the groups that encrypt victim systems. Infrastructure providers, malware developers and other specialist services can face law enforcement action and financial restrictions when authorities link their operations to attacks.
FAQ
The Treasury said 1VPNS sold infrastructure to ransomware groups and other cybercriminals. Attackers allegedly used the service to conceal their locations, deploy malware and manage stolen data.
OFAC also sanctioned 1VPNS administrator Dmytro Rashevskyi and Belarusian cryptor provider Yegeniy Vladimirovich Silayev.
The FBI said at least 25 ransomware groups, including Avaddon, used First VPN Service infrastructure for reconnaissance and network intrusions.
Property under US jurisdiction must generally be blocked and reported. US persons usually cannot conduct transactions involving the designated party unless OFAC authorizes the activity or an exemption applies.
No. Many people and businesses use VPNs for legitimate security and privacy purposes. Security teams should assess listed indicators alongside authentication logs, endpoint telemetry and behavioral evidence.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages