US Sanctions Disrupt 1VPNS Service and Trigger Telegram Domain Outage
The United States has imposed stringent sanctions against the 1VPNS service and two affiliated individuals. According to American authorities, this illicit network facilitated the obfuscation of ransomware campaigns, cloaked malicious software, and actively aided cybercriminals in exfiltrating sensitive data from corporations, healthcare facilities, and municipal agencies.
OFAC Targets Key Administrators
The Department of the Treasury Office of Foreign Assets Control (OFAC) designated Dmitry Rashevsky, the administrator of 1VPNS, and Evgeny Silaev, a purveyor of malware-cloaking tools, to its sanctions list in their recent actions on July 13, 2026. Federal authorities assert that their specialized services were eagerly utilized by prolific ransomware syndicates, inflicting billions of dollars in collateral damage upon commercial enterprises and critical infrastructure operators alike.
Specifically, 1VPNS provisioned virtual private servers and virtual private networks to nefarious actors. This resilient infrastructure enabled operators to conceal the origin of their operations, propagate malware, and seamlessly orchestrate the theft of corporate assets. Consequently, the casualties spanned US enterprises, financial institutions, medical centers, and municipal entities.
A Decade of Underground Operations
Since at least 2014, the illicit service aggressively advertised its offerings across underground cybercrime forums. In its promotional literature, 1VPNS boldly proclaimed a strict zero-logs policy, promising absolute non-cooperation with law enforcement agencies attempting to investigate malicious activities tracing back to their leased servers.
Treasury reports reveal that Rashevsky adopted various pseudonyms, including “Maksim Sorin” and “Roman Chabanenko,” to acquire upstream infrastructure from legitimate hosting providers. This deceptive strategy allowed the enterprise to circumvent blacklists and rejections from upstream providers receiving abuse complaints regarding 1VPNS’s rogue servers.
Concurrently, authorities allege Silaev catered to ransomware operators by selling sophisticated malware crypters. These obfuscation tools alter the structural appearance of binary files to evade endpoint detection systems, effectively dressing highly destructive payloads in the guise of benign applications.
Collateral Damage: The Telegram Domain Suspension
In its public designation, the Treasury detailed various digital identifiers belonging to 1VPNS, notably highlighting the service’s promotional Telegram channel. This particular address utilized the t.me short domain, a ubiquitous gateway used to redirect traffic to Telegram channels, public groups, and individual user profiles.
Intriguingly, the core t.me domain unexpectedly suffered a total resolution outage on the very same day after being designated with a “serverHold” status. This specific registry-level suspension removes the domain from the global Domain Name System (DNS) root zone, rendering all associated links instantly inoperable.
Telegram founder Pavel Durov promptly contacted Domain .ME, the sovereign registry operator for Montenegro’s country-code top-level domain, demanding an urgent clarification for this sudden and disruptive suspension.
OFAC Compliance and Domain Restoration
Observers quickly hypothesized that the registrar’s compliance algorithms may have overreached due to the sanctions manifest. The document cited a specific 1VPNS Telegram channel address. Consequently, compliance agents apparently noticed the parent t.me domain within the OFAC registry and suspended the entire domain wholesale, rather than merely targeting the rogue channel.
Within a few hours, Domain .ME officially responded to Pavel Durov’s inquiry. The registry expressed gratitude for his patience and clarified that while the restriction was initially implemented to satisfy OFAC compliance mandates, the core domain was subsequently restored to full operational status.
International Coordination and Asset Freezes
These unilateral US measures were closely coordinated with the United Kingdom Foreign, Commonwealth & Development Office (FCDO). This follows a collaborative European law enforcement campaign in May 2026, which successfully seized the primary 1VPNS portal and dismantled parts of its underlying server network.
As a result of these designations, all assets belonging to the named individuals within US jurisdiction or under the control of US persons have been blocked. These far-reaching restrictions also encompass any corporate entities in which the sanctioned parties hold a direct or indirect ownership stake of 50 percent or more, with potential civil or criminal penalties awaiting anyone who engages in transactions with them.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.