The U.S. Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on July 13, 2026, against VPN provider FirstVPN Service (1VPNS), its administrator Dmytro Rashevskyi, and Belarusian national Yevgeniy Vladimirovich Silayev. The action marks an escalation in crypto-related enforcement, targeting the tools and infrastructure that enable ransomware attacks rather than just the attackers themselves.
According to OFAC and blockchain analytics firm TRM Labs, FirstVPN openly marketed its service to cybercriminals since 2014, promising a no‑logs policy and non‑cooperation with law enforcement. Ransomware groups including Anubis, Qilin, and Sinobi utilized FirstVPN to obscure the origins of their attacks. Silayev separately supplied a “cryptor” designed to disguise malware as benign files, helping malicious code evade security systems.
The sanctions were issued under Executive Order 14390 (March 2026) and the standing cyber‑sanctions authority of E.O. 13694. The United Kingdom coordinated parallel designations the same day. The action follows a May 2026 takedown of FirstVPN’s infrastructure by European authorities with FBI support.
OFAC listed five cryptocurrency addresses tied to FirstVPN itself across Bitcoin, Ethereum, Litecoin, and Tron, all linked to the high‑risk exchange Cryptomus. Rashevskyi’s individual listing includes fifteen addresses spanning Bitcoin, Ethereum, Tron, Litecoin, Dogecoin, Dash, Zcash, and Solana, revealing a broad diversification across eight blockchains. Silayev’s listing carried no attached addresses but still designates him for supplying obfuscation tools.
TRM Labs traced direct payments from ransomware groups to FirstVPN: the Anubis group sent $715 (split across December 2025 and March 2026), Qilin sent $120 in January 2026, and Sinobi sent $58 in February 2026. While small compared to typical ransomware demands, these on‑chain transfers confirm operational reliance on the VPN provider.
The designations signal that crypto enforcement is moving “up the infrastructure stack.” Rather than just targeting wallets or exchanges, regulators are now going after the anonymizing layers that facilitate attacks. Compliance teams have been advised to screen the newly listed addresses, and the market is watching for any ripple effects on liquidity, security, and platform operations.