U.S. sanctions a VPN service for the first time over ransomware links
OFAC is reshaping its cybercrime strategy by targeting VPN providers and malware obfuscation services instead of focusing solely on ransomware gangs. GetBlock AML Research examines how blockchain analysis connected major ransomware operators to the infrastructure supporting their attacks—and why this marks an important shift for compliance teams.
15.07.2026
34
9 min
0
U.S. authorities are changing their approach to fighting cybercrime by targeting the infrastructure that enables attacks rather than focusing exclusively on the attackers themselves. GetBlock AML Research examines the first-ever U.S. sanctions against a VPN service.
Key Takeaways
- On July 13, 2026, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned three entities that allegedly facilitated ransomware attacks targeting the United States. The designations include FirstVPN Service (1VPNS), a VPN provider accused of supplying anonymous infrastructure for cybercriminals, its administrator Dmitry Rashevsky, and Belarusian national Yevgeniy Vladimirovich Silaev, who allegedly distributed cryptors—tools designed to obfuscate malware and help it evade security software.
- Unlike previous actions aimed directly at ransomware groups, these sanctions target the infrastructure that makes such attacks possible. VPN services and cryptors allow threat actors to conceal their identity and bypass cybersecurity defenses, and OFAC now treats providers of these services as sanctions targets in their own right.
- Blockchain analysis shows that cryptocurrency wallets associated with FirstVPN had already been identified, with ransomware operators paying directly for the service. The Anubis ransomware group, for example, sent a total of $715 to FirstVPN in December 2025 and March 2026. While the payments were relatively small, they provide direct on-chain evidence that ransomware operators relied on the service as part of their operational infrastructure.
- The U.S. action was coordinated with the UK Foreign, Commonwealth & Development Office (FCDO), which announced its own sanctions against cybercriminals and their facilitators on the same day. The designations also follow a May 2026 joint European law enforcement operation, supported by the FBI's Boston Field Office, that dismantled FirstVPN's website and infrastructure.
- Compliance teams should immediately incorporate the newly sanctioned cryptocurrency addresses into their sanctions screening programs. Monitoring should extend beyond ransomware wallets themselves to include the infrastructure providers—such as VPN services and anonymity tools—that receive crypto payments across multiple blockchain networks.
Infrastructure Supporting Cybercrime
On July 13, 2026, OFAC sanctioned two individuals and one entity for allegedly providing technical support to ransomware operators and other cybercriminals.
The sanctions target FirstVPN Service (FirstVPN, 1VPNS), a VPN provider whose primary customers allegedly included ransomware groups, its administrator Dmitry Rashevsky, and Yevgeniy Vladimirovich Silaev, who allegedly supplied malware obfuscation services using specialized tools known as cryptors.
According to OFAC, cybercriminal groups using these services caused billions of dollars in damage to U.S. businesses and critical infrastructure.
Unlike most previous cyber-related sanctions, these measures do not target the ransomware operators themselves. Instead, they focus on the infrastructure providers that enabled the attacks: a VPN platform offering anonymity and a service that helped malware evade detection by cybersecurity tools.
The sanctions were imposed under Executive Order 14390, signed in March 2026 to strengthen the protection of U.S. financial and digital infrastructure from foreign cyber threats, as well as Executive Order 13694, as amended, which remains the primary legal authority for U.S. cyber-related sanctions.
OFAC Targets the Infrastructure Behind Ransomware
OFAC designated FirstVPN and Dmitry Rashevsky for providing material and technological support to malicious cyber activities, including ransomware attacks targeting U.S. persons and critical infrastructure.
Yevgeniy Silaev was sanctioned on similar grounds for supplying malware encryption and obfuscation services to ransomware operators targeting organizations in the United States and allied countries.
The sanctions were coordinated with the UK Foreign, Commonwealth & Development Office (FCDO), which simultaneously designated additional cybercriminals and individuals who supported their activities.
The action also comes two months after a joint European law enforcement operation that dismantled FirstVPN's website and technical infrastructure in May 2026. The operation was supported by the FBI Boston Field Office.
Following the takedown, the FBI issued a public advisory detailing FirstVPN's tactics, techniques, and procedures to help organizations detect and prevent ransomware attacks more effectively.
A Closer Look at OFAC’s New Targets
U.S. authorities have identified an extensive infrastructure network that allegedly supported ransomware operators and other cybercriminals. Here's a closer look at the entities and individuals now under sanctions.
FirstVPN Service (FirstVPN, 1VPNS)
According to OFAC, FirstVPN was a VPN provider whose primary customer base consisted of ransomware operators and other cybercriminals.
VPN services themselves are widely used for legitimate purposes, including protecting privacy, securing internet connections, and safeguarding user data. However, U.S. authorities allege that FirstVPN was built specifically to serve the cybercrime ecosystem.
Since 2014, the service had been actively promoted on underground cybercrime forums, including Exploit and XSS. One of its main selling points was its strict no-logs policy, meaning it kept no user activity records that could identify customers or reconstruct their actions. The operators also openly claimed they would not cooperate with law enforcement investigations involving servers rented through the platform.
Beyond its VPN offering, FirstVPN also operated a Jabber messaging service. OFAC says numerous ransomware groups relied on the platform to conceal the origin of cyberattacks, distribute malware, and manage stolen victim data.
Victims of attacks involving FirstVPN infrastructure reportedly included U.S. businesses, financial institutions, healthcare organizations, and local government agencies.
According to OFAC, FirstVPN administrator Dmitry Rashevsky used fake identities — "Maksim Sorin" and "Roman Chabanenko" — to lease server infrastructure from hosting providers that otherwise might have refused to work with the service because of repeated abuse complaints.
As part of the sanctions, OFAC also designated five cryptocurrency wallet addresses across the Bitcoin, Ethereum, Litecoin, and Tron networks. Blockchain analysis indicates these wallets are likely connected to the high-risk cryptocurrency exchange Cryptomus.
| FirstVPN-designated wallet addresses |
| bc1qdnr88f4d2yqunnc4mjsguezm6g3mlwe44z5dw8 |
| bc1qr4ankqmvmrhce3ydvzse86dfx5s3zhehfr9tg9 |
| 0x2711d73d559f62f4f855ee21f38378f528e07985 |
| ltc1qr8ntsedq8tv0svmxqhzvdcdl5k7kntdmnhwep7 |
| TUuaxBAWfA5nmsqNfycxYrzEvz4a5GJMGY |
Dmitry Rashevsky
Dmitry Rashevsky, identified as the administrator of FirstVPN, was sanctioned alongside the platform for allegedly providing material and technological support to cybercriminals.
OFAC published 15 cryptocurrency wallet addresses linked to Rashevsky across multiple blockchain networks, including Bitcoin, Ethereum, Tron, Litecoin, Dogecoin, Dash, Zcash, and Solana.
| Rashevsky wallet addresses added to the OFAC SDN List |
| 1MTndG4K51RRMvkzyvguaHnQpiMLnxFGzM |
| 1DfyWkiXVVqWfcSduj23qTDis9kb2qvRDa |
| 0x1d19b52b54e7ef5ea1a4b40b616165e798eac9f8 |
| 0x2C7DcD774b33e10367F7d6385479e04F97d179dc |
| LcP1DumXkNJbBtSYD3XxAfsJ2nZR5hLdpM |
| LbPAqHvemZBv3pvAqiAtDnZ3U1t6EziaL1 |
| t1LHesgnkapziGQCJtrfZWYXhyjfTVo1dvh |
| XcuGqRfrR85zyDrzVr1gSL5RNjwwpbu2KS |
| XowUeMFa1FkEUnAHL78E5oqpezMfSB6xP1 |
| TTLRNgLpz5H5tLPuNU4FViUs7zmmAtyvzW |
| TBFW9gF4oDX5cG44gS7AoxQeujScmm3z6h |
| DHzAVdEoL3PjGeLWNdEJwwMA1CeQ9J9Cpo |
| DTqpKQ96rqkTvHcohQQd9BksmgRjasHgGo |
| Fc1EwQUZyTEagaDvA1utHXCcZNyG1x2PLt2DfNu1cJdH |
| FuCC7GoYwt5TsNTjWL23Xx9UKCvC18chjMEFPL3vJDCC |
Evgeniy Vladimirovich Silaev
Belarusian national Evgeniy Vladimirovich Silaev was sanctioned alongside FirstVPN and Dmitry Rashevsky.
According to OFAC, Silaev distributed cryptors — software tools designed to disguise malware by altering its code and appearance so that antivirus programs and other security solutions fail to detect it.
U.S. authorities allege that he supplied these services to ransomware operators targeting organizations in the United States and allied countries.
Unlike the sanctions imposed on FirstVPN and Rashevsky, OFAC did not publish any cryptocurrency wallet addresses associated with Silaev.
Taken together, however, these designations illustrate a significant shift in OFAC's enforcement strategy. Rather than targeting only ransomware groups themselves, the agency is now sanctioning the infrastructure that enables their operations — from VPN providers that help attackers stay anonymous to malware obfuscation services that allow malicious code to evade detection.
Blockchain links ransomware gangs to FirstVPN
Blockchain analysis uncovered direct financial links between FirstVPN and several well-known ransomware groups, showing that cybercriminals paid for the service with cryptocurrency.
According to the investigation, the Anubis ransomware group sent FirstVPN a total of $715 in two payments made on December 13, 2025, and March 15–16, 2026. On January 11, 2026, Qilin Ransomware transferred $120, while Sinobi Group sent another $58 on February 8, 2026.
The amounts are relatively small, but they are consistent with subscription fees for infrastructure services such as VPN providers. The significance lies not in the value of the payments, but in what they prove: ransomware operators were directly paying a specific infrastructure provider, and every one of those transactions remains permanently recorded on public blockchains.
TRM Labs visualization showing links between FirstVPN wallet addresses and ransomware groups
The findings also highlight an important characteristic of modern cybercrime. The same cryptocurrency networks used by ransomware gangs to collect ransom payments are also used to pay for the infrastructure that enables their attacks. Because these transactions occur on public blockchains, investigators can trace and connect them to specific actors within the cybercriminal ecosystem.
What this means for compliance teams
The latest OFAC sanctions signal a major shift in U.S. enforcement strategy. Instead of targeting only ransomware gangs, regulators are now also going after the infrastructure providers that make these attacks possible.
For compliance teams, this expands the scope of sanctions screening. Monitoring should no longer focus solely on wallets linked directly to ransomware operators. Organizations also need to identify and assess payments involving infrastructure providers that enable cybercrime, including VPN services, malware obfuscation tools, anonymity services, and other vendors supporting illicit operations.
In practical terms, firms should immediately update their sanctions monitoring systems with the newly designated wallet addresses and strengthen controls around payments to infrastructure providers operating across multiple blockchain networks.
More broadly, the new sanctions demonstrate that regulators increasingly view the cybercrime ecosystem as a whole. Effective blockchain investigations and transaction monitoring should therefore extend beyond the final recipient of funds to include the broader network of service providers that facilitate ransomware operations.
Useful material?
Research
One and the same cryptocurrency address received two completely opposite assessments from different analytics systems: from an ordinary gambling service to an extremely severe criminal offense. This story has become the starting point for a broader conversation about what the scientific standards of blockchain analysis should look like — and why errors in systems like these can shape the fates of real people.
Jul 1, 2026
Research
The blockchain has helped uncover the ties between cryptocurrency fundraising campaigns, exchangers in Syria, and intermediaries in several countries around the world. A telltale pattern has emerged in which the same addresses were used across multiple donation drives at once
Jun 24, 2026
Research
Four Iranian cryptocurrency exchanges accounted for roughly 78% of all digital asset volume tied to the country in 2025. They have now become the focal point of the largest U.S. sanctions campaign against Iran's cryptocurrency infrastructure.
Jun 5, 2026
Research
A financial system is already up and running on public blockchains, with loans, analogues of U.S. Treasuries, and automated capital markets. More than $551 billion has flowed through DeFi protocols — but most of that activity has nothing to do with the real economy and everything to do with the speculative build-up of risk.
May 29, 2026
Research
Around 97% of Chinese suppliers of chemicals used to make fentanyl accept payment in cryptocurrency. The volume of such transactions continues to grow alongside the global market for synthetic drugs
May 22, 2026
Research
For the first time, the new law makes blockchain analytics an officially mandatory tool of financial oversight in the United States. Authorities will also gain the power to restrict transactions with foreign crypto services tied to money-laundering risks.
May 20, 2026
Telegram
Twitter