"These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers," said State Department spokesperson Thomas Pigott.
OFAC designations: 1VPNS and Dmytro Rashevskyi
On Monday the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS), a virtual private network provider, and its administrator, Dmytro Rashevskyi. OFAC said 1VPNS sold services to ransomware groups and had advertised since it surfaced in 2014 that it kept no logs of user activity or identities and would not cooperate with law enforcement. Rashevskyi allegedly used false identities, including "Maksim Sorin" and "Roman Chabanenko," to acquire infrastructure from companies that would otherwise have refused service because of complaints of abuse.
Operation Saffron: European takedown with FBI support
The sanctions follow a May takedown of 1VPNS's website and infrastructure by European law enforcement with support from the FBI's Boston Field Office, as part of a joint action dubbed "Operation Saffron" led by French and Dutch authorities. According to the account of the joint operation, the investigation began in December 2021 when law enforcement officers infiltrated the VPN's infrastructure and collected its user database prior to dismantling the service.
During the operation authorities seized 33 servers linked to 1VPNS across 27 countries, arrested the VPN's administrator, and exposed thousands of users associated with ransomware, fraud, and other malicious activity worldwide. Europol said the VPN service's name had surfaced in nearly every major cybercrime investigation it supported.
Yegeniy Vladimirovich Silayev and the sale of cryptors
The Treasury also sanctioned Belarusian national Yegeniy Vladimirovich Silayev. OFAC described Silayev as a seller of cryptors—tools that help ransomware and other malware evade detection by security software. Officials estimate ransomware operations using 1VPNS and Silayev cryptors have caused billions of dollars in losses to businesses and critical infrastructure providers across the United States.
Impacts on U.S. victims and allied actions
Victims cited in the enforcement account included U.S. businesses, hospitals, financial services firms, and municipal governments. OFAC said the action was coordinated with the United Kingdom's Foreign, Commonwealth & Development Office. Under the sanctions, all property of the designated individuals and entities within U.S. jurisdiction is blocked, and U.S. persons and businesses are barred from transactions involving them.
Separately on Monday, the European Union and the United Kingdom jointly sanctioned dozens of Russian individuals and entities, accusing Russia of coordinating a network of hacking groups linked to cyberattacks across Europe.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: the enforcement record shows law enforcement can penetrate and collect data from criminal infrastructure—evidence from the 1VPNS investigation included an infiltrated user database and seized server infrastructure across 27 countries.
- Policymakers and regulators: the coordinated action—OFAC designations aligned with the U.K.'s FCDO and concurrent EU/UK sanctions—illustrates a strategy of targeting not only ransomware operators but the service providers and tool sellers who enable them.
- Affected enterprises and procurement leaders: the list of victims (businesses, hospitals, financial services firms, and municipal governments) underscores the broad operational and financial exposure officials attribute to services like 1VPNS and to cryptors sold by Silayev, which authorities say contributed to "billions of dollars" in losses.
The enforcement move marks a shift from naming alleged attackers to removing the infrastructure and suppliers that obscure and enable those attacks. By blocking property and forbidding transactions, OFAC and allied partners aim to constrict the market for anonymity and anti-detection tools; the record from Operation Saffron—33 seized servers, a dismantled service, and thousands of exposed users—will be a tangible example cited as those measures proceed. The prosecutors, investigators, and affected organizations now face the practical tasks of civil remediation, attribution of harm, and assessing how many incidents tied to this infrastructure will lead to indictment, restitution, or further international action.




