The United States has sanctioned a virtual private network provider, its administrator, and a malware obfuscation specialist for allegedly supplying services and tools used by ransomware groups targeting American organizations.
The Treasury Department’s Office of Foreign Assets Control designated First VPN Service, also known as 1VPNS, along with its Ukrainian administrator, Dmytro Rashevskyi, and Belarusian national Yegeniy Vladimirovich Silayev.
Treasury described 1VPNS as a VPN provider whose principal customers included ransomware operators and other cybercriminals. Numerous ransomware groups allegedly purchased infrastructure from the service and used it to conceal the origins of attacks, deliver malware, and manage exfiltrated information.
Organizations targeted through infrastructure connected to the service included U.S. businesses, financial services companies, hospitals, and municipal governments. Ransomware groups using services supplied by the designated parties have caused billions of dollars in losses to American businesses and critical infrastructure providers, according to U.S. officials.
First VPN Service had allegedly advertised on online cybercriminal forums since 2014. Its marketing reportedly claimed that the company did not retain logs identifying its customers or their activity and would not cooperate with law enforcement investigations involving illegal conduct originating from its rented servers.
Rashevskyi allegedly used the false identities “Maksim Sorin” and “Roman Chabanenko” to purchase infrastructure from companies that may otherwise have refused to work with him following complaints about illegal activity originating from 1VPNS servers.
The sanctions also target Silayev, who Treasury described as a provider of “cryptors” to ransomware operators attacking U.S. and allied organizations.
Cryptors are designed to encrypt or obfuscate malicious code so malware appears harmless to security software. Unlike legitimate encryption products intended to protect data, these tools are specifically used to make ransomware and other malware more difficult to detect or disable.
The action was coordinated with the United Kingdom’s Foreign, Commonwealth & Development Office, which announced separate sanctions against cybercriminals and other ransomware enablers.
The designations follow a May 2026 law enforcement operation that took down the First VPN Service website and other infrastructure. European authorities carried out the disruption with assistance from the FBI’s Boston Field Office.
Under the sanctions, property and financial interests belonging to the designated individuals and entity that are located in the United States or controlled by U.S. persons must be blocked and reported to OFAC.
Companies owned at least 50 percent by one or more blocked individuals are also subject to the restrictions. Unless specifically authorized, U.S. persons are generally prohibited from conducting transactions involving First VPN Service, Rashevskyi, or Silayev.
The coordinated action reflects a broader shift in ransomware enforcement. Instead of focusing only on affiliates who deploy ransomware, authorities are increasingly targeting the hosting providers, VPN services, money launderers, access brokers, and malware developers that support the wider cybercrime economy.
Disrupting one ransomware group may remove a single operation. Targeting shared infrastructure and specialist service providers can affect numerous criminal groups simultaneously.