Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1880+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. US Treasury Sanctions 1VPNS: The VPN Service Favored by Ransomware Groups
US Treasury Sanctions 1VPNS: The VPN Service Favored by Ransomware Groups
NEWS

US Treasury Sanctions 1VPNS: The VPN Service Favored by Ransomware Groups

The US Treasury's OFAC sanctioned First VPN Service (1VPNS) and its Ukrainian administrator for providing anonymization cover to ransomware groups attacking US critical infrastructure, causing billions in losses. Action is coordinated with the UK and follows a May 2026 European infrastructure takedown.

Dylan H.

News Desk

July 13, 2026
3 min read

The US Department of Treasury's Office of Foreign Assets Control (OFAC) sanctioned First VPN Service (1VPNS) on July 13, 2026 — along with its Ukrainian administrator and a Belarusian malware obfuscation seller — for enabling ransomware attacks on American critical infrastructure. The action, coordinated with the United Kingdom's Foreign, Commonwealth & Development Office (FCDO), represents a significant shift in US strategy: targeting ransomware supply chain enablers rather than operators alone.

Who Was Sanctioned

Three entities were designated:

First VPN Service (1VPNS) — A VPN provider operating since 2014 that explicitly advertised a strict no-logs policy and a refusal to cooperate with law enforcement. This made it the anonymization layer of choice for multiple ransomware groups. 1VPNS's website and supporting infrastructure were taken down by European law enforcement in May 2026 with FBI support.

Dmytro Rashevskyi — The Ukrainian national who administered 1VPNS. He operated under aliases including Maksim Sorin and Roman Chabanenko, using fake identities to purchase hosting infrastructure from providers that would otherwise reject abuse-flagged accounts.

Yegeniy Vladimirovich Silayev — A Belarusian national who sold "cryptors" — tools that disguise ransomware and malware payloads as benign programs to evade antivirus and endpoint detection and response (EDR) solutions.

How 1VPNS Enabled Ransomware Operations

Ransomware operations depend on layers of operational security: attackers need to hide their identity during reconnaissance and exploitation, disguise their malicious tools to bypass defenses, and maintain anonymized command-and-control infrastructure. 1VPNS filled the identity-concealment role.

According to Treasury's press release, 1VPNS provided ransomware groups with tools to "hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to US critical infrastructure providers."

Rashevskyi's use of fake identities to procure infrastructure illustrates how ransomware supply chain actors deliberately insulate themselves from abuse complaints and takedown requests — a gap the sanctions regime is specifically designed to close.

Strategic Significance

By sanctioning a VPN provider and a cryptor seller — rather than just ransomware operators — the US and its allies are attempting to disrupt multiple ransomware gangs simultaneously by cutting off shared tooling and infrastructure. A single sanctioned provider may have served dozens of criminal groups.

The coordinated action with the UK signals an increasing willingness among Western governments to treat ransomware attacks on hospitals, schools, and municipal governments as national security threats warranting the same financial-warfare tools used against state-level adversaries.

Treasury's statement that 1VPNS enabled attacks on "US critical infrastructure providers" also indicates that healthcare ransomware attacks — which have repeatedly disrupted patient care — are now firmly within the sanctions threshold.

Timeline

DateEvent
20141VPNS begins operations, advertising no-logs and no law enforcement cooperation
May 2026European law enforcement, with FBI support, takes down 1VPNS infrastructure
July 13, 2026US OFAC sanctions 1VPNS, Rashevskyi, and Silayev; UK coordinates

What This Means for Defenders

The sanctions designation means US persons and entities are prohibited from doing business with 1VPNS, Rashevskyi, or Silayev. Any organization that inadvertently has commercial relationships with sanctioned entities should review their compliance exposure.

More broadly, this action signals that the US will increasingly pursue the infrastructure layer — VPN providers, bulletproof hosters, cryptor sellers, and initial access brokers — that makes ransomware operations viable. Defenders should expect continued disruption of criminal supply chains as a complement to technical takedown operations.

References

  • US Treasury OFAC Press Release sb0559
  • The Record — 1VPNS Sanctions Coverage
#Ransomware#Sanctions#OFAC#Cybercrime#Malware

Related Articles

The U.S. Sanctions Nobitex Crypto Exchange Used by Ransomware

The U.S. Treasury's OFAC has sanctioned Nobitex, Iran's largest cryptocurrency exchange, for facilitating payments linked to terrorist activities and…

5 min read

'GodDamn' Ransomware Uses BYOVD Technique to Kill Security Software at US Companies

A new ransomware strain dubbed 'GodDamn' is leveraging a Microsoft-signed malicious kernel driver through the Bring Your Own Vulnerable Driver technique...

4 min read

GigaWiper: New Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

Microsoft has dissected GigaWiper, a destructive Windows backdoor that combines three distinct destructive capabilities — full disk wiping, fake...

4 min read
Back to all News