US Sanctions First VPN Service Used by Ransomware Gangs

US sanctions VPN used by ransomware groups

The US government has sanctioned First VPN Service (1VPNS), a VPN platform extensively used by ransomware groups. This move follows a major law enforcement operation dismantling 1VPNS infrastructure. Organisations must understand how this service enabled attacks, which indicators to monitor, and the implications for compliance.

Sanctions Announced Against First VPN Service and Its Operators

On 13 July 2026, the United States Treasury and State Departments announced sanctions targeting First VPN Service (1VPNS) and its two alleged administrators, Dmytro Rashevskyi and Yegeniy Vladimirovich Silayev. The action, coordinated with the UK government, aims to freeze assets and disrupt activities of the VPN service accused of abetting ransomware operators. According to officials, 1VPNS helped cybercriminals mask their activities, disguise malware, and evade detection, facilitating attacks on American municipalities, hospitals, schools, and businesses, with damages estimated in the billions.

  • Sanctions apply to all 1VPNS infrastructure and the named individuals.
  • US entities are prohibited from engaging in transactions with 1VPNS or its operators.
  • The UK imposed equivalent sanctions in a joint action.

This follows a long-running investigation into 1VPNS’s role in high-impact ransomware campaigns targeting critical sectors worldwide.

Timeline: From Law Enforcement Takedown to Sanctions

The takedown of 1VPNS was the result of a coordinated international effort:

  • 19–20 May 2026: Operation Saffron, led by Europol and Eurojust with FBI support, dismantles 1VPNS’s infrastructure. Authorities seize 33 VPN servers across 27 countries and take down its main domains. The alleged administrator is arrested during the operation.
  • 22 May 2026: Europol publicly announces the successful disruption of 1VPNS. Investigators gain access to the VPN’s user database, revealing at least 25 ransomware groups had used the service, including the notorious Avaddon gang.
  • 29 May 2026: The FBI’s Internet Crime Complaint Center (IC3) issues a detailed report on 1VPNS’s role in cybercrime, confirming its use in ransomware attacks, fraud, botnets, and network scanning schemes.
  • 13 July 2026: The US and UK formally announce sanctions against 1VPNS and its operators, prohibiting transactions and freezing assets related to the service.

This timeline demonstrates the extensive and coordinated nature of the response to 1VPNS’s enabling of criminal activity.

How 1VPNS Facilitated Ransomware and Cybercrime

First VPN Service was a so-called “bulletproof” VPN provider, openly advertised on cybercrime forums as a no-logs, privacy-focused service for hackers. It operated a network of 32–33 servers in 27 countries, supporting popular VPN protocols such as OpenVPN, WireGuard, Outline (Shadowsocks/V2Ray), VLESS/Reality, L2TP/IPSec, and PPTP. This wide protocol support allowed attackers to blend their traffic with legitimate VPN use.

Ransomware operators and other threat actors used 1VPNS to:

  • Conceal their true IP addresses during attacks, making attribution and blocking more difficult.
  • Bypass geofencing controls by appearing to operate from benign international exit nodes.
  • Conduct network reconnaissance, vulnerability scanning, and initial access operations behind anonymised infrastructure.
  • Operate and control botnets, launder malicious traffic, and facilitate fraud schemes with minimal risk of exposure.

The service’s popularity among cybercriminals was due to its strong privacy promises and lack of user activity logs. Law enforcement later revealed that, despite these claims, they were able to seize the user database and identify hundreds of criminal clients after the infrastructure takedown.

Indicators of Compromise and Technical Artefacts

Unlike a typical software vulnerability, the threat here was the abuse of a service. Key indicators linked to 1VPNS include:

  • Domains: 1vpns[.]com, 1vpns[.]net, 1vpns[.]org (now showing law enforcement seizure notices)
  • IP addresses: 33 server exit nodes used globally by 1VPNS (exact IPs available through law enforcement channels or threat intelligence feeds)
  • Network artefacts: Unusual VPN client connections to these IPs, especially using protocols like OpenVPN or WireGuard outside of normal business operations

There are no malware file hashes, as 1VPNS itself was not a malware distributor. However, network logs revealing traffic to these domains or exit nodes are strong evidence of possible criminal activity or attacker staging in the past.

Current Exploitation Status and Ongoing Risks

Before its May 2026 shutdown, 1VPNS was actively used by at least 25 ransomware groups, including major ransomware-as-a-service affiliates. The Avaddon gang and other actors targeting critical infrastructure were among its users. The service enabled both ransomware deployment and associated criminal activities, such as botnet management and fraudulent schemes.

Since Operation Saffron, 1VPNS has been offline and cannot currently be used by threat actors. However, the broader risk persists, as other “bulletproof” VPN or hosting services may fill the gap left by 1VPNS. Law enforcement is analysing seized user data and feeding intelligence into ongoing investigations, but organisations should remain alert for similar abuse of anonymising infrastructure.

Why This Event Matters for Organisations

The US and UK sanctions against 1VPNS mark a significant disruption of a key enabler for ransomware groups. For organisations, especially those with US or UK ties, this event has important compliance and security implications. Any historical use of 1VPNS infrastructure within your network may indicate previous compromise attempts or malicious activity. US-linked entities must also avoid any transactions with sanctioned parties.

Actions for UK and US-Linked Organisations

  • Review network logs for any connections to the known 1VPNS domains or server IPs.
  • Watch for follow-on advisories and updated indicators of compromise from law enforcement or threat intelligence providers.
  • Block any known 1VPNS infrastructure in firewall and endpoint controls.
  • Assess your sanctions compliance requirements when responding to ransomware incidents, especially if US connections exist.

Timely detection of past 1VPNS activity can aid in investigating potential breaches and supporting ongoing law enforcement efforts.

Originally reported by databreaches.net.

Share this bulletin

About the Author

Headshot of Jonny Pelter, leading cyber security expert in the UK and CISO

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny Pelter

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

View Profile
Back to Bulletins

Related CyPro Services

  • Managed Detection and Response (MDR)

    Managed Detection and Response (MDR) is an end-to-end managed service designed to help organisations detect, analyse and respond to cyber threats quickly and effectively. It...
    View Service
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call