US sanctions a VPN, a malware disguiser, and the people behind them for helping ransomware gangs

Treasury targets 1VPNS and a Belarusian 'crypter' seller who together helped ransomware crews hit hospitals, banks and local governments.

ThreatVectr Newsdesk· 4 min read
Full-frame photoreal editorial image of a dimly lit server room with rows of dark server racks, one rack visibly powered down with cables hanging loose, cool bl
Share

Key points

  • The U.S. Treasury's Office of Foreign Assets Control sanctioned the VPN provider 1VPNS, its administrator Dmytro Rashevskyi, and Belarusian national Yegeniy Vladimirovich Silayev on Monday.
  • 1VPNS operated since 2014 and advertised on criminal forums that it kept no logs and would not help police.
  • European police seized 33 servers across 27 countries in May 2025 during Operation Saffron, arresting the administrator.
  • Officials estimate ransomware attacks using 1VPNS and Silayev's tools caused billions of dollars in losses to U.S. businesses and critical services.
  • The action was coordinated with the United Kingdom, alongside separate EU and UK sanctions on Russian hacking networks.

The U.S. Treasury has gone after the plumbing of the ransomware business, not just the gangs themselves.

On Monday, Treasury's Office of Foreign Assets Control (OFAC), the office that enforces U.S. financial sanctions, named two people and one company as off-limits for any American to do business with. The target: the quiet suppliers who make ransomware attacks possible.

First on the list is 1VPNS, short for First VPN Service. A VPN, or virtual private network, is a tool that hides where internet traffic is really coming from. Ordinary people use them for privacy. Criminals use them to cover their tracks.

1VPNS, according to Treasury, was firmly in the second camp.

Since 2014, the service had been advertised on cybercrime forums with a simple pitch: no logs, no records of who used it, and no cooperation with police. That is exactly what a ransomware crew wants when it is breaking into a hospital network.

OFAC also sanctioned the man it says ran the service, Dmytro Rashevskyi. Investigators say he used fake names like "Maksim Sorin" and "Roman Chabanenko" to rent servers from hosting companies that would have turned him away if they had known who he really was.

The sanctions follow a takedown in May led by French and Dutch police, with help from the FBI's Boston office. The joint effort, called Operation Saffron, was first reported by BleepingComputer and had been building since December 2021. Officers quietly got inside 1VPNS's own systems, copied its user database, then pulled the plug.

By the end, they had seized 33 servers across 27 countries and arrested the administrator. Europol later said 1VPNS had shown up in almost every major cybercrime case it worked on.

Victims of ransomware attacks that ran through 1VPNS included American hospitals, banks, small businesses and local governments. Ransomware is malicious software that locks up a victim's files and demands a payment to unlock them.

The second person sanctioned this week is Yegeniy Vladimirovich Silayev, a Belarusian national. He sold what the industry calls "crypters": small programs that disguise ransomware so antivirus software does not recognise it as dangerous. Think of it as a costume for malware.

Treasury estimates that attacks relying on 1VPNS and Silayev's crypters have cost U.S. victims billions of dollars.

"These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection," State Department spokesperson Thomas Pigott said in the announcement.

The practical effect of the sanctions is blunt. Any property the named people or company hold inside U.S. jurisdiction is frozen. Americans, and American companies, are barred from doing business with them. That includes hosting providers, payment processors and cryptocurrency exchanges that touch the U.S. financial system.

OFAC coordinated the move with the United Kingdom's Foreign, Commonwealth and Development Office. On the same day, the European Union and the UK jointly sanctioned dozens more Russian individuals and organisations they accuse of running hacking campaigns across Europe.

What does this mean for ordinary people?

Probably nothing you will feel tomorrow, but it matters. Sanctions like these do not arrest anyone new. They cut off the money and infrastructure that let ransomware crews operate at scale.

When a hospital cannot book appointments or a city cannot process payments for a week, there is a good chance a service like 1VPNS was somewhere in the chain. Squeezing those suppliers is slower than a dramatic arrest, but it makes the whole business more expensive to run.

For businesses, the message is simpler. The gangs are still out there. The people who sold them their cloaking devices just got a lot less useful.

© 2026 Threat Vectr