The Treasury Department is slapping sanctions on First VPN and its administrator for allegedly selling services to ransomware operators, as well as another person aiding ransomware gangs.
First VPN Services, or 1VPNS, was “deeply embedded in the cybercriminal ecosystem” and appeared in virtually every Europol investigation in recent years, the law enforcement body said after a sting targeting the service in May.
Treasury’s Office of Foreign Assets Control (OFAC) sanctioned 1VPNS as well as its alleged administrator, Ukrainian citizen Dmytro Rashevskyi, Monday in conjunction with the United Kingdom. The outfit provided anonymity services that could be legitimate in some instances, but 1VPNS advertised itself in online cybercrime forums for more than a decade, touting its refusal to cooperate with law enforcement, the office said.
“Numerous ransomware groups have purchased infrastructure from 1VPNS, which they have leveraged in attacks on U.S. companies and institutions — including to hide the origins of their attacks, deploy malware, and manage exfiltrated data,” OFAC said. “Victims of ransomware attacks that involved the use of 1VPNS infrastructure have included U.S. businesses, financial services companies, hospitals, and municipal governments.”
Treasury also sanctioned Belarus national Yegeniy Vladimirovich Silayev for allegedly selling “cryptors,” tools used to disguise ransomware and other malware, to ransomware operators.
“Unlike legitimate encryption tools, which are designed to protect data and the privacy of the people that own it, cryptors are built specifically to make malware stealthier and more effective by disguising it as harmless files,” OFAC said.
Treasury’s sanctions designations dovetail with separate, unrelated cyber sanctions that European governments from Monday. The FBI has previously issued an alert about First VPN Service.
Blockchain intelligence firm TRM Labs said it has seen 1VPNS selling its services to ransomware operators for prices ranging from $723 for Anubis to $58 Sinobi.
“The amounts are small because infrastructure subscriptions are small,” Ari Redbord, global head of policy and government affairs for the company, wrote on LinkedIn. “A named ransomware group paying a named enabler on public chains still leaves a trail investigators can follow after the fact.”
Victims tied to First VPN Service infrastructure include U.S. municipalities, hospitals and financial services companies.
Europol said it had arrested the administrator of 1VPNS in its May sting, but did not name them.
The Treasury Department did not immediately respond to a question about whether its sanctions targeted that same arrested person.

