On July 13, 2026, the U.S. Department of the Treasury added Ukrainian citizen Dmytro Rashevskyi and the VPN service First VPN Service (1VPNS) under his control to the SDN sanctions list. In parallel, Belarusian citizen Yevhenii Silaiev, a seller of so-called "cryptors"—programs that disguise malware as legitimate software and hide it from antivirus detection—was also sanctioned.
Twelve years in the shadows
According to OFAC, since 2014, First VPN has sold anonymization infrastructure to extortionists, fraudsters, and criminals who attacked American companies, hospitals, and local government agencies. The service was advertised on Russian-language criminal forums—Exploit.in and XSS.is—as a tool that "does not cooperate with any judicial authorities, does not store data, and is not subject to any jurisdiction." This promise made it popular among at least 25 ransomware groups.
Rashevskyi operated under several aliases—"JOBBERJOBBER777," "RASHDV7," "Johny Walker," and others. OFAC also added his cryptocurrency wallets in Bitcoin and Ethereum to the sanctions list, allowing authorities to track and block further movement of funds.
Operation Saffron: what happened before sanctions
The sanctions are a continuation, not a beginning. In May 2026, French and Dutch law enforcement officers, with the support of Europol and Eurojust, conducted Operation Saffron: on May 19–20, 33 servers were seized, domains were removed (1vpns.com, 1vpns.net, 1vpns.org and their .onion versions), searches were conducted in Ukraine, and the service's administrator was questioned.
"First VPN became deeply rooted in the cybercriminal ecosystem and featured in almost every major investigation that Europol supported."
— Europol, press release from May 21, 2026
Investigators obtained access to the service's user database—and 506 of them have already been identified thanks to data provided by Romanian company Bitdefender.
How much money flowed through the service
Analytics company TRM Labs, which tracked First VPN's blockchain activity before sanctions, established direct payments from ransomware groups. Specifically, the Anubis ransomware group transferred $715 to the service in December 2025 and March 2026. The amount is small—but it confirms a transactional link between the VPN operator and specific criminal groups, which is critical for prosecution.
OFAC notes: groups that used Rashevskyi's and Silaiev's services caused American businesses and critical infrastructure billions of dollars in losses. Attacks affected hospitals—meaning it is not just about corporate financial losses, but also risks to patients.
Why this matters for cybercrime economics
This case demonstrates a shift in sanctions logic: for the first time, OFAC is broadly striking not at attack perpetrators, but at infrastructure providers—those who sell anonymity as a service. According to Bitdefender, each such takedown increases operational costs for the next service:
"New anonymization services will appear. But each such takedown shortens the operational window for the next one and raises the barrier for those accustomed to ready-made solutions."
— Bitdefender, comment on Operation Saffron
- Asset freezing—any U.S. or U.S.-connected assets of Rashevskyi are blocked
- Transaction bans—American individuals and companies cannot conduct any business with him
- Cascading effect—clients of 1VPNS whose data is already with investigators have been notified: their identities have been established
In parallel, criminal proceedings are underway: Rashevskyi was already questioned in May, and cryptocurrency addresses on the sanctions list allow investigators to continue tracking fund movements even after the service's takedown.
If American prosecutors succeed in obtaining extradition or securing a conviction in absentia, the case will set a precedent for prosecuting suppliers of "criminal infrastructure as a service"—a category that previously existed in a legal gray zone.