US sanctions First VPN and its administrator for supporting ransomware attacks
For years, cybercriminals saw this VPN service as a gateway to anonymity.

Silhouette of a man surrounded by glowing code. Mariyariya/Getty.
- US Treasury sanctioned First VPN Service and two workers for enabling ransomware attacks on American businesses and infrastructure
- First VPN promised anonymity and no cooperation with authorities, attracting criminals who used it for ransomware and data theft
- European authorities previously seized 33 servers and domain names in coordinated operation across seven countries in May
- Sanctions freeze assets and ban business dealings; violators face fines exceeding $1 million for supporting cybercrime infrastructure
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Office of Foreign Assets Control (OFAC), part of the US Department of the Treasury, has sanctioned First VPN Service and two workers for carrying out ransomware attacks against American businesses.
Last May, European law enforcement authorities took First VPN Service offline for offering services to conceal criminal activities, including ransomware attacks, data theft, hacking of IT systems, and fraud schemes.
First VPN Service promised its clients anonymity, that it wouldn’t store any data, and that it wouldn’t cooperate with any judicial authority.
Therefore, law enforcement agencies from France, Luxembourg, the Netherlands, Romania, Switzerland, Ukraine, and the United Kingdom dismantled 33 servers linked to First VPN Service. In addition, several domain names were seized.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate, and evade law enforcement,” Edvardas Šileris, Head of Europol’s European Cybercrime Center, said in a statement at the time.
The US authorities are now chiming in as well.
According to the OFAC, numerous ransomware groups purchased infrastructure from First VPN Service, which they used to launch cyberattacks, deploy malware, and exfiltrate data from American businesses, financial service companies, hospitals, local governments, and other institutions.
Furthermore, the agency claims that First VPN Service advertised its services on multiple online cybercriminal forums.
Therefore, the OFAC has designated First VPN Service and two of its workers: Dmytro Rashevskyi and Yegeniy Vladimirovich Silayev.
Rashevskyi is deemed to be First VPN Service’s administrator and therefore directly responsible for enabling cybercriminal activities against American targets. Silayev allegedly sold so-called “cryptors,” tools used to disguise ransomware and other malware as safe programs to prevent security systems from detecting or deactivating them.
Their involvement in First VPN Service’s activities is considered a threat to America’s national security.
“Under President Trump’s leadership, Treasury is using every available tool to disrupt the cybercriminal ecosystem and protect the American people. We will continue targeting the actors who enable ransomware attacks against Americans and our critical infrastructure,”Gene Lang, Acting Under Secretary for Terrorism and Financial Intelligence at the US Department of the Treasury, said in a statement.
As part of the sanctions, the assets of the VPN provider and its US administrator have been frozen. In addition, individuals and companies are prohibited from doing business with the provider and its operator. Failing to do so may result in monetary penalties exceeding $1 million.