US Treasury Sanctions First VPN Service that Helped Ransomware Actors Attack Organizations

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on First VPN Service (1VPNS), a VPN provider accused of supplying infrastructure to ransomware groups targeting American organizations.

The action also targets 1VPNS administrator Dmytro Rashevskyi and malware-obfuscation service provider Yegeniy Vladimirovich Silayev.

According to the Treasury, ransomware operators used 1VPNS infrastructure to conceal their origin, deploy malicious payloads, and manage stolen data during extortion operations.

Victims reportedly included U.S. businesses, financial-services firms, hospitals, and municipal governments. The ransomware activity caused billions of dollars in losses across U.S. businesses and critical infrastructure providers.

VPN technology has legitimate privacy and security applications, allowing users to encrypt network traffic and mask their IP addresses.

U.S. Treasury Targets VPN

However, OFAC said 1VPNS marketed itself directly on cybercriminal forums and promoted a no-logs policy, along with a refusal to cooperate with law-enforcement inquiries related to malicious activity originating from its servers.

Treasury said the service had advertised on multiple criminal forums since 2014 . Rashevskyi allegedly used false identities, including “Maksim Sorin” and “Roman Chabanenko,” to purchase servers and other infrastructure from providers that would otherwise have rejected his business due to abuse complaints.

The sanctions follow a May 2026 international law-enforcement operation that disrupted the 1VPNS website and associated infrastructure. European authorities conducted the action with support from the FBI’s Boston Field Office.

The FBI also issued a cybersecurity advisory outlining indicators and tactics associated with the service, intended to help organizations identify and prevent ransomware intrusions. OFAC also designated Silayev, described as a Belarusian national who supplied “cryptors” to ransomware operators.

Cryptors are tools designed to package, encrypt, or obfuscate malware so that it appears benign and can evade antivirus engines, endpoint detection tools, and other security controls.

Unlike ordinary encryption software designed to protect legitimate data, Treasury said these services were used to make malware stealthier and more effective against U.S. and allied targets.

The designations were issued under Executive Order 13694, as amended, and support Executive Order 14390, signed in March 2026, which directs federal agencies to counter foreign cybercrime, fraud, extortion, and related threats.

As a result, all property and interests belonging to the named individuals and entity within U.S. jurisdiction are blocked.

U.S. persons are generally prohibited from conducting transactions involving the sanctioned parties unless authorized by OFAC. The restrictions also extend to entities owned 50% or more by one or more blocked persons.

The action was coordinated with the United Kingdom’s Foreign, Commonwealth & Development Office, which also announced sanctions against cybercriminals and their enablers.

Treasury said the move reflects a broader strategy to disrupt the services that ransomware groups depend on, including anonymous hosting, VPN access, malware obfuscation, and stolen-data management infrastructure.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.