The US Department of Treasury's Office of Foreign Assets Control (OFAC) sanctioned First VPN Service (1VPNS) on July 13, 2026 — along with its Ukrainian administrator and a Belarusian malware obfuscation seller — for enabling ransomware attacks on American critical infrastructure. The action, coordinated with the United Kingdom's Foreign, Commonwealth & Development Office (FCDO), represents a significant shift in US strategy: targeting ransomware supply chain enablers rather than operators alone.
Who Was Sanctioned
Three entities were designated:
First VPN Service (1VPNS) — A VPN provider operating since 2014 that explicitly advertised a strict no-logs policy and a refusal to cooperate with law enforcement. This made it the anonymization layer of choice for multiple ransomware groups. 1VPNS's website and supporting infrastructure were taken down by European law enforcement in May 2026 with FBI support.
Dmytro Rashevskyi — The Ukrainian national who administered 1VPNS. He operated under aliases including Maksim Sorin and Roman Chabanenko, using fake identities to purchase hosting infrastructure from providers that would otherwise reject abuse-flagged accounts.
Yegeniy Vladimirovich Silayev — A Belarusian national who sold "cryptors" — tools that disguise ransomware and malware payloads as benign programs to evade antivirus and endpoint detection and response (EDR) solutions.
How 1VPNS Enabled Ransomware Operations
Ransomware operations depend on layers of operational security: attackers need to hide their identity during reconnaissance and exploitation, disguise their malicious tools to bypass defenses, and maintain anonymized command-and-control infrastructure. 1VPNS filled the identity-concealment role.
According to Treasury's press release, 1VPNS provided ransomware groups with tools to "hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to US critical infrastructure providers."
Rashevskyi's use of fake identities to procure infrastructure illustrates how ransomware supply chain actors deliberately insulate themselves from abuse complaints and takedown requests — a gap the sanctions regime is specifically designed to close.
Strategic Significance
By sanctioning a VPN provider and a cryptor seller — rather than just ransomware operators — the US and its allies are attempting to disrupt multiple ransomware gangs simultaneously by cutting off shared tooling and infrastructure. A single sanctioned provider may have served dozens of criminal groups.
The coordinated action with the UK signals an increasing willingness among Western governments to treat ransomware attacks on hospitals, schools, and municipal governments as national security threats warranting the same financial-warfare tools used against state-level adversaries.
Treasury's statement that 1VPNS enabled attacks on "US critical infrastructure providers" also indicates that healthcare ransomware attacks — which have repeatedly disrupted patient care — are now firmly within the sanctions threshold.
Timeline
| Date | Event |
|---|---|
| 2014 | 1VPNS begins operations, advertising no-logs and no law enforcement cooperation |
| May 2026 | European law enforcement, with FBI support, takes down 1VPNS infrastructure |
| July 13, 2026 | US OFAC sanctions 1VPNS, Rashevskyi, and Silayev; UK coordinates |
What This Means for Defenders
The sanctions designation means US persons and entities are prohibited from doing business with 1VPNS, Rashevskyi, or Silayev. Any organization that inadvertently has commercial relationships with sanctioned entities should review their compliance exposure.
More broadly, this action signals that the US will increasingly pursue the infrastructure layer — VPN providers, bulletproof hosters, cryptor sellers, and initial access brokers — that makes ransomware operations viable. Defenders should expect continued disruption of criminal supply chains as a complement to technical takedown operations.