U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support
US sanctions VPN service and cryptor seller for enabling ransomware attacks.
Summary
The U.S. Treasury Department has sanctioned two individuals and a VPN service provider, First VPN Service (1VPNS), for facilitating ransomware attacks and other cybercriminal activities. First VPN, operational since 2014, allegedly provided services to numerous ransomware groups to obscure attack origins and manage exfiltrated data. Additionally, Yegeniy Vladimirovich Silayev was sanctioned for selling cryptors to evade security detection. These actions coincide with the UK and EU imposing sanctions on Russian individuals and entities for cyber operations.
Full text
U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support Ravie LakshmananJul 14, 2026Network Security / Cyber Espionage The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service (1VPNS), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian administrator, Dmytro Rashevskyi. The department has also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national, for selling cryptors to help conceal ransomware and other malware as safe programs to avoid being detected by security tools. First VPN was dismantled in May 2026 as part of a joint law enforcement operation by European and North American authorities for assisting criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The service had been operational since 2014, advertising that it neither keeps a log of users' identities or activities nor cooperates with law enforcement to tackle illegal activity originating from servers it rents to customers. Per the Treasury, several ransomware groups are said to have purchased First VPN to carry out attacks on U.S. companies and institutions and hide their true origins, deploy malware, and manage exfiltrated data. Victims of ransomware attacks that involved the VPN infrastructure included U.S. businesses, financial services companies, hospitals, and municipal governments. Ransomware groups using services supplied by the designated parties allegedly caused billions of dollars in losses to American businesses and critical infrastructure providers, U.S. officials said. "Rashevskyi has used false identities, including 'Maksim Sorin' and 'Roman Chabanenko,' to buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers," the department said. U.K. and E.U. Impose Sanctions on Russian Individuals and Entities The disclosure coincides with the U.K. and E.U. sanctioning Russian cyber networks for their "persistent and increasingly reckless attempts to sow chaos and division across Europe." The sanctions target 24 individuals and entities behind destructive cyber and hybrid operations, including operators involved in proxy networks linked to the Russian Intelligence Services (RIS). This includes Russia's Main Intelligence Directorate (GRU) senior leadership members Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko for their role in directing GRU cyber and hybrid threat operations. In tandem, Centre 16 of the Federal Security Service (FSB) has been attributed to disruptive sabotage operations against Poland's energy grid late last year. "GRU Unit 29155 cyber division worked with cybercriminals, including the company IMPULS, to recruit hackers and cyber specialists from universities and academies across Russia," the U.K. government said. The sanctions are also aimed at individuals behind Lumma Stealer for enabling cybercriminals to collect sensitive information from compromised devices at scale. Russia is said to have used the stealer's stolen credentials to conduct cyber espionage operations against targets globally to support the Kremlin's objectives. "Cybercriminals, self-proclaimed hacktivists and private companies linked to Russia, including actors operating under its instructions, direction or control, have also carried out, enabled and facilitated a wide range of malicious activities," the E.U. said. "We strongly condemn Russia's behaviour and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses. By calling out Russia's malicious behaviour and imposing costs on those responsible for such activities, the EU underscores its determination to uphold accountability in cyberspace." Russian State-Sponsored Targeting Goes After Routers The sanctions also arrive against the backdrop of a new advisory issued by the U.S. Federal Bureau of Investigation (FBI) about FSB Center 16 cyber actors' exploitation of poorly configured and vulnerable networking devices across the world to opportunistically hack into multiple critical infrastructure sector networks. "The Russian FSB Center 16 cyber actors primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation," the agency said. "The actors scan for Internet IP ranges with active Simple Network Management Protocol (SNMP) agents that accept common or default community strings for authentication." These scans, which are run via proxies, consist of SNMP Set-Requests from a spoofed IP address containing Object Identifiers (OIDs) that instruct the SNMP agent on poorly configured networking devices to copy its configuration to a file and transfer it to an attacker-controlled virtual private server (VPS) or compromised FTP server. The activity also involves abusing common vulnerabilities and exposures (CVEs) in Cisco devices, such as CVE-2018-0171 and CVE-2008-4128, as a way to discover and exploit poorly configured networking appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2008-4128 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by July 16, 2026. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE critical infrastructure, cyber espionage, Cybercrime, ddos, Information Stealer, Malware, network security, ransomware, Vulnerability ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Indicators of Compromise
- domain — 1vpns.com
- malware — Lumma Stealer