The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on First VPN Service (1VPNS), a virtual private network provider accused of facilitating ransomware operations targeting American organizations. This marks the first instance of the U.S. government sanctioning a VPN service for its role in cybercriminal activities.
Alongside 1VPNS, OFAC has also sanctioned Dmytro Rashevskyi, the administrator of 1VPNS, and Yegeniy Vladimirovich Silayev, a provider of malware-obfuscation services. These actions are part of a broader effort to disrupt the infrastructure supporting ransomware attacks.
Role of 1VPNS in Ransomware Operations
According to the Treasury Department, ransomware operators utilized 1VPNS’s infrastructure to conceal their identities, deploy malicious software, and manage stolen data during extortion schemes. The victims of these operations included U.S. businesses, financial institutions, healthcare facilities, and municipal governments. The cumulative impact of these ransomware activities has resulted in billions of dollars in losses across critical sectors.
While VPN technology serves legitimate purposes by encrypting internet traffic and masking users’ IP addresses, 1VPNS allegedly marketed its services directly to cybercriminals. The service promoted a strict no-logs policy and a refusal to cooperate with law enforcement inquiries related to malicious activities originating from its servers. Since 2014, 1VPNS has advertised on multiple criminal forums, positioning itself as a tool for illicit operations.
Sanctions and Legal Actions
In May 2026, an international law enforcement operation disrupted the 1VPNS website and its associated infrastructure. This operation was conducted by European authorities with support from the FBI’s Boston Field Office. Following this, the FBI issued a cybersecurity advisory detailing indicators and tactics associated with 1VPNS, aiming to help organizations identify and prevent ransomware intrusions.
OFAC’s sanctions extend to Yegeniy Vladimirovich Silayev, a Belarusian national who supplied “cryptors” to ransomware operators. Cryptors are tools designed to encrypt or obfuscate malware, making it appear benign and enabling it to evade detection by antivirus software and other security measures. Unlike legitimate encryption software intended to protect data, these cryptors are used to enhance the stealth and effectiveness of malware targeting U.S. and allied entities.
These designations were issued under Executive Order 13694, as amended, and support Executive Order 14390, signed in March 2026. The latter directive empowers federal agencies to counter foreign cybercrime, fraud, extortion, and related threats. As a result of these sanctions, all property and interests belonging to the named individuals and entities within U.S. jurisdiction are blocked. U.S. persons are generally prohibited from conducting transactions involving the sanctioned parties unless authorized by OFAC. These restrictions also apply to entities owned 50% or more by one or more blocked individuals.
This coordinated action was taken in conjunction with the United Kingdom’s Foreign, Commonwealth & Development Office, which also announced sanctions against cybercriminals and their enablers. The Treasury Department emphasized that this move reflects a broader strategy to disrupt the services that ransomware groups rely on, including anonymous hosting, VPN access, malware obfuscation, and the use of stolen data.
By targeting the infrastructure that supports ransomware operations, the U.S. government aims to deter future attacks and hold facilitators accountable. This unprecedented sanction against a VPN service underscores the critical role that such services can play in either enabling or preventing cybercrime. Organizations are encouraged to scrutinize their service providers and ensure they are not inadvertently supporting malicious activities.