Tag Archives: VPN provider

USA Sanctioning Ransomware Enablers in Coordinated International Action

The United States recently sanctioned one entity and two individuals — First VPN Service (1VPNS), its administrator Dmytro Rashevskyi, and Yegeniy Vladimirovich Silayev — for providing critical support to ransomware groups that have targeted North American hospitals, schools, businesses, and local governments.

These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers.

This action reflects the United States’ commitment to working with allies and partners to disrupt the global cybercrime ecosystem. Today’s designations are coordinated with the United Kingdom’s Foreign, Commonwealth & Development Office, and follow a May 2026 European law enforcement takedown of 1VPNS’s infrastructure, supported by the FBI.

By targeting not just ransomware operators but the service providers and tool suppliers who make their attacks possible, the United States and its partners are dismantling the broader networks that sustain cybercriminal activity worldwide.

The United States will continue to use every diplomatic and economic tool available to disrupt foreign cybercriminals and their enablers and hold them accountable. Ransomware is not only a law enforcement challenge — it is a foreign policy threat that undermines the security and economic stability of the United States and its allies.

This action is being taken pursuant to the authorities under Executive Order (E.O.) 13694, as further amended by E.O. 13694, as amended by E.O. 13757, E.O. 14144, and E.O. 14306 (E.O. 13694, as amended).

Click here to report cyber-enabled crime to the FBI.

1VPNS: VPN SERVICE ENABLING RANSOMWARE OPERATIONS

1VPNS is a VPN provider whose principal clients include ransomware actors and other cybercriminals.  VPNs, which allow users to encrypt their internet traffic and hide their computers’ true location, have legitimate uses for privacy and security, but can support malicious activity if misused.  Numerous ransomware groups have purchased infrastructure from 1VPNS, which they have leveraged in attacks on U.S. companies and institutions—including to hide the origins of their attacks, deploy malware, and manage exfiltrated data. Victims of ransomware attacks that involved the use of 1VPNS infrastructure have included U.S. businesses, financial services companies, hospitals, and municipal governments.

1VPNS and its administrator, Rashevskyi, have provided this technological support to illicit actors. Since 2014, 1VPNS has advertised its services on multiple online cybercriminal forums, stating that it does not keep logs of users’ identities or activities, and that it refuses to cooperate with law enforcement investigations into illegal activity originating from the servers it rents to customers.  Rashevskyi has used false identities, including “Maksim Sorin” and “Roman Chabanenko,” to buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers.

OFAC is designating 1VPNS and Rashevskyi pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, cyber-enabled activities originating from, or directed by persons located, in whole or substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve engaging in a ransomware attack, such as extortion through malicious use of code, encryption, or other activity to affect the confidentiality, integrity, or availability of data or a computer or network of computers, against a United States person, the United States, a United States ally or partner, or a citizen, national, or entity organized under the laws thereof.

OTHER ENABLERS OF THE CYBERCRIME ECOSYSTEM

In addition to 1VPNS and Rashevskyi, OFAC is designating Silayev, a Belarusian national and a cryptor provider who has supplied encryption and obfuscation services to ransomware operators targeting U.S. and allied entities.  Unlike legitimate encryption tools, which are designed to protect data and the privacy of the people that own it, cryptors are built specifically to make malware stealthier and more effective by disguising it as harmless files. 

OFAC is designating Silayev pursuant to E.O. 13694, as amended, for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, cyber-enabled activities originating from, or directed by persons located, in whole or substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve engaging in a ransomware attack, such as extortion through malicious use of code, encryption, or other activity to affect the confidentiality, integrity, or availability of data or a computer or network of computers, against a United States person, the United States, a United States ally or partner, or a citizen, national, or entity organized under the laws thereof.

SANCTIONS IMPLICATIONS

As a result of this action, all property and interests in property of the designated or blocked persons described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.  In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked.  Unless authorized by OFAC, or exempt, OFAC’s regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of blocked persons. 

Violations of U.S. sanctions may result in the imposition of civil or criminal penalties on U.S. and foreign persons.  OFAC may impose civil penalties for sanctions violations on a strict liability basis.  OFAC’s Economic Sanctions Enforcement Guidelines provide more information regarding OFAC’s enforcement of U.S. economic sanctions.  In addition, financial institutions and other persons may risk exposure to sanctions for engaging in certain transactions or activities involving designated or otherwise blocked persons.  The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated or blocked person, or the receipt of any contribution or provision of funds, goods, or services from any such person.  Non-U.S. persons are also prohibited from causing or conspiring to cause U.S. persons to wittingly or unwittingly violate U.S. sanctions, as well as engaging in conduct that evades U.S. sanctions.  Individuals located in the United States or abroad who provide information about sanctions violations to Treasury’s Financial Crimes Enforcement Network’s whistleblower incentive program may be eligible for awards if the information they provide leads to a successful enforcement action that results in monetary penalties exceeding $1,000,000 usd.

The power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to the SDN List, but also from its willingness to remove persons from the SDN List consistent with the law.  The ultimate goal of sanctions is not to punish, but to bring about a positive change in behavior.