On July 13, the U.S. Treasury Department did something it had never done before: it formally sanctioned a VPN service for enabling cybercrime. Within hours, Telegram's t.me short-link domain went dark for roughly a billion users. The two events weren't supposed to be connected — but they were, and untangling how a ransomware crackdown took down a messaging app's links shows just how tangled modern internet infrastructure really is.
What the Treasury Actually Sanctioned
The Office of Foreign Assets Control designated three parties tied to a ransomware support network: First VPN Service (1VPNS), its 45-year-old administrator Dmytro Rashevskyi, and Yegeniy Vladimirovich Silayev, a Belarusian seller of malware tools. The designation came under Executive Order 13694, as amended, which covers parties who materially assist cyber-enabled activity aimed at U.S. persons.
The State Department framed the action around a simple idea: ransomware crews don't work alone. They lean on outside vendors who supply anonymity tools, disguise malicious software so it slips past security systems, and help operators stay hidden while they hit hospitals, schools, businesses, and local governments — attacks Treasury says have cost U.S. critical infrastructure providers billions.
Treasury's own allegations get more specific. Rashevskyi allegedly built out 1VPNS's infrastructure using false identities. Silayev's role was selling cryptors — tools built specifically to dress ransomware up as legitimate software so it can walk past antivirus and endpoint detection systems unnoticed. The action was coordinated with the United Kingdom, and every asset the designated parties hold inside the U.S., or that touches U.S. persons, is now frozen.
The Blockchain Trail Connecting Payments to Ransomware Gangs
None of this was guesswork. According to TRM Labs, blockchain analysis traced payments from several active ransomware operations — Anubis, Qilin, and Sinobi Group — directly back to FirstVPN. That kind of on-chain tracing is increasingly how investigators build the paper trail linking anonymized service providers to the criminal groups actually pulling off the attacks.
The Takedown That Came Before the Sanctions: Operation Saffron
The July 13 designation wasn't the opening move. It followed Operation Saffron, a law enforcement action led by France and the Netherlands, backed by Europol, Eurojust, and the FBI. Between May 19 and 20, that operation dismantled 1VPNS on the ground — arresting a suspected administrator and seizing 33 servers. The sanctions announced weeks later were, in effect, the financial follow-through on a network that had already been physically broken apart.
How This Set Off a Global Telegram Outage
Here's where the story takes an unexpected turn. Hours after the sanctions went public, Telegram's t.me domain stopped resolving — everywhere, all at once. The domain sits under .me, a Montenegrin country-code top-level domain that happens to be administered by American companies. Those administrators placed t.me under "serverHold" status, which effectively yanked it out of the global DNS system.
The practical fallout was immediate. Every invite link, group link, channel link, and bot link that ran through t.me stopped working. That's the backbone of how people actually join and share things on Telegram, and it affected close to a billion users. The core app kept running — people could still message each other — but the connective tissue that lets links do their job was gone.
The registry operator confirmed the suspension was tied to OFAC compliance obligations, not a technical failure. TechCrunch reported the domain came back online on July 14, after roughly a day offline.
What's still murky is the actual chain of cause and effect. Nothing in the sanctions language explicitly names Telegram or t.me. Some observers have pointed out that the sanctioned entities may have used t.me links somewhere in their own operations, which could explain why a compliance action aimed at a VPN provider ended up sweeping in a domain used by an entirely unrelated billion-user platform. But the precise mechanism connecting an anti-ransomware designation to a messaging app's short-link system hasn't been spelled out.
Why Treasury Is Going After Infrastructure, Not Just Hackers
Step back, and this action fits a pattern that's been building for a while. Rather than chasing individual ransomware gangs one at a time, Treasury is increasingly targeting the vendors and infrastructure providers that make those gangs functional — the VPNs, the cryptors, the anonymization layer underneath the attacks. The logic is straightforward: take out the tools that let operators hide, and you make every future attack harder to pull off cleanly, even if the criminal groups themselves haven't been arrested yet.
It's a strategy built around disruption rather than just punishment — and the Telegram outage, however unintentional, is a reminder of how deeply that infrastructure is woven into services most people never think twice about.

