US Sanctions First VPN Service and Cryptor Vendor Malware Over Ransomware Support

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has singled out two individuals and a VPN service provider for allowing malicious acts by ransomware actors and other cybercriminals, including ransomware attacks on Americans.
A VPN, called The first VPN service (1VPNS), is accused of providing his tools to ransomware groups, and its 45-year-old Ukrainian director, Dmytro Rashevskyi. The department also charged Yegeniy Vladimirovich Silayev, of Belarusian origin, with selling cryptos to help hide ransomware and other malware as safe programs to avoid detection by security tools.
The first VPN was dismantled in May 2026 as part of joint law enforcement by European and North American authorities for helping criminal actors to hide the origin of ransomware attacks, data theft, scanning, and denial of service attacks. The service has been operating since 2014, advertising that it does not keep logs of user identities or activities or cooperate with law enforcement to deal with illegal activity from servers it rents to customers.
According to the Treasury, several ransomware groups allegedly bought First VPN to attack US companies and institutions and hide their true origins, release malware, and control classified data. Victims of ransomware attacks involving VPN infrastructure included US businesses, financial services companies, hospitals and municipal governments.
Ransomware groups using services provided by targeted groups are suspected of causing billions of dollars in losses to American businesses and critical infrastructure providers, US officials said.
“Rashevskyi used false names, including ‘Maksim Sorin’ and ‘Roman Chabanenko,’ to purchase infrastructure from companies that may have refused to do business with him due to complaints of harassment from Internet service providers regarding illegal activity from 1VPNS servers,” the department said.
UK and EU Impose Sanctions on Russian People and Businesses
The revelations coincide with UK and EU sanctions against Russian cybersecurity networks “for their persistent and increasingly reckless efforts to sow chaos and disunity across Europe.” The sanctions target 24 individuals and businesses that create harmful cyber and hybrid activities, including operators involved in proxy networks linked to the Russian Intelligence Services (RIS).
This includes senior members of the leadership of Russia’s Main Intelligence Directorate (GRU) Vyacheslav Stafeyev, Ivan Senin, and Ivan Kasyanenko for their role in directing GRU cyber and hybrid threat operations. In parallel, Center 16 of the Federal Security Service (FSB) is said to have been responsible for the disturbing activities to destroy the Polish power grid late last year.
“The GRU Unit 29155 cyber division worked with cyber criminals, including the company IMPULS, to recruit hackers and computer experts from universities and higher education institutions in Russia,” the UK government said.
Penalties are also directed at the people behind Lumma Stealer so that hackers can collect sensitive information from compromised machines at scale. Russia is said to have used the hacker’s stolen information to conduct cyber espionage operations against global targets in support of the Kremlin’s goals.
“Cyber criminals , so-called hacktivists and private companies linked to Russia, including actors working under its orders, direction or control, have also committed, allowed and facilitated a number of malicious acts,” the EU said.
“We strongly condemn Russia’s behavior and abuse of this cyber ecosystem, targeting public services and critical infrastructure, causing disruptions and financial losses. By calling out Russia’s brutal behavior and imposing costs on those responsible for such activities, the EU underlines its determination to support accountability in the cyberspace.”
Russian State-Sponsored Targeting Following Routers
The sanctions also come in the wake of a new advisory issued by the US Federal Bureau of Investigation (FBI) regarding the exploitation by cyber actors of the FSB Center 16 of poorly configured and vulnerable network devices around the world to forcefully enter the sector’s networks of many critical infrastructures.
“Russian FSB Center 16 cyber actors mainly use scanning to identify poorly configured communication services, especially routers, for exploitation,” the agency said. “Players scan the Internet’s IP range with Simple Network Management Protocol (SNMP) active agents that accept common or default public strings for authentication.”

These scanners, used by proxies, include SNMP Set-Requests from a malicious IP address containing Object Identifiers (OIDs) that instruct the SNMP agent on misconfigured network devices to copy their configuration to a file and forward it to an attacker-controlled private server (VPS) or compromised FTP server.
The work also includes exploiting common vulnerabilities and exposures (CVEs) in Cisco devices, such as CVE-2018-0171 and CVE-2008-4128, as a means of detecting and exploiting poorly configured communication devices. The Cybersecurity and Infrastructure Security Agency (CISA) of the US has since added CVE-2008-4128 to its catalog known as Known Exploited Vulnerabilities (KEV), requiring the federal agency to implement fixes by July 16, 2026.



