Skip to main content
Cyber News & CTI Reports :: 2026-07-14 | US sanctions VPN, malware providers for enabling ransomware attacks
Contact Page | Privacy Policy

2026-07-14 | US sanctions VPN, malware providers for enabling ransomware attacks

1. AI Summary

OFAC sanctioned a VPN provider and its administrator for enabling ransomware groups, and a Belarusian national for selling cryptors that evade detection. European law enforcement dismantled the VPN in "Operation Saffron," seizing servers across 27 countries. The actions aim to disrupt the ransomware supply chain and block assets within U.S. jurisdiction. Victims include U.S. businesses, hospitals, financial firms, and municipal governments.

2. IOCs

IOC Type Value Description Relevant MITRE ATT&CK Techniques
Threatactor
Dmytro Rashevskyi
Administrator of 1VPNS; used false identities to acquire infrastructure for ransomware groups. T1090|T1071|T1027
Threatactor
Maksim Sorin
False identity used by Rashevskyi to purchase services while masking true identity. T1090|T1071|T1027
Threatactor
Roman Chabanenko
Additional false identity linked to Rashevskyi for procuring abusive infrastructure. T1090|T1071|T1027
Threatactor
Yegeniy Vladimirovich Silayev
Belarusian national selling cryptor tools that help ransomware and malware evade detection. T1027

3. MITRE ATT&CK

Code Title
T1090 Use of Proxy or Relay for C2 (e.g., VPN service)
T1071 Application Layer Protocol (web protocols used by VPN)
T1027 Obfuscated Files or Information - Obfuscated Files or Information (cryptor tools for evasion)

4. Targets

Type Value
Country United States
Sector Business
Sector Financial services
Sector Government
Sector Healthcare

5. Article Details

6. Original text

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and one entity for enabling ransomware attacks against U.S. organizations. On Monday, OFAC designated First VPN Service (1VPNS) , a virtual private network provider that sold services to ransomware groups, and its administrator,

Dmytro Rashevskyi
. Since it surfaced in 2014, 1VPNS has advertised on cybercriminal forums that it keeps no logs of user activity or identities and would not cooperate with law enforcement. Rashevskyi allegedly used false identities (e.g., "
Maksim Sorin
" and "
Roman Chabanenko
") to acquire infrastructure from companies that would otherwise have refused service due to complaints of abuse. The sanctions come after European law enforcement took down 1VPNS's website and infrastructure in May with support from the FBI's Boston Field Office, as part of a joint action dubbed "Operation Saffron" led by French and Dutch authorities. The 1VPNS investigation began in December 2021, with law enforcement officers infiltrating the VPN's infrastructure and collecting its user database before it was dismantled. Throughout the joint operation, the authorities seized 33 servers linked to 1VPNs across 27 countries, arrested its administrator, and exposed thousands of users associated with ransomware, fraud, and other malicious activity worldwide. At the time, Europol also said that the VPN service's name had surfaced in nearly every major cybercrime investigation it supported. Victims of ransomware attacks involving 1VPNS' infrastructure included U.S.
Business
es, hospitals,
Financial services
firms, and municipal
Government
s. This week, the Treasury Department also sanctioned Belarusian national
Yegeniy Vladimirovich Silayev
, who sells cryptors (also known as crypters), which are tools that help ransomware and other malware evade detection by security software.

Officials estimate that ransomware operations using 1VPNS and Silayev cryptors have caused billions of dollars in losses to

Business
es and critical infrastructure providers across the
United States
. "These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers," said State Department spokesperson Thomas Pigott. "By targeting not just ransomware operators but the service providers and tool suppliers who make their attacks possible, the
United States
and its partners are dismantling the broader networks that sustain cybercriminal activity worldwide." OFAC said the action was coordinated with the United Kingdom's Foreign, Commonwealth & Development Office. Under these sanctions, all property of the designated individuals and entities within U.S. jurisdiction is blocked, while U.S. persons and
Business
es are barred from transactions involving them. On Monday, the European Union and the United Kingdom also jointly sanctioned dozens of Russian individuals and entities , accusing Russia of coordinating a network of hacking groups linked to cyberattacks across Europe. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen. The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper