- US Treasury Sanctions First VPN Administrator for Contributing to Ransomware Attacks Against US Infrastructure
- Another suspect was targeted for selling “encryptors” that hide malware from security systems.
- The move follows a May 2026 takedown by European law enforcement and the FBI who seized the VPN’s infrastructure.
The United States government has officially imposed sanctions against the operators of a popular free virtual private network, intensifying a global crackdown on the digital infrastructure used to facilitate ransomware attacks.
On Monday, July 13, the US Treasury Department’s Office of Foreign Assets Control (OFAC) designated First VPN Service (also known as 1VPNS) and its Ukrainian administrator, Dmytro Rashevskyi, for complicity with cybercriminals. The service, which has been operating since 2014, was heavily favored by ransomware gangs targeting US hospitals, municipalities and businesses.
While the best VPN services are designed to protect everyday consumer privacy, malware networks like First VPN have provided bad actors with the tools to “hide the origins of their attacks, deploy malware, and manage exfiltrated data,” according to a Treasury Department press release.
As part of the same action, the Treasury also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national accused of selling “cryptors” to ransomware operators.
Although Silayev is not directly affiliated with First VPN, his inclusion in the sanctions package highlights a broader strategy to target the entire cybercriminal supply chain. Cryptors are tools specially designed to disguise ransomware as harmless files, preventing security systems from detecting or disabling malware.
A haven for cybercriminals
The latest move from the US Treasury is an update to an ongoing international operation against First VPN.
In a mass takedown in May 2026, a coordinated effort led by European law enforcement and the FBI successfully seized the service’s website and server infrastructure.
Before the takedown, Rashevskyi had aggressively marketed First VPN on dark web forums. To lure cybercriminals, it promised complete anonymity and boasted that the network “does not keep records of users’ identities or activities and refuses to cooperate with law enforcement investigations of illegal activity originating from the servers it rents to its customers.”
According to the U.S. Treasury, Rashevskyi went to great lengths to keep the operation running. He used false identities, such as “Maksim Sorin” and “Roman Chabanenko”, to “purchase infrastructure from companies that would otherwise refuse to do business with him due to complaints of abuse from Internet service providers regarding illegal activities originating from 1VPNS servers.”
Disrupting the cybercriminal ecosystem
This latest wave of sanctions has been coordinated with the UK Foreign, Commonwealth & Development Office (FCDO) and carries serious consequences for those designated.
Under the new sanctions, all property and interests belonging to Rashevskyi and Silayev in the United States are blocked and American citizens are strictly prohibited from carrying out transactions with them. Beyond the immediate financial freeze, the OFAC sanctions constitute a major reputational blow, intended to stifle future revenue streams.
By focusing on the service providers and tool vendors that facilitate these attacks, rather than just the ransomware operators themselves, authorities aim to maximize their impact and dismantle multiple gangs at once.
“Under President Trump’s leadership, Treasury is using every tool available to disrupt the cybercriminal ecosystem and protect the American people,” said Gene Lange, who serves as Under Secretary for Terrorism and Financial Intelligence. “We will continue to target actors who enable ransomware attacks against Americans and our critical infrastructure.”




