What just happened? The US Treasury Department has imposed sanctions on a VPN provider and its administrator for the first time. The agency is targeting a service accused of helping ransomware gangs hide their identities and attack American organizations.

The Office of Foreign Assets Control designated First VPN Service, also known as 1VPNS, and its Ukrainian administrator, Dmytro Rashevskyi. Belarusian national Yegeniy Vladimirovich Silayev was sanctioned separately for selling "cryptors," tools designed to disguise ransomware and other malware as harmless software so security systems do not detect it.

Treasury officials say ransomware groups using services supplied by the sanctioned parties have caused billions of dollars in losses to US businesses and critical infrastructure providers. Victims connected to 1VPNS infrastructure included hospitals, municipal governments, financial services firms, and other companies.

First VPN had operated since 2014 and advertised on cybercrime forums that it didn't keep logs or cooperate with law enforcement.

Rashevskyi allegedly used the false identities Maksim Sorin and Roman Chabanenko to purchase infrastructure from companies that may otherwise have rejected him following complaints about illegal activity originating from 1VPNS servers.

The VPN did more than simply conceal users' real IP addresses. Investigators say ransomware operators used its infrastructure to obscure the origin of attacks, deploy malware, and manage stolen data.

Silayev, who is not connected to First VPN, allegedly provided encryption and obfuscation services that made malicious files harder to identify and disable.

The sanctions freeze any property or interests belonging to the designated parties that are held in the United States or controlled by US persons. Americans are also generally prohibited from conducting transactions with them, while companies owned at least 50% by sanctioned individuals are similarly blocked. The measures can also intended to inflict significant reputational damage and discourage organizations outside the US from doing business with those targeted.

The action follows the May dismantling of First VPN during an international operation involving European authorities and the FBI. As reported at the time, investigators took down 33 servers, closed surface-web and Tor domains, searched a residence in Ukraine, and identified people who had paid for access to the service.

The move also resembles the Treasury's 2024 action against the operators of the 911 S5 botnet. That network used supposedly free VPN apps to turn millions of Windows PCs into residential proxies, allowing criminals to mask their locations while committing fraud.