U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses

Pierluigi Paganini July 14, 2026

U.S. sanctions hit VPN provider 1VPNS and a cryptor seller for enabling ransomware gangs behind billions in losses to critical infrastructure.

The U.S. Treasury’s Office of Foreign Assets Control sanctioned two individuals and one entity on July 13 for supplying tools and infrastructure to ransomware groups that have caused billions of dollars in losses to American businesses and critical infrastructure.

“Today, the Office of Foreign Assets Control (OFAC) is designating two individuals and one entity enabling ransomware actors’ and other cybercriminals’ malign activities, notably ransomware attacks against Americans.  These include First VPN Service (1VPNS), a virtual private network (VPN) provider selling services to ransomware groups, and its administrator, Dmytro Rashevskyi (Rashevskyi).  OFAC is also designating Yegeniy Vladimirovich Silayev (Silayev), an individual who sells “cryptors,” which are tools used to disguise ransomware and other malware as safe programs to prevent security systems from detecting or deactivating them.” reads the announcement published by the U.S. Treasury’s Office of Foreign Assets Control.”Ransomware groups utilizing these individuals’ services have caused billions of dollars in losses to U.S. businesses and critical infrastructure providers.”

The action was coordinated with the UK’s Foreign, Commonwealth & Development Office, which sanctioned additional cybercriminals the same day.

“1VPNS is a VPN provider whose principal clients include ransomware actors and other cybercriminals. VPNs, which allow users to encrypt their internet traffic and hide their computers’ true location, have legitimate uses for privacy and security, but can support malicious activity if misused.” continues the announcement. “Numerous ransomware groups have purchased infrastructure from 1VPNS, which they have leveraged in attacks on U.S. companies and institutions—including to hide the origins of their attacks, deploy malware, and manage exfiltrated data.”

Victims included hospitals, financial services firms, and municipal governments. Since 2014, the service advertised openly on cybercriminal forums that it kept no logs and refused to cooperate with law enforcement — the kind of guarantee that attracts exactly the clientele you’d expect.

“Rashevskyi has used false identities, including “Maksim Sorin” and “Roman Chabanenko,” to buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers.” states the OFAC.

The sanctions follow a May 2026 takedown of 1VPNS’s website and servers by European law enforcement, with support from the FBI’s Boston Field Office, as part of Operation Saffron led by French and Dutch authorities. The investigation had started in December 2021, with law enforcement infiltrating 1VPNS infrastructure and collecting its user database before dismantling it — 33 servers across 27 countries, and thousands of users exposed.

The second designation targets Yegeniy Vladimirovich Silayev, a Belarusian national who sells cryptors: tools that disguise malware as harmless files to get past security software.

“Unlike legitimate encryption tools, which are designed to protect data and the privacy of the people that own it, cryptors are built specifically to make malware stealthier and more effective by disguising it as harmless files.” continues the announcement.

Silayev supplied these obfuscation services to ransomware operators targeting U.S. and allied organizations. Treasury estimates the combined operations involving 1VPNS and Silayev’s cryptors have caused billions in losses.

The State Department framed the action explicitly as targeting the supply chain behind ransomware, not just the operators themselves.

“These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers.” reads the press release published by the U.S. State Department.

“This action reflects the United States’ commitment to working with allies and partners to disrupt the global cybercrime ecosystem. Today’s designations are coordinated with the United Kingdom’s Foreign, Commonwealth & Development Office, and follow a May 2026 European law enforcement takedown of 1VPNS’s infrastructure, supported by the FBI.”

The designations freeze any U.S.-jurisdiction assets of the named individuals and entities, and bar U.S. persons and businesses from any transactions involving them. The action sits under Trump’s Executive Order 14390 of March 6, 2026, directing agencies to harden U.S. financial and digital systems against foreign cybercrime.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VPN Provider)



you might also like

leave a comment