The tactic is to expand cyber enforcement by sanctioning foreign infrastructure services, targeting providers that aid cybercriminals.
On 13 July 2026 the US Treasury Department took the unprecedented step of sanctioning a virtual private network provider accused of supporting ransomware operations, marking the first time such an infrastructure service has been formally targeted.
The action names First VPN Service (1VPNS), along with its alleged Ukrainian administrator Dmytro Rashevskyi and Belarusian malware facilitator Yegeniy Vladimirovich Silayev.
Authorities say the service played a central role in enabling cybercriminal groups to carry out attacks against American hospitals, schools, businesses, and government entities. The Treasury’s Office of Foreign Assets Control (OFAC) noted that the individuals and entity were designated under Executive Order 13694, as amended, for materially assisting malicious cyber activities aimed at US interests.
The State Department stated that the network provided ransomware actors with tools to conceal their identities, mask malicious payloads, and bypass detection systems: capabilities that had contributed to billions of dollars in damages across critical infrastructure sectors.
First inadvertent casualty of the sanctions
Investigators allege Rashevskyi had used fraudulent identities to acquire and operate infrastructure supporting the VPN service, while Silayev had distributed crypting tools designed to make ransomware appear as legitimate software. Blockchain analysis reportedly linked payments from ransomware groups such as Anubis, Qilin, and Sinobi Group to the VPN service. The sanctions effort was coordinated with the United Kingdom, following a multinational law enforcement operation known as Operation Saffron.
Shortly after the sanctions were announced, Telegram had experienced a widespread disruption affecting its t.me short-link domain. The .me registry, administered by US-linked operators despite being Montenegro’s country-code domain, placed the domain under a “serverHold” status, effectively removing it from global DNS resolution.
This action had rendered invite links, group pages, channels, and bots inaccessible, although Telegram’s core messaging services remained operational. The registry later confirmed the suspension was tied to OFAC compliance requirements. The outage lasted roughly a day before service was restored. While no direct causal link has been publicly confirmed, observers have suggested that sanctioned actors’ potential use of t.me links may have prompted precautionary action.
US regulators are increasingly targeting the ecosystem of services that enable malicious cyber operations to function. By designating infrastructure providers such as VPN services, authorities aim to disrupt the underlying support networks that facilitate anonymity and operational resilience for cybercriminals. As a result of the sanctions, any property or interests associated with the designated parties that fall under US jurisdiction (or involve US persons) are now blocked.
