US Treasury Sanctions First VPN Service Over Support for Ransomware Attacks


The U.S. Department of the Treasury has sanctioned First VPN Service, also known as 1VPNS, for allegedly providing network infrastructure to ransomware groups and other cybercriminals. The action also targets the service’s administrator, Dmytro Rashevskyi, and Belarusian malware obfuscation provider Yegeniy Vladimirovich Silayev.

The July 13, 2026 action blocks the U.S.-linked property and financial interests of the designated parties. According to the Treasury sanctions announcement, ransomware operators used 1VPNS infrastructure to hide their locations, deploy malware and manage stolen data during attacks against American organizations.

Treasury identified U.S. businesses, financial services companies, hospitals and municipal governments among the victims of attacks involving the service. The department said ransomware groups that used services supplied by the sanctioned parties caused billions of dollars in losses to U.S. businesses and critical infrastructure providers.

Who Did OFAC Sanction?

The Office of Foreign Assets Control, or OFAC, designated one entity and two individuals under U.S. authorities covering malicious cyber activity. The official OFAC designation notice lists First VPN Service under several alternative names, including 1VPNS, FIRSTVPN and FVPNS.

Designated partyRole described by TreasuryAlleged activity
First VPN Service (1VPNS)VPN and network infrastructure providerSupplied infrastructure used by ransomware groups and other cybercriminals
Dmytro Rashevskyi1VPNS administratorManaged the service and allegedly obtained infrastructure through false identities
Yegeniy Vladimirovich SilayevCryptor providerSupplied malware encryption and obfuscation services to ransomware operators

Treasury said 1VPNS had advertised on online cybercriminal forums since 2014. Its promotions reportedly stressed that the service did not retain logs of customer identities or activities and would not cooperate with investigations into illegal conduct originating from rented servers.

How Ransomware Groups Used 1VPNS

A VPN routes a user’s traffic through an intermediary server, which can conceal the original IP address and encrypt part of the connection. Companies and individuals use legitimate VPN services to secure remote access and protect traffic on untrusted networks. Criminal operators can misuse the same technology to make investigations and network attribution more difficult.

The FBI said at least 25 ransomware groups, including Avaddon, used First VPN Service infrastructure for reconnaissance and intrusions. Its First VPN takedown announcement also connected the service’s IP addresses with scanning, botnets, denial-of-service attacks, scams and hacking.

Investigators linked 1VPNS infrastructure to several stages of malicious operations:

  • Scanning internet-facing systems for exposed services
  • Conducting reconnaissance before an intrusion
  • Connecting to victim environments with stolen accounts
  • Hiding the source of malware deployment
  • Managing or transferring data stolen from victims
  • Supporting denial-of-service and botnet activity

The service offered exit nodes in about 27 countries, including servers in California, Florida and New York. Customers could pay with cryptocurrency and route connections through multiple nodes to make their traffic more difficult to trace, according to the FBI’s First VPN Service FLASH advisory.

International Operation Disrupted the VPN

The sanctions followed an international operation in May 2026 that took down First VPN Service’s websites and other infrastructure. French and Dutch law enforcement agencies conducted the operation with assistance from Ukraine, the United Kingdom, Switzerland and Luxembourg. The FBI’s Boston Field Office and Cyber Division provided technical assistance and shared investigative information.

Visitors to the former 1VPNS websites now see a law enforcement seizure notice. The FBI operation summary said the bureau had worked with international partners on the investigation since at least 2021.

The law enforcement action disrupted the service’s immediate infrastructure, while the Treasury designations add financial and legal restrictions. Together, the measures target both the technology and business relationships that supported the alleged criminal operation.

Why Treasury Also Sanctioned a Cryptor Provider

OFAC separately sanctioned Silayev for allegedly supplying cryptors to ransomware operators targeting U.S. and allied organizations. Criminal cryptors encrypt, package or alter malware so that security products may mistake it for a harmless program.

These tools differ from legitimate encryption products that protect files, messages and network traffic. Malware cryptors focus on evading antivirus software, endpoint detection products and automated analysis systems.

The Treasury ransomware action described Silayev as a Belarusian national who provided encryption and obfuscation services. OFAC accused him of materially assisting cyber-enabled activity involving ransomware attacks against U.S. persons and allied entities.

What the Sanctions Mean

OFAC issued the designations under Executive Order 13694, as amended. The action also supports Executive Order 14390 of March 6, 2026, which directs U.S. agencies to counter foreign cybercrime, fraud, extortion and related schemes.

RestrictionPractical effect
Asset blockingProperty and interests in property under U.S. jurisdiction must be blocked and reported to OFAC.
Transaction prohibitionU.S. persons generally cannot conduct transactions involving the designated parties without authorization or an applicable exemption.
50 percent ruleEntities owned 50 percent or more, directly or indirectly, by blocked persons are also blocked.
Enforcement exposureSanctions violations may lead to civil or criminal penalties.

Organizations should update sanctions screening systems with the names, aliases and identifiers published in the OFAC cyber-related designations. Financial institutions, hosting companies, cryptocurrency services and network providers should also review historical relationships connected to the listed parties.

Security Steps for Organizations

Security teams should not treat every connection from a commercial VPN as malicious. VPN exit addresses can change ownership or serve legitimate users. Investigators should combine network indicators with authentication records, endpoint activity and other evidence.

The FBI’s 1VPNS cybersecurity advisory recommends layered controls that cover remote access, identities and network monitoring. Organizations should prioritize the following measures:

  • Review historical traffic involving listed 1VPNS domains and IP addresses.
  • Monitor connections from unapproved VPN, proxy and hosting networks.
  • Require multifactor authentication for remote access, SSH, RDP and cloud services.
  • Restrict administrative services to managed devices and trusted networks.
  • Investigate impossible travel, unfamiliar locations and concurrent sessions from distant regions.
  • Close unnecessary internet-facing ports and management services.
  • Segment networks and limit privileges to reduce lateral movement.
  • Correlate IP indicators with identity, endpoint and behavioral telemetry.

The sanctions show how U.S. authorities are expanding ransomware disruption beyond the groups that encrypt victim systems. Infrastructure providers, malware developers and other specialist services can face law enforcement action and financial restrictions when authorities link their operations to attacks.

FAQ

Why did the US Treasury sanction First VPN Service?

The Treasury said 1VPNS sold infrastructure to ransomware groups and other cybercriminals. Attackers allegedly used the service to conceal their locations, deploy malware and manage stolen data.

Who was sanctioned with 1VPNS?

OFAC also sanctioned 1VPNS administrator Dmytro Rashevskyi and Belarusian cryptor provider Yegeniy Vladimirovich Silayev.

How many ransomware groups used First VPN Service?

The FBI said at least 25 ransomware groups, including Avaddon, used First VPN Service infrastructure for reconnaissance and network intrusions.

What happens when OFAC sanctions an entity?

Property under US jurisdiction must generally be blocked and reported. US persons usually cannot conduct transactions involving the designated party unless OFAC authorizes the activity or an exemption applies.

Should organizations block every VPN connection?

No. Many people and businesses use VPNs for legitimate security and privacy purposes. Security teams should assess listed indicators alongside authentication logs, endpoint telemetry and behavioral evidence.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages