Skip to content
Threat Feed
high advisory

US Sanctions First VPN Service and Administrator for Aiding Ransomware Groups

The U.S. Treasury Department sanctioned First VPN Service (1VPNS) and its administrator, Dmytro Rashevskyi, for facilitating ransomware attacks by providing anonymity and evasion capabilities to cybercriminals, and also sanctioned Yegeniy Vladimirovich Silayev for selling 'cryptors' that make malware harder to detect, impacting critical infrastructure.

What's new

The U.S. Treasury Department sanctioned First VPN Service (1VPNS) and its Ukrainian administrator, Dmytro Rashevskyi, on July 13, 2026, for providing crucial infrastructure that enabled ransomware groups to conduct attacks against American municipalities, hospitals, schools, and businesses. 1VPNS offered services designed to obscure attackers' identities, camouflage malicious software, and bypass detection, contributing to billions of dollars in losses for U.S. critical infrastructure. Rashevskyi reportedly used fake identities to secure server infrastructure, bypassing abuse complaints. Separately, Belarusian national Yegeniy Vladimirovich Silayev was also sanctioned for developing and selling "cryptors," tools that obfuscate malware to evade security defenses. This action follows a May takedown of First VPN by European law enforcement and the FBI, underscoring efforts to disrupt the cybercrime ecosystem by targeting enablers rather than just direct attackers. First VPN has operated since 2014, marketing itself on cybercrime forums for its anonymity features, including a no-logs policy and non-cooperation with law enforcement.

Impact

The services provided by First VPN Service (1VPNS) and cryptor developer Yegeniy Vladimirovich Silayev significantly amplified the capabilities of ransomware groups, leading to substantial financial and operational damage. These enabling services contributed to ransomware attacks resulting in billions of dollars in losses for critical infrastructure providers across the U.S., including municipalities, hospitals, schools, and businesses. The sanctions aim to disrupt the financial and operational viability of such facilitators, thereby diminishing the overall effectiveness and reach of ransomware campaigns by making it harder for threat actors to hide their identities, evade detection, and secure necessary infrastructure. This action reduces the anonymity and resilience of cybercriminal operations.

Recommendation

  • Monitor network_connection logs for connections to unknown or suspicious VPN services that may be utilized by threat actors.
  • Analyze process_creation and file_event logs for the execution of unusual or obfuscated binaries, indicative of malware utilizing cryptors to evade detection.
  • Implement robust network segmentation and egress filtering to limit the impact of potential ransomware infections and prevent outbound connections to suspicious VPN endpoints.
  • Deploy advanced endpoint detection and response (EDR) solutions with strong obfuscation detection capabilities to identify and block malware utilizing cryptors.
  • Enforce strict application whitelisting policies to prevent the execution of unauthorized or crypted binaries.

Indicators of compromise

1

alias

1

company_name

TypeValue
company_nameFirst VPN Service
alias1VPNS