ctipilot.ch
← Back to the live brief
NOTABLEupdateNATOA1incident

US and UK sanction First VPN Service (1VPNS), its administrator and a Belarusian cryptor seller — the sanctions follow-through on the Swiss-assisted Operation Saffron takedown

discovered 2026-07-14 04:45 UTCrun 2026-07-14T0409Z-intel3 sourcesmulti-source

UPDATE · originally covered Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed (2026-05-22)

The May 2026 Operation Saffron takedown of First VPN Service (1VPNS) — the Russian-language, no-log criminal anonymisation service in which Switzerland sat on the Eurojust joint investigation team — has now drawn coordinated sanctions. On 2026-07-13 the US Treasury's Office of Foreign Assets Control, in an action coordinated with the UK's Foreign, Commonwealth & Development Office, designated 1VPNS and its administrator Dmytro Rashevskyi (who used false identities including "Maksim Sorin" and "Roman Chabanenko" to buy infrastructure from providers that would otherwise have refused him), and separately a Belarusian national, Yegeniy Silayev, who sells "cryptors" (US Treasury, 2026-07-13). Treasury frames cryptors as tools "built specifically to make malware stealthier and more effective by disguising it as harmless files" (US Treasury, 2026-07-13) — designating the obfuscation-service vendor as a distinct enabling layer beneath the ransomware payload and the affiliate, not just the anonymisation infrastructure. The designations were made under Executive Order 13694 as amended; the FBI confirms the underlying takedown was led by France's BL2C and the Dutch NHTC "with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg," and that at least 25 ransomware groups, including Avaddon, used the service for reconnaissance and intrusions (FBI Boston, 2026-06-09).

Treasury describes the concrete abuse pattern: ransomware groups purchased 1VPNS infrastructure and used it "to hide the origins of their attacks, deploy malware, and manage exfiltrated data" — an external commercial VPN used as an anonymising relay in front of the operators' own reconnaissance, delivery and exfiltration traffic (US Treasury, 2026-07-13).

OFAC is designating two individuals and one entity enabling ransomware actors' and other cybercriminals' malign activities, notably ransomware attacks against Americans.

cryptors are built specifically to make malware stealthier and more effective by disguising it as harmless files

US Department of the Treasury (OFAC) 2026-07-13

This takedown was conducted by France's Direction Régionale de la Police Judiciaire Brigade de Lutte Contre la Cybercriminalité (BL2C), and the Dutch National Police, National High Tech Crime Unit (NHTC), with assistance from Ukraine, the United Kingdom, Switzerland, and Luxembourg.

FBI Boston Field Office 2026-06-09

ATT&CK mapping

2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Stealth TA0005
T1027.002Obfuscated Files or Information: Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.

overlap matrix · ATT&CK page ↗

Command and Control TA0011
T1090.002Proxy: External Proxy

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.