USA

OFAC Sanctions Possibly Took Down Telegram's t.me

OFAC Sanctions Possibly Took Down Telegram's t.me

The US Treasury's Office of Foreign Assets Control (OFAC) on July 13, 2026 designated First VPN Service, also known as 1VPNS, a VPN provider based in Dnipro, Ukraine that Treasury says sells anonymization services primarily to ransomware groups and other cybercriminals. OFAC also designated the service's administrator, Dmytro Rashevskyi, and separately sanctioned Yevgeniy Vladimirovich Silayev, a Belarusian national accused of selling "cryptors," tools that disguise malware so security products fail to detect it.

According to the Treasury press release, ransomware groups using these services have caused billions of dollars in losses to US businesses and critical infrastructure providers. Treasury says 1VPNS has advertised on cybercrime forums since 2014, telling customers it keeps no logs and refuses to cooperate with law enforcement. Rashevskyi allegedly used false identities, including "Maksim Sorin" and "Roman Chabanenko," to buy infrastructure from companies that would otherwise have refused his business over abuse complaints.

The designations follow a May 2026 operation in which European law enforcement, supported by the FBI's Boston Field Office, dismantled 1VPNS's website and infrastructure. The action was coordinated with the United Kingdom's Foreign, Commonwealth and Development Office, which announced its own sanctions against cybercriminals the same day. Blockchain analytics firm TRM Labs said it has traced direct on-chain payments to the service from the Anubis ransomware group.

Then the strange part. The Specially Designated Nationals (SDN) entry for First VPN Service lists five websites: 1vpns.com, 1vpns.net, 1vpns.org, 1jabber.com, and t.me/FirstVPNService, the service's Telegram channel.

At 19:24 UTC the same day, roughly four hours after the announcement, WHOIS records show the .me registry placed the entire t.me domain on serverHold. That status, which only a registry can apply, removes a domain from global DNS entirely. Every t.me link stopped resolving in browsers worldwide. Telegram's apps continued working, and the parallel telegram.me domain, which sits in the same .me zone, still resolves, indicating the action targeted the t.me registration specifically. The domain is registered through GoDaddy with an expiry in 2035, ruling out non-renewal.

Telegram founder Pavel Durov publicly asked the registry to look into the outage, tagging its account on X. As of publication, that post is the company's only visible response.

Whether the sanctions entry triggered the hold is not confirmed. Reports circulating on social media attribute the suspension to OFAC-related compliance requirements, but neither doMEn, the Montenegro-based operator of the .me registry, nor its backend provider Identity Digital, nor Treasury has issued a statement. One point is worth stating plainly: OFAC did not sanction Telegram or the t.me domain. An SDN entry identifies a designated party's known web presence. It does not designate the domains that host those pages.

Compliance

If the hold was a compliance response to the sanctions listing, a single URL in an OFAC entry effectively severed the web link infrastructure of a platform with roughly a billion users. Registries sit above registrars and hosting providers in the DNS hierarchy, and the .me zone also serves short-link domains for PayPal, WordPress, and Meta's apps. A registry that can silently drop a major platform's domain over a compliance concern, or an error, is a single point of failure that most companies running services on country-code domains have not priced in.

The sanctions themselves also mark a continuing shift in strategy. Treasury is targeting the enabling layer of the ransomware economy, the VPNs and cryptors that operations depend on, rather than individual crews. The FBI has released an advisory describing 1VPNS tactics to help defenders detect related activity.



International Cyber Digest

Get the ICD Newsletter

Subscribe for source-forward cyber news, OSINT notes, breach updates, and analysis. Have evidence or a lead? Send it to ICD.

Subscribe Send a tip