All incidents

US sanctions VPN provider 1VPNS for aiding ransomware gangs

incidentopenJul 13, 2026 — Jul 14, 2026
US sanctions VPN provider 1VPNS for aiding ransomware gangs

THE United States Treasury has imposed sanctions on the VPN provider 1VPNS and two individuals linked to the service, accusing them of facilitating ransomware operations that have caused billions of dollars in losses to American businesses and critical infrastructure. The action targets both the company and its administrators, cutting off their access to the US financial system. Details of the designation were released in a press notice available from the Treasury Department.

1VPNS marketed itself as a privacy‑focused virtual private network, promising users anonymity by routing traffic through servers in jurisdictions with limited oversight. Ransomware groups adopted the service to conceal the origin of their command‑and‑control channels and to hide the distribution of encryptors and data‑exfiltration tools. By masking their true IP addresses, the actors could prolong their presence on victim networks and evade early detection by security monitors. No public CVE identifiers are associated with the provider, as the risk stems from its intended use rather than a software flaw.

The sanctions also name Yegeniy Vladimirovich Silayev, who is alleged to have sold cryptors that obscure malicious code and make it harder for antivirus products to detect ransomware payloads, and Dmytro Rashevskyi, the Ukrainian administrator accused of using false identities to procure servers and bandwidth from companies that would otherwise decline to work with him.

Silayev’s cryptors were marketed to ransomware affiliates seeking to bypass signature‑based defences, while Rashevskyi’s network management kept the VPN infrastructure operational despite growing complaints about abuse. Both designations freeze any assets they may hold under US jurisdiction and prohibit US persons from engaging with them.

The Treasury’s move follows a law enforcement operation that previously seized 1VPNS infrastructure and exposed its user database, revealing a heavy concentration of ransomware affiliates among the subscriber base. Although the sanction notice does not tie the provider to a specific ransomware gang, it notes that the service has been favoured by actors targeting US municipalities, hospitals, schools and a range of private enterprises. The financial impact attributed to these campaigns runs into the billions, prompting the administration to treat the VPN as a facilitative tool in the broader ransomware ecosystem.

Network defenders should begin by checking logs for any connections to IP ranges known to belong to 1VPNS and blocking those addresses at perimeter firewalls and VPN concentrators. Threat intelligence feeds should be updated with the sanction identifiers so that alerts trigger when attempts to reach the sanctioned nodes are observed. Organisations using third‑party remote‑access solutions must verify that none of their providers rely on the sanctioned service for exit nodes or traffic obfuscation.

Additionally, reviewing contracts with cloud and hosting partners can help ensure that no infrastructure has been leased through front companies linked to the sanctioned individuals.

Sharing the observed indicators with sector‑specific ISACs and contacting upstream ISPs to report abuse notices can help limit the spread of the infrastructure. While the sanctions focus on 1VPNS, security teams should remain vigilant for other privacy services that may be co‑opted by ransomware actors and maintain baseline controls such as multi‑factor authentication, timely patching and regular backup verification. Staying informed about future Treasury designations will allow defenders to adapt their blocklists before new threats emerge.

Intelligence briefing updated Jul 14, 2026

Root sourcehome.treasury.gov
Timeline Coverage

Swipe to explore timeline