The US Treasury's Office of Foreign Assets Control struck hard at the ransomware ecosystem on July 13, 2026, designating First VPN Service (1VPNS) and its administrator Dmytro Rashevskyi. The action also targeted Yevgeniy Vladimirovich Silayev, accused of selling cryptors to hide malware. But the ripple effect was unexpected: hours later, the .me registry placed the t.me domain on serverHold, making all Telegram web links unreachable globally. App users experienced no disruption, but the web version of the popular messaging service remained offline for hours, raising questions about DNS infrastructure fragility.
The OFAC Designation and the Telegram Connection
According to the Treasury press release, 1VPNS operated from Dnipro, Ukraine, providing VPN services to ransomware groups, causing billions of dollars in losses. The provider advertised no-logs and refusal to cooperate with law enforcement. The SDN (Specially Designated Nationals) entry listed the Telegram channel t.me/FirstVPNService among known websites. Shortly after, the .me registry disabled the entire t.me domain, likely for sanctions compliance. However, OFAC did not sanction Telegram or the t.me domain itself, only the channel's presence. The move highlighted a single point of failure: a registry can directly affect the availability of platforms with billions of users.
Sponsored Protocol
The Role of the .me Registry and Global Consequences
The t.me domain is registered through GoDaddy with an expiry in 2035, ruling out non-renewal. The .me registry, operated by Montenegro-based doMEn, applied the serverHold status, which removes the domain from global DNS. Telegram founder Pavel Durov publicly asked for clarification, but neither doMEn nor backend provider Identity Digital issued a statement. This incident shows how a single URL in a sanctions list can disrupt web services of a platform used by roughly one billion people. Companies relying on country-code domains like .me must reassess concentration risks.
Sponsored Protocol
Sanctions Targeting the Ransomware Ecosystem
The sanctions mark a strategic shift: Treasury is hitting not only criminal groups but the entire enabling layer, including VPNs and cryptors. The FBI released an advisory to help defenders detect 1VPNS-related activity. Blockchain analytics firm TRM Labs traced on-chain payments from the Anubis ransomware group to 1VPNS, confirming the service's key role. This action, coordinated with European law enforcement and the UK, demonstrates growing international focus on cybercrime infrastructure. For insights into risks associated with sensitive digital services, see the article on Satya Nadella warning companies about proprietary AI models.
Sponsored Protocol
The incident raises crucial questions about DNS resilience. A compliance error or automated procedure may have caused the block, but the fact remains that a single registry can isolate an entire platform. For further details, refer to the original analysis on International Cyber Digest.
Source: https://www.internationalcyberdigest.com/ofac-sanctions-possibly-took-down-telegrams-t-me