- The US Treasury has sanctioned the administrator of First VPN for assisting in ransomware attacks on US infrastructure
- Another suspect was targeted for selling “crypters” that hide malware from security systems.
- The move follows a May 2026 takedown by European law enforcement and the FBI who seized the VPN infrastructure.
The US government has officially issued sanctions against the operators of a notorious free virtual private network, intensifying a global offensive against the digital infrastructure used to facilitate ransomware attacks.
On Monday (July 13), the US Treasury Department’s Office of Foreign Assets Control (OFAC) named First VPN Service (also known as 1VPNS) and its Ukrainian administrator, Dmytro Rashevskyi, for inciting cybercriminals. The service, which has been in operation since 2014, was greatly favored by ransomware gangs that targeted American hospitals, municipalities and companies.
While the best VPN services are designed to protect everyday consumer privacy, fraudulent networks like First VPN provided malicious actors with the tools to “hide the origins of their attacks, deploy malware, and manage exfiltrated data,” according to a press release from the Treasury Department.
As part of the same action, the Treasury also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national accused of selling “cryptosters” to ransomware operators.
While Silayev is not directly affiliated with First VPN, his inclusion in the sanctions package highlights a broader strategy targeting the cybercriminals’ entire supply chain. Cryptors are tools specifically designed to disguise ransomware as harmless files, preventing security systems from detecting or disabling the malware.
A paradise for cybercriminals
The latest action from the US Treasury is an update to an ongoing international operation against First VPN.
In a massive takedown in May 2026, a coordinated effort led by European law enforcement agencies and the FBI successfully seized the service’s website and server infrastructure.
Before the crash, Rashevskyi aggressively marketed First VPN on dark web forums. To lure cybercriminals, it promised complete anonymity and boasted that the network “keeps no logs of user identities or activities, and refuses to cooperate with law enforcement investigations into illegal activities originating from the servers it rents to customers.”
According to the US Treasury, Rashevskyi did everything he could to keep the operation going. He used fake identities, such as “Maksim Sorin” and “Roman Chabanenko,” to “purchase infrastructure from companies that might otherwise refuse to do business with him due to abuse complaints by Internet service providers about illegal activities originating from 1VPNS servers.”
Disrupting the cybercriminal ecosystem
This latest wave of sanctions was coordinated alongside the UK’s Foreign, Commonwealth and Development Office (FCDO) and carries serious consequences for those designated.
Under the new sanctions, all property and interests belonging to Rashevskyi and Silayev within the United States are blocked, and American citizens are strictly prohibited from conducting transactions with them. Beyond the immediate financial freeze, OFAC sanctions represent a massive reputational blow designed to choke off future revenue streams.
By focusing on the service providers and tools that facilitate these attacks, rather than just the ransomware operators themselves, authorities aim to maximize their impact and disrupt multiple gangs at once.
“Under President Trump’s leadership, Treasury is using every tool available to disrupt the cybercriminal ecosystem and protect the American people,” said Gene Lange, who serves as Under Secretary for Terrorism and Financial Intelligence. “We will continue to target actors who enable ransomware attacks against Americans and our critical infrastructure.”




