OFAC sanctions VPN supplier FirstVPN and two operators tied to high ransomware gangs hiding assaults utilizing malware-disguising instruments.
The US Treasury’s Workplace of Overseas Property Management sanctioned a VPN supplier and two people on July 13, 2026.
The motion names FirstVPN Service, additionally referred to as 1VPNS, together with administrator Dmytro Rashevskyi and Belarusian nationwide Yevgeniy Vladimirovich Silayev. FirstVPN offered anonymizing infrastructure to cybercriminals since 2014. It promised no exercise logs and no cooperation with regulation enforcement.
Ransomware teams together with Anubis, Qilin, and Sinobi used the service to cover the supply of their assaults.
OFAC Targets Ransomware Infrastructure, Not Simply Attackers
Based on a report by TRM Labs, this designation goes after the instruments ransomware teams purchase fairly than a ransomware group itself. FirstVPN supplied the anonymizing layer.
Silayev equipped one thing totally different: a cryptor constructed to disguise malware as a innocent file. That disguise lets malicious code slip previous safety methods undetected.
Collectively, the 2 designations cowl each halves of the assault chain, community anonymity and endpoint evasion.
OFAC issued the motion underneath Government Order 14390, the March 2026 order directing US companies to harden methods towards international cybercrime. It additionally relied on E.O. 13694, the standing cyber-sanctions authority.
The UK’s Overseas, Commonwealth & Improvement Workplace coordinated an identical set of sanctions the identical day towards different cybercriminals and their enablers.
The motion follows earlier regulation enforcement strain on FirstVPN.
European authorities took down the service’s web site and infrastructure in Could 2026. The FBI’s Boston Area Workplace supported that takedown and later revealed an advisory describing FirstVPN’s techniques for companies to look at for.
🚨 As we speak, @USTreasury’s OFAC sanctioned FirstVPN Service (1VPNS), admin Dmytro Rashevskyi, and Yevgeniy Silayev — who offered “cryptors” disguising malware as secure information.
Since 2014, FirstVPN promised cybercriminals no logs, no cooperation with regulation enforcement. Ransomware teams… pic.twitter.com/ZtFhMgWHiR
— TRM Labs (@trmlabs) July 13, 2026
FirstVPN’s Crypto Addresses Span A number of Blockchains
OFAC listed 5 cryptocurrency addresses tied to FirstVPN itself, spanning Bitcoin, Ethereum, Litecoin, and Tron.
All 5 hint again to Cryptomus, an alternate OFAC flagged as excessive threat. Rashevskyi’s particular person itemizing carries way more addresses: fifteen in whole, unfold throughout Bitcoin, Ethereum, Tron, Litecoin, Dogecoin, Sprint, Zcash, and Solana.
That unfold throughout eight chains reveals how far FirstVPN’s operator diversified his holdings. Silayev’s itemizing, against this, got here with no addresses hooked up.
Paired with the VPN and cryptor designations, it nonetheless marks him as sanctionable for supplying obfuscation instruments to ransomware operators concentrating on US and allied entities.
Rashevskyi additionally used false identities, listed by OFAC as “Maksim Sorin” and “Roman Chabanenko,” to purchase server infrastructure. Suppliers had flagged FirstVPN for abuse complaints earlier than, so the pretend names saved the service working.
Learn additionally:
U.S. Sanctions Crypto Exchanges Linked to Iran
On-Chain Knowledge Exhibits Ransomware Teams Paying FirstVPN Instantly
Blockchain analytics agency TRM Labs traced funds from ransomware teams straight to FirstVPN earlier than the sanctions landed.
The Anubis ransomware group despatched a complete of $715 to the service, break up between December 13, 2025, and March 15 to 16, 2026. Qilin Ransomware despatched $120 on January 11, 2026. Sinobi Group despatched $58 on February 8, 2026.
These greenback figures look small subsequent to typical ransomware extortion funds. Infrastructure subscriptions are inclined to run low-cost in comparison with the payouts they assist extract.
Nonetheless, the funds affirm that named ransomware teams relied on FirstVPN for operational infrastructure, and that reliance reveals up on-chain.
TRM Labs famous that enabling providers receives a commission by way of the identical rails their prospects use to extort victims. These funds stay traceable as soon as investigators know the place to look.
Compliance groups have been suggested to display the newly listed addresses towards their very own transaction histories going ahead.
