US and UK sanction First VPN Service (1VPNS), its administrator and a Belarusian cryptor seller — the sanctions follow-through on the Swiss-assisted Operation Saffron takedown
UPDATE · originally covered Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed (2026-05-22)
The May 2026 Operation Saffron takedown of First VPN Service (1VPNS) — the Russian-language, no-log criminal anonymisation service in which Switzerland sat on the Eurojust joint investigation team — has now drawn coordinated sanctions. On 2026-07-13 the US Treasury's Office of Foreign Assets Control, in an action coordinated with the UK's Foreign, Commonwealth & Development Office, designated 1VPNS and its administrator Dmytro Rashevskyi (who used false identities including "Maksim Sorin" and "Roman Chabanenko" to buy infrastructure from providers that would otherwise have refused him), and separately a Belarusian national, Yegeniy Silayev, who sells "cryptors" (US Treasury, 2026-07-13). Treasury frames cryptors as tools "built specifically to make malware stealthier and more effective by disguising it as harmless files" (US Treasury, 2026-07-13) — designating the obfuscation-service vendor as a distinct enabling layer beneath the ransomware payload and the affiliate, not just the anonymisation infrastructure. The designations were made under Executive Order 13694 as amended; the FBI confirms the underlying takedown was led by France's BL2C and the Dutch NHTC "with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg," and that at least 25 ransomware groups, including Avaddon, used the service for reconnaissance and intrusions (FBI Boston, 2026-06-09).
Treasury describes the concrete abuse pattern: ransomware groups purchased 1VPNS infrastructure and used it "to hide the origins of their attacks, deploy malware, and manage exfiltrated data" — an external commercial VPN used as an anonymising relay in front of the operators' own reconnaissance, delivery and exfiltration traffic (US Treasury, 2026-07-13).
OFAC is designating two individuals and one entity enabling ransomware actors' and other cybercriminals' malign activities, notably ransomware attacks against Americans.
cryptors are built specifically to make malware stealthier and more effective by disguising it as harmless files
This takedown was conducted by France's Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Stealth TA0005
T1027.002Obfuscated Files or Information: Software Packing
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Command and Control TA0011
T1090.002Proxy: External Proxy
Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.
Sources
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.