US cybercrime enforcement and sanctions policy

Treasury's First VPN Sanctions Target Criminal Intent, Not VPN Technology — A Distinction Worth Preserving

OFAC's July 13 sanctions on 1VPNS and its administrator follow a May takedown, offering a narrower enforcement model than blanket restrictions on privacy tools.

First VPN: From Takedown to Sanctions People of Internet Research · US 25+ Ransomware gangs using service At least 25 ransomware groups reli… 33 Servers seized in takedown Operation Saffron dismantled 33 se… 18 Countries backing the operation France and the Netherlands led an … 12 Years service operated before seizure 1VPNS marketed itself as log-free … peopleofinternet.com
First VPN: From Takedown to Sanctions People of Internet Research · US 25+ Ransomware gangs using service 33 Servers seized in takedown 18 Countries backing the operation 12 Years service operated before … peopleofinternet.com

Key Takeaways

The Treasury Department's Office of Foreign Assets Control announced on July 13, 2026 that it had sanctioned First VPN Service (1VPNS), a Ukraine-based VPN provider, along with its administrator Dmytro Rashevskyi and a separate Belarusian national, Yegeniy Vladimirovich Silayev, who sold "cryptors" — tools that disguise malware to evade antivirus detection (Treasury press release). The designations were made under Executive Order 13694, as amended, which authorizes sanctions against those who materially support cyber-enabled activity threatening U.S. national security or economic stability, and were coordinated with the UK's Foreign, Commonwealth & Development Office (OFAC recent actions, July 13, 2026). Treasury said 1VPNS supplied ransomware groups with tools to "hide their identities, disguise malicious software, and evade detection," enabling attacks that caused billions of dollars in losses to U.S. hospitals, schools and municipalities.

A Sanction That Follows a Takedown

This is not a first strike. In Operation Saffron, running May 19–20, 2026, French and Dutch authorities — backed by Europol, Eurojust, the FBI and 16 other partner countries — dismantled 33 servers and seized the 1VPNS domains, having identified at least 25 ransomware gangs that relied on the service's no-log, no-cooperation model to hide their infrastructure (TechCrunch; The Hacker News). Investigators interviewed Rashevskyi in Ukraine during that operation but, notably, did not arrest him (Help Net Security) — which is precisely why sanctions, rather than prosecution, are now doing the enforcement work. He remains outside the reach of a U.S. courtroom; freezing whatever assets or business relationships he can still access is the tool actually available.

The Case For Going After the Infrastructure Layer

There is a real case for this approach, and it deserves to be stated plainly rather than waved away. 1VPNS was not a general-purpose privacy service that happened to attract some bad actors — Treasury's own materials note it had operated since 2014 explicitly marketing itself as refusing law-enforcement cooperation and keeping no logs, a pitch aimed squarely at criminals rather than privacy-conscious consumers (The Record). Europol's own findings described it as embedded in "almost every major" cybercrime investigation the agency supported in recent years. Sanctioning the operator, and separately the cryptor seller who tooled malware for detection evasion, targets the supply chain that makes ransomware operationally viable — the anonymizing infrastructure and the obfuscation tooling — rather than reaching for the blunter instrument of restricting encryption or VPN technology broadly. That is a meaningfully narrower intervention than, say, mandated backdoors or bans on no-log VPN services as a category.

Where the Caution Belongs

But the distinction Treasury drew here — sanctioning demonstrated criminal intent and marketing, not the technology of anonymization itself — is the part worth defending, because it is also the part most at risk of eroding. No-log policies, refusal to cooperate with law enforcement absent valid legal process, and encrypted, anonymized traffic are core features of legitimate privacy and security tools used by journalists, dissidents, abuse survivors and ordinary businesses. Nothing in this action, taken on its own facts, criminalizes those features — Treasury's designation rests on 1VPNS's demonstrated pattern of servicing ransomware crews and the operator's own conduct evading ISP abuse complaints by buying infrastructure under false identities. That is a fact-specific finding, not a category judgment about VPNs.

The risk is precedent creep: a future administration invoking the same "material support" theory against a mainstream VPN or hosting provider whose service was merely used by criminals, without the marketing-to-criminals and evasion-of-abuse-complaints evidence that anchors this case. Congress and Treasury should keep the bar where it sits here — demonstrated, provider-level facilitation of criminal activity, not mere technical capability for anonymity — rather than let "the service enabled bad actors" become sufficient on its own. Sanctions compliance counsel already treat cyber-related SDN designations as some of OFAC's most operationally significant tools; expanding the theory loosely would chill legitimate privacy infrastructure providers from operating in or serving the U.S. market at all, which is a worse outcome for security than the ransomware problem this action addresses.

The Practical Limits

It is also worth being honest about what this sanction accomplishes and what it does not. 1VPNS's infrastructure was already seized in May; the July designation is chiefly reputational and financial — blocking Rashevskyi and Silayev from the U.S. financial system and warning other infrastructure providers of the same fate. It does not recover the losses already inflicted on sanctioned hospitals and municipalities, and it does nothing to stop the next no-log VPN from launching under a different name. Sanctions work best as one layer in a stack that includes the law-enforcement takedown that preceded it and the international coordination that followed. Judged as that — a narrowly targeted, evidence-based follow-on to an actual operation, rather than a freestanding assertion of authority over privacy tools — this is a defensible use of Treasury's cyber sanctions program.

Sources & Citations

  1. Treasury Department press release
  2. OFAC recent actions, July 13, 2026
  3. The Record: VPN service favored by ransomware groups is sanctioned by US
  4. TechCrunch: Law enforcement shuts down VPN service used by ransomware gangs
  5. The Hacker News: First VPN dismantled in global takedown
  6. Help Net Security: Operation Saffron takedown details