The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and one entity for enabling ransomware attacks against U.S. organizations.
On Monday, OFAC designated First VPN Service (1VPNS), a virtual private network provider that sold services to ransomware groups, and its administrator, Dmytro Rashevskyi.
Since it surfaced in 2014, 1VPNS has advertised on cybercriminal forums that it keeps no logs of user activity or identities and would not cooperate with law enforcement. Rashevskyi allegedly used false identities (e.g., "Maksim Sorin" and "Roman Chabanenko") to acquire infrastructure from companies that would otherwise have refused service due to complaints of abuse.
The sanctions come after European law enforcement took down 1VPNS's website and infrastructure in May with support from the FBI's Boston Field Office, as part of a joint action dubbed "Operation Saffron" led by French and Dutch authorities.
The 1VPNS investigation began in December 2021, with law enforcement officers infiltrating the VPN's infrastructure and collecting its user database before it was dismantled.
Throughout the joint operation, the authorities seized 33 servers linked to 1VPNs across 27 countries, arrested its administrator, and exposed thousands of users associated with ransomware, fraud, and other malicious activity worldwide.
At the time, Europol also said that the VPN service's name had surfaced in nearly every major cybercrime investigation it supported.
Victims of ransomware attacks involving 1VPNS' infrastructure included U.S. businesses, hospitals, financial services firms, and municipal governments.
This week, the Treasury Department also sanctioned Belarusian national Yegeniy Vladimirovich Silayev, who sells cryptors (also known as crypters), which are tools that help ransomware and other malware evade detection by security software.
Officials estimate that ransomware operations using 1VPNS and Silayev cryptors have caused billions of dollars in losses to businesses and critical infrastructure providers across the United States.
"These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers," said State Department spokesperson Thomas Pigott.
"By targeting not just ransomware operators but the service providers and tool suppliers who make their attacks possible, the United States and its partners are dismantling the broader networks that sustain cybercriminal activity worldwide."
OFAC said the action was coordinated with the United Kingdom's Foreign, Commonwealth & Development Office. Under these sanctions, all property of the designated individuals and entities within U.S. jurisdiction is blocked, while U.S. persons and businesses are barred from transactions involving them.
On Monday, the European Union and the United Kingdom also jointly sanctioned dozens of Russian individuals and entities, accusing Russia of coordinating a network of hacking groups linked to cyberattacks across Europe.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now
Facts Only
* OFAC sanctioned First VPN Service (1VPNS), Dmytro Rashevskyi, and Yegeniy Vladimirovich Silayev.
* 1VPNS is a virtual private network provider that sold services to ransomware groups.
* 1VPNS advertised that it keeps no logs of user activity or identities and would not cooperate with law enforcement since 2014.
* Rashevskyi allegedly used false identities to acquire infrastructure from companies refusing service due to abuse complaints.
* European law enforcement, with FBI support in "Operation Saffron," took down 1VPNS's website and infrastructure in May.
* Law enforcement infiltrated 1VPNS's infrastructure starting in December 2021 to collect user data.
* Authorities seized 33 servers linked to 1VPNS across 27 countries during the joint operation.
* Yegeniy Vladimirovich Silayev was sanctioned for selling cryptors used by ransomware and malware to evade detection.
* Ransomware operations using 1VPNS and cryptors are estimated to have caused billions of dollars in losses to U.S. critical infrastructure providers.
Executive Summary
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and one entity for facilitating ransomware attacks against U.S. organizations. The sanctions were applied to First VPN Service (1VPNS), a virtual private network provider that supplied services to ransomware groups, and its administrator, Dmytro Rashevskyi. 1VPNS had been known since 2014 to operate without user logs and refuse cooperation with law enforcement. Rashevskyi allegedly used false identities to acquire infrastructure from companies that would otherwise have refused service due to abuse complaints.
This action followed a joint operation by European law enforcement, including the FBI's Boston Field Office, which took down 1VPNS's website and infrastructure in May under "Operation Saffron." Investigations into 1VPNS began in December 2021, during which law enforcement collected user data before dismantling the VPN. During this operation, 33 servers linked to 1VPNS were seized across 27 countries, and the administrator was arrested, exposing thousands of users involved in ransomware and fraud globally. Additionally, Belarusian national Yegeniy Vladimirovich Silayev was sanctioned for selling cryptors used by ransomware groups to evade detection. Officials estimate that these activities caused billions of dollars in losses to U.S. critical infrastructure providers by supplying tools for hiding identities and malware evasion.
Full Take
The narrative demonstrates a systemic challenge where the infrastructure of cybercrime is deliberately obscured through layers of obfuscation—false identities, non-logging, and specialized tools. The coordination between domestic U.S. bodies (OFAC) and international partners (EU, UK, FBI) highlights that digital criminal networks operate beyond national borders, necessitating joint action to dismantle them. The shift from sanctioning individual operators to targeting the supply chain—the service providers and tool suppliers—represents a strategic pivot in counter-cybercrime efforts: moving from punitive measures against endpoints to disrupting the foundational enabling mechanisms.
This dynamic suggests that control over the tools and infrastructure necessary for malicious activity is as critical as controlling the actors themselves. The pattern involves utilizing anonymity (false identities) and technical evasion (cryptors, non-logging VPNs) to create a persistent environment outside traditional accountability structures. The implication is that security and law enforcement must focus on disrupting the technological means of operation rather than just prosecuting the immediate threats. This necessitates understanding how these obfuscation techniques are integrated into broader criminal economies to effectively dismantle global cybercriminal networks.
What assumptions underpin the efficacy of cross-jurisdictional action in this space? How does the continuous evolution of evasion techniques, exemplified by the sanctioned tools and services, challenge static regulatory approaches? What are the long-term consequences when disruption targets enabling technology rather than just transactional crimes?
