Treasury Targets VPN Infrastructure
The US has sanctioned a VPN administrator and a cryptor vendor, escalating a crackdown on the ransomware supply chain.
The infrastructure underpinning global ransomware operations is facing renewed scrutiny as government agencies pivot toward dismantling the services that facilitate malicious activity. By targeting the tools and providers that offer anonymity to cybercriminals, authorities are attempting to degrade the operational efficacy of gangs targeting critical infrastructure.
Sanctioning the Digital Enablers
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued formal sanctions against First VPN Service and its primary administrator, Dmytro Rashevskyi. Operating since 2014, the service became a preferred tool for threat actors aiming to mask the origins of their attacks, deploy payloads, and manage exfiltrated data. This action follows a coordinated May 2026 takedown involving the FBI and European law enforcement, which successfully seized the service's website and server hardware.
Alongside the action against the VPN provider, the Treasury sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national. Silayev is accused of supplying cryptors—specialized software designed to disguise ransomware as benign files to evade detection by security systems. While Silayev operated independently of the VPN, his designation reflects a strategic shift toward crippling the broader cybercriminal supply chain.
The Anatomy of an Operation
Before the May 2026 takedown, Rashevskyi utilized dark web forums to market his network, explicitly promising that the service maintained no logs of user identities or activities. The Treasury noted that he actively resisted law enforcement inquiries and employed aliases, such as Maksim Sorin and Roman Chabanenko, to secure infrastructure from companies that would have otherwise blacklisted him due to abuse reports.
Under President Trump's leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people. We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure.
— Gene Lange, who is performing the duties of the Under Secretary for Terrorism and Financial Intelligence.
Financial and Operational Consequences
- The service has been operational since 2014.
- A coordinated takedown of the VPN occurred in May 2026.
- Sanctions now prohibit all US citizens from engaging in transactions with Dmytro Rashevskyi and Yegeniy Vladimirovich Silayev.
The imposition of these sanctions results in the immediate blocking of all property and interests belonging to the designated individuals within the United States. Beyond the direct financial impact, the move is intended to serve as a massive reputational deterrent. By disrupting the support layer—the providers of anonymity and obfuscation—authorities aim to increase the costs and risks for ransomware syndicates, forcing them to operate in a more hostile environment where their specialized tooling is increasingly compromised.