The U.S. Treasury Department on Monday sanctioned First VPN Service, a virtual private network provider it says helped ransomware crews conceal their activity while attacking American hospitals, schools, municipalities and companies.
Treasury also sanctioned Dmytro Rashevskyi, a Ukrainian administrator for the service, and Yegeniy Vladimirovich Silayev, a Belarusian national accused of selling malware-obfuscation tools known as cryptors. Treasury said Silayev is not connected to First VPN Service.
The move cuts U.S. people and companies off from doing business with the designated parties. Sanctions also tend to poison commercial relationships outside the strict legal line, because banks, hosting companies and other vendors often decide the compliance risk is not worth the invoice.
What Treasury says First VPN did
According to Treasury, First VPN Service, also known as 1VPNS, gave ransomware groups infrastructure they could use to hide who they were, make malicious software look less suspicious and avoid detection. Treasury said those attacks caused billions of dollars in losses to U.S. critical infrastructure providers.
A VPN encrypts a user’s internet traffic and routes it through another server. Plenty of people use VPNs for ordinary privacy and security reasons. The same mechanism can also help criminals make traffic appear to originate somewhere else, frustrate abuse reports and keep investigators from tying activity back to a real person.
Treasury said Rashevskyi used false identities to purchase infrastructure from companies that might have rejected him because internet service providers had complained about illegal activity coming from First VPN servers. The department said Rashevskyi promoted the service as low-risk because it did not keep logs of customer identities or activity and because it refused to assist law enforcement investigations into illegal conduct traced to rented servers.
The Treasury notice did not name the ransomware groups alleged to have used First VPN Service. It said many such groups bought internet infrastructure from the service.
Earlier takedown and dark web marketing
The sanctions follow a May operation in which European law enforcement agencies and the FBI dismantled First VPN Service. Authorities said then that cybercriminals had used the service to conceal fraud, ransomware attacks and other illegal activity.
First VPN Service has operated since 2014, according to Treasury. The department said the service had been promoted on Russian cybercrime forums and dark web forums, including advertising aimed at botnet operators and scammers who wanted anonymity.
The separate designation of Silayev targets another layer of the ransomware supply chain. Treasury accused him of selling cryptors, tools or techniques that make malware harder for security products to recognize by disguising it as harmless files. In practice, that kind of service can help a criminal payload reach a victim’s machine before antivirus tools or network scanners flag it.
Treasury framed the action as part of a broader effort to hit the businesses and toolmakers that support ransomware crews, rather than only the people who deploy the ransomware. The theory is practical: if a provider supplies infrastructure to many gangs, disrupting that provider can create problems across several operations at once.
This story draws on original reporting from The Record.