OFAC sanctions 1VPNS admin plus Belarusian cryptor seller
OFAC designated 1VPNS, its Ukrainian admin Rashevskyi, and Belarusian cryptor seller Silayev on July 14 — the follow-on to May's Operation Saffron seizure.
The U.S. Treasury’s Office of Foreign Assets Control designated First VPN Service (1VPNS), its 45-year-old Ukrainian administrator Dmytro Rashevskyi, and Belarusian national Yegeniy Vladimirovich Silayev on July 14, per Treasury press release sb0559. 1VPNS is the same service whose 33 servers were seized across 27 countries in May under Operation Saffron, the French- and Dutch-led action that the FBI Boston Field Office supported. Silayev was designated separately for selling cryptors that helped ransomware operators conceal malicious binaries as safe programs, per The Hacker News’ summary of the State Department statement. Neither the Treasury announcement nor the two reporting outlets named specific ransomware families among 1VPNS’s or Silayev’s customers.
What actually changes for you
Sanctions are not a patch. They do three specific things that matter for defenders, and it’s worth being honest about which of those apply to your environment.
- Payment and hosting rails narrow. U.S. persons and entities are now prohibited from transacting with the designated parties, and secondary sanctions exposure applies to non-U.S. infrastructure providers who keep serving them. If your organization has ever paid a ransom routed anywhere near this ecosystem, the compliance question just got sharper — talk to counsel, not to me.
- The cryptor market lost a named seller. Silayev is now attribution-tagged. That doesn’t remove already-shipped cryptor builds from circulation, but it does raise the cost of new supply and gives detection engineering something concrete to hang IOCs on when Treasury or the FBI publish them. Watch for a follow-up cyber advisory; the sb0559 pattern usually gets one.
- 1VPNS is not “back up” in any operational sense. Its infrastructure was seized in May and its admin is now sanctioned. If your SOC is still logging 1VPNS-associated IP ranges in fresh incidents, that’s either stale infrastructure someone else is squatting on or a copy-cat rebrand — either way, worth verifying before you treat the hit as the same threat model.
The honest timeline
The takedown was May. The sanctions are July. Between those two dates, defenders got roughly two months of quieter 1VPNS-linked traffic and no formal attribution to hang detections on. That gap is normal — Treasury designations follow the evidence pack, not the news cycle — but it’s a reminder that “the servers are gone” and “the operators are burned” happen on different clocks, and only the second one shifts the risk calculus for organizations that were seeing this in incidents.
Priority call
If you handle ransomware IR or maintain a sanctions-screening posture, pull the OFAC SDN List update today, add Rashevskyi and Silayev to your screening data, and re-check any historical incident tickets that touched 1VPNS infrastructure for payment-flow implications. If you’re a general defender with no direct exposure, this one’s a note-to-file: another named node in the ransomware-enabling stack, another data point that the cryptor-as-a-service model is worth treating as its own threat category rather than folding into “the ransomware gang.” Neither one is patch work. Both are worth ten minutes to log properly.
Found this useful? Share it.


