Skip to main content
Threat IntelligenceEmerging Threats

Telegram Disrupts Links Tied to Sanctioned VPN Service

Person in professional attire sits at desk in government agency setting with computer and phone in background.

"The .ME Registry works closely with law enforcement to monitor and mitigate issues across the .ME domain in accordance with applicable laws, including sanctions requirements," Domain.Me stated via X.

Domain.Me suspended t.me shortlinks after OFAC named 1VPNS

On 13 July the US Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS). Domain.Me — operator of the .ME registry that underpins Telegram's t.me shortlinks — confirmed that the action led to a suspension of the t.me domain that lasted roughly a day while the situation was assessed. Domain.Me said a Telegram channel using the t.me domain was among infrastructure identified as linked to 1VPNS, and that the registry suspended the domain on that basis.

Telegram removed links tied to the sanctioned VPN and t.me access was restored

Telegram verified that links associated with the sanctioned VPN had been removed. According to Domain.Me, on 14 July Telegram provided confirmation that it had removed its links and affiliations with 1VPNS; after that confirmation was reviewed and verified, the suspension on the t.me domain was lifted. Pavel Durov, Telegram's founder and CEO, publicly asked the .ME registry to look into the outage as users across the app reported problems with t.me links used to share channels, groups, and profiles.

OFAC designations and related sanctions named people and services

OFAC's 13 July designations named First VPN Service (1VPNS) and its administrator, Dmytro Rashevskyi. The announcement also sanctioned Yevgeniy Vladimirovich Silayev for selling cryptors — software described as tools designed to disguise ransomware and other malware to evade detection by security programs. OFAC's announcement said ransomware groups used both services, causing billions of dollars in losses to US businesses and critical infrastructure providers.

European takedown in May and Europol's assessment of 1VPNS

Authorities in Europe had taken down 1VPNS infrastructure in May. Europol said the service, whose administrator was based in Dnipro, Ukraine, had been used by at least 25 ransomware groups, including Avaddon, for network reconnaissance and intrusions. Edvardas Šileris, head of Europol's European Cybercrime Centre, said: "For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement." The FBI, which supported the France and Netherlands-led takedown, said 1VPNS had been advertised almost exclusively on criminal dark web forums and had been used for a range of activity beyond ransomware.

What this means for Telegram, European law enforcement, and US Treasury

  • Telegram: The platform acted to remove links and affiliations after being notified, and that removal was the proximate cause cited by Domain.Me for restoring t.me service on 14 July.
  • European law enforcement and the FBI: The May takedown and the statements by Europol and the FBI underscore that 1VPNS was treated as a facilitator for multiple illicit campaigns, not solely ransomware, and that operations against such infrastructure can involve cross-border cooperation.
  • US Treasury / OFAC: The designations on 13 July extended enforcement measures to an identified VPN service and named individuals, with the Treasury characterizing the move as part of broader efforts to disrupt the cybercriminal ecosystem. Gene Lange, senior counselor to the Secretary of the Treasury and performing the duties of the Under Secretary for Terrorism and Financial Intelligence, said: "Under President Trump's leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people. We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure."

Domain.Me did not specify which Telegram channel or group it had identified as 1VPNS infrastructure. The register noted that 1VPNS ran its own Telegram channel/account and that a group's t.me link appeared verbatim in OFAC's sanction announcement, and suggested that circumstance likely explains the domain-wide disruption.

The episode ties an OFAC sanction, a platform's internal removals, and a registry's legal compliance actions into a single, short-lived outage of a widely used URL namespace. It highlights how sanctions enforcement can ripple through internet infrastructure when platform accounts or channels are named as part of identified hostile infrastructure — and it leaves open the specific question Domain.Me did not answer: which channel triggered the registry's suspension.

Original story