Telegram's widely used t.me shortlinks experienced a complete outage lasting roughly one day after the .ME domain registry suspended the domain in response to US sanctions targeting a VPN service popular with cybercriminals. The disruption began on July 13, 2025, immediately after the US Office of Foreign Assets Control (OFAC) designated First VPN Service (1VPNS) as a sanctioned entity for providing services to ransomware operators and other threat actors. Service was restored on July 14 once Telegram verified it had removed all connections to the sanctioned VPN provider.
The .ME registry, operated by Domain.Me, took the enforcement action because a Telegram channel associated with 1VPNS was identified as part of the sanctioned infrastructure. While the registry did not specify which channel triggered the suspension, 1VPNS operated its own Telegram account with a t.me link that appeared in OFAC's sanction announcement. The registry stated it works closely with law enforcement to monitor the .ME domain space and comply with applicable laws, including sanctions requirements. Telegram founder Pavel Durov publicly requested the registry investigate the outage, leading to the swift resolution.
1VPNS had been a significant enabler of cybercriminal activity since approximately 2014, according to US and European authorities. The service was advertised almost exclusively on criminal dark web forums and provided anonymity for at least 25 ransomware groups, including Avaddon, for network reconnaissance and intrusions. European law enforcement agencies took the service's infrastructure offline in May 2025 during a France and Netherlands-led operation. Beyond ransomware, the FBI stated 1VPNS facilitated scams, botnet traffic, denial-of-service attacks, and scanning operations.
The July 13 OFAC designation targeted both 1VPNS and its Ukraine-based administrator, Dmytro Rashevskyi, located in Dnipro. The same announcement sanctioned Yevgeniy Vladimirovich Silayev for selling cryptors, which are tools designed to disguise malware and help it evade security software detection. Treasury officials stated that ransomware groups using these services have caused billions of dollars in losses to US businesses and critical infrastructure providers. Europol's European Cybercrime Centre emphasized that the takedown removed a critical layer of protection criminals depended on to operate and evade law enforcement.
Organizations should review their communication channels and verify that no sanctioned entities or infrastructure are associated with their domains or services. The incident demonstrates how sanctions enforcement can have broad collateral effects on legitimate users when sanctioned parties use popular platforms. Security teams should maintain awareness of OFAC designations affecting technology services and ensure compliance processes can quickly identify and remove connections to sanctioned entities to avoid similar disruptions.
Source: https://www.theregister.com/security/2026/07/16/telegram-shortlinks-knocked-offline-over-sanctioned-vpn-connection/5271964


