- The US Treasury Department has sanctioned First VPN’s administrator for aiding ransomware attacks on US infrastructure
- Another suspect was targeted for selling “encryptions” that hide malware from security systems
- The move follows a May 2026 takedown of European law enforcement and the FBI seizing the VPN’s infrastructure
The US government has officially issued sanctions against the operators of a notorious free virtual private network, escalating a global crackdown on digital infrastructure used to facilitate ransomware attacks.
On Monday (July 13), the US Treasury’s Office of Foreign Assets Control (OFAC) designated First VPN Service (also known as 1VPNS) and its Ukrainian administrator, Dmytro Rashevskyi, for supporting cybercriminals. The service, which has been operating since 2014, was heavily favored by ransomware gangs targeting US hospitals, municipalities and businesses.
While the best VPN services are designed to protect the privacy of everyday consumers, rogue networks like First VPN provided malicious actors with the tools to “disguise the origin of their attacks, deploy malware and manage exfiltrated data,” according to a Treasury Department press release.
As part of the same action, the Treasury Department also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national accused of selling “encryptors” to ransomware operators.
While Silayev is not directly associated with First VPN, his inclusion in the sanctions package highlights a broader strategy to target the entire cybercriminal supply chain. Cryptors are tools specifically built to disguise ransomware as harmless files, preventing security systems from detecting or disabling the malware.
A haven for cybercriminals
The US Treasury Department’s latest move is an update to an ongoing international operation against First VPN.
In a massive takedown in May 2026, a coordinated effort led by European law enforcement agencies and the FBI successfully seized the service’s website and server infrastructure.
Before the takedown, Rashevskyi aggressively marketed First VPN on dark web forums. To lure cybercriminals, he promised total anonymity and boasted that the network “keeps no logs of users’ identities or activities, and that it refuses to cooperate with law enforcement investigations into illegal activity originating from the servers it leases to customers.”
According to the US Treasury Department, Rashevskyi went to great lengths to keep the operation running. He used false identities, such as “Maksim Sorin” and “Roman Chabanenko,” to “purchase infrastructure from companies that would otherwise refuse to do business with him due to abuse complaints from ISPs about illegal activity originating from 1VPNS servers.”
To disrupt the cybercriminal ecosystem
This latest wave of sanctions was co-ordinated with the UK’s Foreign, Commonwealth & Development Office (FCDO) and has serious consequences for the designated individuals.
Under the new sanctions, all property and interests belonging to Rashevskyi and Silayev in the United States are blocked, and American citizens are strictly prohibited from engaging in any transactions with them. Beyond the immediate financial freeze, OFAC sanctions serve as a massive reputational blow designed to stifle future revenue streams.
By focusing on the service providers and tool vendors that facilitate these attacks, rather than just the ransomware operators themselves, authorities aim to maximize their impact and disrupt multiple gangs at once.
“Under President Trump’s leadership, the Treasury Department is using every tool available to disrupt the cybercriminal ecosystem and protect the American people,” said Acting Under Secretary for Terrorism and Financial Intelligence Gene Lange. “We will continue to target the actors who enable ransomware attacks against Americans and our critical infrastructure”.



