Skip to main content
Emerging ThreatsMalware & Ransomware

US Treasury Sanctions VPN Service Over Ransomware Support

Law enforcement officers surround a computer setup, symbolizing the dismantling of a VPN service linked to ransomware groups.

First VPN was dismantled in May 2026 after a multi-jurisdictional law enforcement operation in Europe and North America, accused of helping ransomware groups obscure the origins of attacks and manage stolen data.

OFAC designations: First VPN Service and Dmytro Rashevskyi

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) designated a VPN provider called First VPN Service (1VPNS) and its 45‑year‑old Ukrainian administrator, Dmytro Rashevskyi, for enabling ransomware actors and other cybercriminals to carry out malicious activity, including attacks on Americans. According to the Treasury, First VPN had been operational since 2014 and promoted that it kept no logs of users' identities or activities and did not cooperate with law enforcement. OFAC says several ransomware groups purchased First VPN infrastructure to hide their true origins, deploy malware, and manage exfiltrated data.

Victims in attacks that involved the VPN infrastructure included U.S. businesses, financial services companies, hospitals, and municipal governments. U.S. officials attributed "billions of dollars in losses to American businesses and critical infrastructure providers" to ransomware groups using services supplied by the designated parties.

The Treasury further charged that "Rashevskyi has used false identities, including 'Maksim Sorin' and 'Roman Chabanenko,' to buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers."

Sanctioned cryptor seller: Yegeniy Vladimirovich Silayev

Alongside the VPN designation, OFAC sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national, for selling "cryptors" — tools alleged to conceal ransomware and other malware by making them appear as safe programs to evade security detection. The Treasury framed this activity as directly enabling ransomware actors to operate with reduced risk of detection and attribution.

U.K. and E.U. impose sanctions on Russian cyber networks and operators

The U.S. actions landed as the U.K. and E.U. announced sanctions of their own targeting 24 individuals and entities tied to destructive cyber and hybrid operations. The measures include sanctions on senior leadership in Russia's Main Intelligence Directorate (GRU) — Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko — for directing GRU cyber and hybrid threat operations.

The E.U. attributed disruptive sabotage operations against Poland's energy grid to Centre 16 of the Russian Federal Security Service (FSB). The U.K. said GRU Unit 29155's cyber division worked with cybercriminals, including the company IMPULS, to recruit hackers and cyber specialists from universities and academies across Russia. The sanctions additionally targeted individuals behind Lumma Stealer for enabling large-scale credential collection; the E.U. said Russia used those stolen credentials to conduct cyber espionage to support Kremlin objectives.

The E.U. framed the measures with sharp language: "We strongly condemn Russia's behaviour and misuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses. By calling out Russia's malicious behaviour and imposing costs on those responsible for such activities, the EU underscores its determination to uphold accountability in cyberspace."

FBI advisory: FSB Center 16 exploitation of poorly configured routers and CVE actions

The U.S. Federal Bureau of Investigation issued an advisory describing FSB Center 16 cyber actors' opportunistic exploitation of poorly configured networking devices worldwide, primarily routers. The FBI said the actors "primarily use scanning to identify poorly configured networking devices, primarily routers, for exploitation" and scan IP ranges for active Simple Network Management Protocol (SNMP) agents that accept common or default community strings.

These scans—run via proxies—use SNMP Set‑Requests from spoofed IP addresses with Object Identifiers (OIDs) that instruct the SNMP agent to copy its configuration to a file and transfer it to an attacker‑controlled virtual private server (VPS) or a compromised FTP server. The actors also exploit known vulnerabilities in Cisco devices, including CVE‑2018‑0171 and CVE‑2008‑4128.

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2008‑4128 to its Known Exploited Vulnerabilities (KEV) catalog, creating a federal requirement for agencies to apply fixes by July 16, 2026.

What this means for technologists, policymakers, and U.S. businesses, hospitals, and municipal governments

  • Technologists and security teams: Expect heightened scrutiny of exposed networking gear and SNMP configurations. The FBI advisory describes concrete exploitation methods—spoofed SNMP Set‑Requests and exfiltration via VPS or FTP—that defenders can hunt for using network telemetry.
  • Policymakers and regulators: The coordinated sanctions and law enforcement takedown illustrate a multipronged approach—economic pressure plus criminal disruption—aimed at infrastructure that facilitates ransomware. CISA's KEV listing imposes an immediate compliance timeline for federal agencies with a July 16, 2026, mitigation deadline for CVE‑2008‑4128.
  • U.S. businesses, hospitals, and municipal governments: These groups are named among victims of attacks that leveraged the designated VPN and related services; the designations signal an expectation of continued enforcement actions against suppliers and enablers that criminal actors rely upon.

The U.S. sanctions, allied European measures, and the FBI advisory together paint a picture of synchronized pressure on both the service providers that help conceal ransomware operations and the state‑linked networks that exploit poorly configured infrastructure. With First VPN dismantled in May 2026, a sanctioned cryptor seller identified, and CVE‑2008‑4128 added to the KEV catalog with an imminent patch deadline, the near‑term battlefield is focused on securing networking devices and choking off the tools that let attackers hide in plain sight.

https://thehackernews.com/2026/07/us-sanctions-first-vpn-service-and.html