The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and one entity for supplying infrastructure and tools that enabled ransomware attacks against American organizations, marking the latest move in a broader campaign to disrupt the support networks behind ransomware operations rather than just the operators themselves.

VPN provider with a no-log promise

Among those designated is First VPN Service (1VPNS), a virtual private network provider that had operated since 2014 and marketed itself on cybercriminal forums as keeping no logs and refusing to cooperate with law enforcement. Its administrator, Dmytro Rashevskyi, allegedly used false identities, including the aliases “Maksim Sorin” and “Roman Chabanenko,” to obtain hosting infrastructure from providers that would otherwise have rejected the service over abuse complaints.

The sanctions follow a law enforcement takedown of 1VPNS in May, when French and Dutch authorities led a joint action called “Operation Saffron” with support from the FBI’s Boston Field Office. Investigators had infiltrated the VPN’s infrastructure and collected its user database as early as December 2021, well before the service was dismantled. The operation ultimately seized 33 servers across 27 countries and led to the administrator’s arrest, exposing thousands of users tied to ransomware, fraud, and other criminal activity worldwide. Europol has said the VPN’s name surfaced in nearly every major cybercrime investigation it supported, with victims including U.S. businesses, hospitals, financial services firms, and municipal governments.

Cryptor seller also designated

OFAC separately sanctioned Belarusian national Yegeniy Vladimirovich Silayev, who sold cryptors, also known as crypters, tools that help ransomware and other malware evade detection by security software. Officials estimate that ransomware operations relying on 1VPNS and Silayev’s cryptors have caused billions of dollars in losses to U.S. businesses and critical infrastructure providers.

State Department spokesperson Thomas Pigott said the sanctioned actors supplied ransomware groups with tools to hide identities, disguise malware, and evade detection, and that targeting these service providers alongside the ransomware operators themselves is intended to dismantle the broader networks sustaining cybercriminal activity.

Coordinated international action

OFAC said the action was coordinated with the United Kingdom’s Foreign, Commonwealth and Development Office. Under the sanctions, all property belonging to the designated individuals and entity within U.S. jurisdiction is blocked, and U.S. persons and businesses are barred from engaging in transactions with them. The same week, the European Union and the United Kingdom jointly sanctioned dozens of Russian individuals and entities, accusing Russia of coordinating a network of hacking groups behind cyberattacks across Europe.