The U.S. Treasury Department on Monday imposed sanctions on First VPN Service (1VPNS) and its administrator, Ukrainian national Dmytro Rashevskyi, for providing infrastructure that helped ransomware groups hide their identities and evade detection during attacks on American municipalities, hospitals, schools, and businesses.

According to Treasury, 1VPNS gave ransomware operators tools to disguise malicious software and conceal their tracks, contributing to attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers. The press release did not name specific ransomware groups that used the service, but said numerous gangs purchased internet infrastructure through it.

Treasury said Rashevskyi used fake identities to acquire infrastructure from providers that would otherwise have refused to do business with him given a history of abuse complaints from internet service providers tied to illegal activity on 1VPNS servers. He reportedly marketed the service as low-risk by advertising that it kept no logs of user identity or activity and would not cooperate with law enforcement investigations.

A second individual, Belarusian national Yegeniy Vladimirovich Silayev, was also designated under the sanctions for allegedly selling “cryptors,” tools that disguise malware as harmless files to make it harder to detect and more effective. Silayev is not affiliated with First VPN, but his designation reflects a broader effort to target the tool suppliers underpinning ransomware operations.

The sanctions bar any U.S. person or entity from completing transactions with the designees and are also intended to inflict reputational damage that can reduce business revenue for services operating in this space.

Prior Takedown

The sanctions follow a May law enforcement action in which European agencies and the FBI took down First VPN, citing its long-standing use by cybercriminals to mask fraud, ransomware activity, and other illegal conduct. The service, which has operated since 2014, was heavily promoted on Russian-language cybercrime forums and dark web marketplaces, where it was also pitched as suitable for supporting botnets and scam operations while promising customer anonymity.

By sanctioning both a ransomware-enabling VPN provider and a malware obfuscation tool seller in the same action, Treasury said it aims to disrupt operations across a broad swath of ransomware gangs that rely on shared third-party infrastructure and services rather than building their own tools from scratch.