
The US Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned First VPN Service, also known as 1VPNS, marking the first time the US government has targeted a virtual private network provider for its role in facilitating ransomware attacks.
The sanctions prohibit all US-person transactions with the service and require financial institutions to report any property of the sanctioned entities within US jurisdiction. Two individuals were named: Dmytro Rashevskyi, the administrator of First VPN based in Dnipro, Ukraine, and Yegeniy Vladimirovich Silayev, a Belarusian national who supplied “cryptors”, encryption and obfuscation tools that disguise ransomware to bypass security systems.
First VPN was dismantled by Europol in May 2026 following an investigation that began in 2021. The VPN service was “well publicized on Russian-language cybercrime forums as a service offering anonymous payments, hidden infrastructure and services designed specifically for criminal use,” Europol said in a statement at the time.
The service appeared in almost every major cybercrime investigation Europol supported in recent years. Internet service providers had repeatedly flagged illegal activity originating from First VPN servers, which were used to attack US businesses, financial institutions, hospitals, and municipal governments. Rashevskyi used fake identities to purchase infrastructure from companies that would not otherwise have sold to him.
Silayev’s cryptor services played a complementary role in the ransomware supply chain. Cryptors make malware appear as harmless files, allowing it to bypass antivirus and endpoint detection systems. His designation alongside the VPN operator signals that US authorities are targeting the entire ransomware ecosystem rather than individual attackers.
Ransomware attacks cost an estimated US$74 billion (approximately £57 billion) globally in 2026, according to Cybersecurity Ventures. The US Treasury said the sanctions are designed “not to punish, but to bring about a positive change in behavior,” though critics note that sanctions against infrastructure providers have limited effect when operators can relocate servers and register new domains within hours.
The action follows a pattern of increasing US and European cooperation against cybercrime infrastructure. Earlier this year, the FBI and Google disrupted the NetNut proxy botnet, which had hijacked 2 million smart devices. The First VPN sanctions extend that pressure to the VPN layer that many cybercriminal operations rely on for operational security.
Sources: CNET; Europol press release on First VPN dismantlement

