// 2 ZERO-DAY · 1 CVE · 1 EXPLOIT · 1 ADVISORY IN THE LAST 24H
The Treasury Department sanctions First VPN Service and its Ukrainian administrator for supporting ransomware groups. It marks the first time OFAC has targeted a VPN provider, extending enforcement from criminals to their enabling infrastructure.

On July 13, 2026, the U.S. Department of the Treasury sanctioned First VPN Service (1VPNS) and its Ukrainian administrator, Dmytro Rashevskyi, for providing anonymization services to ransomware groups. It is the first time the Office of Foreign Assets Control (OFAC) has struck a VPN provider, extending the line of fire from criminals to their enabling infrastructure. The action follows a European takedown two months earlier that dismantled 33 servers and seized user databases.

Key Takeaways
  • The Treasury OFAC designated 1VPNS, Rashevskyi, and Belarusian cryptor provider Yegeniy Silayev on July 13, 2026: the first U.S. sanction against a VPN provider.
  • Rashevskyi operated from 2014 using false identities ("Maksim Sorin," "Roman Chabanenko") to evade infrastructure provider vetting.
  • 1VPNS promised a no-log policy and refusal to cooperate with law enforcement, marketing on Russian-speaking cybercrime forums.
  • The Treasury did not name the specific ransomware groups involved; victims include U.S. municipalities, hospitals, schools, and businesses with losses in the billions of dollars.

The 1VPNS Business Model: Anonymity as a Service

First VPN Service operated from 2014 as a specialized provider for a well-defined market: organized cybercrime actors. Rashevskyi managed the platform by systematically using false identities to purchase servers and infrastructure from providers that would otherwise have refused the business. The names "Maksim Sorin" and "Roman Chabanenko" — explicitly cited in the Treasury release — functioned as an additional operational layer, masking the service's true ownership.

1VPNS marketing centered on two promises: no log retention and no cooperation with authorities. While legitimate for privacy-oriented providers, these features were sold on Russian-speaking cybercrime forums as a guarantee of judicial immunity. The Treasury emphasized the platform was used by ransomware groups whose attacks hit U.S. municipalities, hospitals, schools, businesses, and financial services firms, causing — by the Treasury's estimate — losses in the billions of dollars.

The European Operation That Laid the Groundwork

The OFAC sanction did not come out of nowhere. On May 19–20, 2026, European law enforcement with FBI support conducted a coordinated takedown of 1VPNS infrastructure. The operation, documented by Europol, resulted in the dismantling of 33 servers and the seizure of the user database. Edvardas Sileris, head of the European Cybercrime Centre at Europol, stated: "For years, cybercriminals considered this VPN service a gateway to anonymity. They believed it put them beyond the reach of law enforcement. This operation proves they were wrong."

The May operation included residential searches and interrogations, though the dossier does not specify whether Rashevskyi was arrested. Transatlantic coordination continued with the Treasury's July action, which converts the European operational result into a permanent legal constraint: the blocking of property and transactions for any person subject to U.S. jurisdiction.

"Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people." — Gene Lange, Treasury, performing the duties of Under Secretary for Terrorism and Financial Intelligence

Sanctions Extended: From Criminals to Their Suppliers

The July 13 OFAC action designated three entities: 1VPNS as a company, Rashevskyi as administrator, and Yegeniy Vladimirovich Silayev as an independent provider. Silayev, a Belarusian national, was sanctioned for producing and selling "cryptors" — tools designed to disguise ransomware and other malware as legitimate programs, evading antivirus and EDR detection. The Treasury explicitly stated these tools are distinct from "legitimate encryption tools," drawing a clear line between legitimate cryptography and security evasion.

The sanction rests on Executive Order 13694 as amended, and EO 14390 of March 6, 2026. The mechanism blocks any property or interest in property of the designated entities that comes within the possession or control of U.S. persons, and prohibits transactions involving them. The action is coordinated with the UK Foreign, Commonwealth & Development Office (FCDO), which simultaneously sanctioned other cybercriminals not directly linked to 1VPNS.

Why It Matters

The dossier does not specify whether other VPN providers similar to 1VPNS are under scrutiny, nor does it document compliance guidelines for the industry. The Treasury has not disclosed the names of the ransomware groups that used the service, making it impossible to map the enabled criminal ecosystem. It also does not indicate whether the user database seized in the May operation has already spawned derivative investigations or new designations.

The exact nature of the damage — beyond the generic citation of "billions of dollars" — is not detailed in a verifiable way. The brief does not document the current state of 1VPNS infrastructure after the May takedown: whether remnants of the service persist in fragmented form, or whether the financial sanction has closed off any possibility of operational revival. Finally, the specific content of an FBI cybersecurity advisory mentioned by the Treasury is not reported in the dossier.

A Signal for the Privacy Industry

The regulatory novelty is precise: for the first time, Washington strikes not only those who execute ransomware, but those who provide the tools that make it possible. The sanction simultaneously hits two layers of the ecosystem — anonymization (VPN) and evasion (cryptors) — with a criminal value-chain disruption strategy that until now remained theoretical. For IT service providers, the consequence is an expansion of compliance risk: the "no-questions-asked" clientele is no longer just ethically controversial, but potentially sanctionable.

Marketing based on "no logs" and "no cooperation" — a widespread practice in the commercial privacy sector — now assumes a dual valence. From a legitimate guarantee of confidentiality for lawful users, it can become a regulatory risk indicator when associated with criminal distribution channels. The line of demarcation, until today managed at the level of corporate reputation, may translate into due-diligence checks imposed by international compliance frameworks.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. therecord.media
  2. mlex.com
  3. news.az
  4. home.treasury.gov
  5. recordedfuture.com