The U.S. Treasury sanctioned First VPN Service (1VPNS), its alleged Ukrainian administrator Dmytro Rashevskyi, and Belarusian cryptor seller Yevgeniy Vladimirovich Silayev for allegedly supporting ransomware and other cybercriminal activity. Officials said 1VPNS provided anonymizing infrastructure that helped threat actors hide their identities, disguise malware, and evade detection during attacks on U.S. municipalities, hospitals, schools, businesses, and critical infrastructure providers. Treasury alleged Rashevskyi used false identities to obtain infrastructure for the service, while Silayev sold malware-obfuscation tools that made malicious code harder for defenders to detect.
The sanctions, issued under Executive Order 14390 and E.O. 13694 as amended, block U.S. persons from transacting with the designated parties and mark a broader move against ransomware enablers rather than only the gangs themselves. The action was coordinated with the United Kingdom and followed a May law enforcement takedown of 1VPNS infrastructure by European agencies with FBI support. Separate reporting said blockchain tracing tied payments from ransomware groups including Anubis, Qilin, and Sinobi Group to FirstVPN, adding financial evidence that the service was used as operational infrastructure by ransomware actors.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Following an FBI advisory describing FSB Center 16 exploitation of vulnerable and misconfigured networking devices, CISA added Cisco flaw CVE-2008-4128 to its Known Exploited Vulnerabilities catalog. The reference says U.S. federal agencies were ordered to remediate the flaw by July 16, 2026.
On 2026-07-13, the U.S. Treasury's Office of Foreign Assets Control sanctioned First VPN Service, its Ukrainian administrator Dmytro Rashevskyi, and Belarusian cryptor seller Yevgeniy Vladimirovich Silayev for allegedly enabling ransomware and other cybercriminal activity. The action, coordinated with the United Kingdom's FCDO, barred U.S. persons from transacting with the designated parties.
In May 2026, European law enforcement agencies, supported by the FBI Boston Field Office, took down infrastructure associated with First VPN Service (1VPNS). Later reporting described the sanctions as following this law enforcement action.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
10 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcethehackernews.com
Open sourcebleepingcomputer.com
Open sourcemalware.news
Open sourcetrmlabs.com
Open sourcehome.treasury.gov
Open sourcedarkwebinformer.com
Open sourcetherecord.media
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.