ProBackend
active vulnerability exploitation
1 hour ago4 min read

OFAC Sanctions Ransomware Enablers as AI Cybersecurity Threats Escalate

The Treasury Department's OFAC sanctioned First VPN Service (1VPNS), its Belarusian administrator Dmytro Rashevskyi, and cryptor seller Yegeniy Silayev for supplying infrastructure and malware-evasion tools that enabled ransomware attacks causing billions in losses to U.S. critical infrastructure — a direct response to the escalating artificial intelligence cybersecurity threats landscape.

OFAC Hits the Ransomware Supply Chain

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) just sanctioned two individuals and one entity for enabling ransomware attacks against American organizations. Not the attackers themselves — the people who made their operations possible.

First VPN Service (1VPNS), a virtual private network provider that sold services directly to ransomware groups, was designated alongside its administrator Dmytro Rashevskyi. Separately, Belarusian national Yegeniy Vladimirovich Silayev was sanctioned for selling cryptors — tools that help ransomware and other malware evade detection by security software.

Here's what makes this interesting: under these sanctions, all property of the designated individuals and entities within U.S. jurisdiction is blocked, while U.S. persons and businesses are barred from transactions involving them. The action was coordinated with the United Kingdom's Foreign, Commonwealth & Development Office.

It's a clear signal. The U.S. isn't just going after the hackers anymore — it's targeting the entire ecosystem that keeps them operational.

OFAC Hits the Ransomware Supply Chain

The VPN That Powered Billions in Ransomware

First VPN Service surfaced back in 2014, and from day one it was advertising on cybercriminal forums with a pretty bold pitch: no logs of user activity or identities, and absolutely no cooperation with law enforcement.

Rashevskyi, the operator behind it all, allegedly used false identities — "Maksim Sorin" and "Roman Chabanenko" among them — to acquire infrastructure from hosting companies that would have otherwise refused service due to abuse complaints. Clever, sure, but it also meant every server 1VPNS ran was essentially invisible to the providers hosting it.

The scope of damage is hard to overstate. Europol said 1VPNS's name surfaced in nearly every major cybercrime investigation it supported. Victims of ransomware attacks involving 1VPNS infrastructure included U.S. businesses, hospitals, financial services firms, and municipal governments.

State Department spokesperson Thomas Pigott put it bluntly: "These actors supplied ransomware groups with tools to hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to U.S. critical infrastructure providers."

Billions. That's not a rounding error.

The VPN That Powered Billions in Ransomware

Operation Saffron: How They Took It Down

The sanctions didn't come out of nowhere. European law enforcement took down 1VPNS's website and infrastructure in May as part of a joint action dubbed "Operation Saffron," led by French and Dutch authorities with support from the FBI's Boston Field Office.

The investigation actually began back in December 2021, when law enforcement officers infiltrated the VPN's infrastructure and collected its user database before dismantling anything. That patience paid off — throughout the joint operation, authorities seized 33 servers linked to 1VPNS across 27 countries, arrested Rashevskyi, and exposed thousands of users associated with ransomware, fraud, and other malicious activity worldwide.

The timing here matters. The takedown happened months before the sanctions announcement, which suggests this was a coordinated effort between law enforcement and financial regulators. Take down the infrastructure first, then hit them where it hurts — their assets.

It's also worth noting that on the same day as these sanctions, the European Union and United Kingdom jointly sanctioned dozens of Russian individuals and entities for coordinating a network of hacking groups linked to cyberattacks across Europe. The pressure is building on multiple fronts.

Cryptors: The Missing Piece of the Puzzle

Silayev's role in this ecosystem is arguably more insidious than 1VPNS's. Cryptors — sometimes called crypters — are tools that help ransomware and other malware evade detection by security software. Think of them as the equivalent of a disguise for malicious code.

Without cryptors, much of today's ransomware would get caught by endpoint detection and response (EDR) systems before it could do any real damage. With them, attackers can slip past defenses that would otherwise stop them cold.

Officials estimate that ransomware operations using both 1VPNS infrastructure and Silayev's cryptors have caused billions of dollars in losses to businesses and critical infrastructure providers across the United States. Two separate enablers, working in parallel, creating a one-stop shop for ransomware operators.

This is where the broader picture of artificial intelligence cybersecurity threats becomes relevant. As AI tools make it easier to write, test, and deploy malware at scale, the people who sell the supporting infrastructure — VPNs for anonymity, cryptors for evasion — become just as critical to target as the attackers themselves.

What This Means for the Broader Threat Landscape

The sanctions against 1VPNS, Rashevskyi, and Silayev represent a shift in how the U.S. approaches cybercrime enforcement. Instead of chasing individual threat actors across jurisdictions, OFAC is targeting the business model that makes ransomware sustainable.

It's also a recognition that the artificial intelligence cybersecurity threats landscape is evolving faster than traditional enforcement can keep up. AI-powered tools are lowering the barrier to entry for ransomware operations, making it easier than ever for criminal groups to launch attacks. The people selling the infrastructure and tools are the force multipliers.

For security teams, the takeaway is straightforward: the threat isn't going away. If anything, it's getting more sophisticated and more distributed. The sanctions are a step in the right direction, but they're not a silver bullet.

What's clear is that the ecosystem supporting ransomware — from VPN providers to cryptor sellers to the hackers themselves — operates as an interconnected network. Disrupting one node helps, but you need to keep applying pressure across the whole chain.

More blogs