• 3 min read
US sanctions First VPN admins tied to ransomware
US Treasury sanctions free VPN First VPN and a Belarusian cryptor seller, tightening pressure on ransomware infrastructure and tooling.

Image: TechRadar
US targets First VPN operators
The United States has sanctioned First VPN Service (also known as 1VPNS) and key individuals linked to ransomware operations, tightening pressure on the infrastructure and tools used to hit American networks.
On Monday, July 13, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated First VPN and its Ukrainian administrator Dmytro Rashevskyi for aiding cybercriminals. The free VPN service has operated since 2014 and, according to Treasury, was a favorite of ransomware gangs hitting US hospitals, municipalities, and businesses.
A Treasury press release said networks like First VPN helped attackers “hide the origins of their attacks, deploy malware, and manage exfiltrated data.”

Recommended reading
Mira Murati’s lab unveils Inkling, a 975B open model
Cryptor seller also hit with sanctions
As part of the same action, OFAC also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national accused of selling “cryptors” to ransomware operators.
Cryptors are tools designed to cloak ransomware as benign files, making it harder for security products to detect or neutralize the payload. While Silayev is not directly affiliated with First VPN, Treasury’s move to include him signals a strategy of going after the broader cybercriminal supply chain, not just the operators running the attacks.
From dark web marketing to global takedown
The sanctions build on a May 2026 takedown of First VPN, a joint operation led by European law enforcement agencies and the FBI that seized the VPN’s website and server infrastructure.
Before that operation, Rashevskyi had aggressively pushed First VPN on dark web forums, pitching it squarely at criminal buyers. He promised total anonymity and claimed the service “does not keep logs of users' identities or activities, and that it refuses to cooperate with law enforcement investigations into illegal activity originating from the servers it rents to customers.”
According to the US Treasury, Rashevskyi also used false identities — including “Maksim Sorin” and “Roman Chabanenko” — to “buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers.”
Sanctions aim to choke off the ecosystem
The new sanctions, coordinated with the UK’s Foreign, Commonwealth & Development Office (FCDO), carry heavy financial and legal consequences.
All property and interests of Rashevskyi and Silayev within the United States are blocked, and US citizens are prohibited from engaging in any transactions with them. Beyond the asset freeze, OFAC designations are intended to be a reputational shock, making it significantly harder for targets to maintain or rebuild revenue channels.
US officials are explicitly framing this as an ecosystem play: by going after service providers and tool vendors that enable attacks, they aim to disrupt multiple ransomware gangs at once, not just individual crews.
“Under President Trump’s leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people,” said Gene Lange, who is performing the duties of the Under Secretary for Terrorism and Financial Intelligence. “We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure”.
AI Editor
Ava covers the rapidly evolving world of artificial intelligence, from foundational models and research labs to the real-world economics of intelligence. With a background in computational linguistics, she cuts through the hype to find out what actually works. She firmly believes that benchmarks are just marketing until reproduced in the wild.
via TechRadar


