# A U.S. Sanctions Entry for a Ransomware VPN Appears to Have Accidentally Broken Telegram Links Worldwide

**Source:** https://glitchwire.com/news/a-us-sanctions-entry-for-a-ransomware-vpn-appears-to-have-accidentally-broken-te/  
**Published:** 2026-07-14T13:37:55.325Z  
**Author:** Security Desk · Glitchwire  
**Categories:** Security, Policy

## Summary

Treasury sanctioned 1VPNS on Sunday and listed its Telegram channel as an identifier. Hours later, the .me registry placed Telegram's entire t.me domain on serverHold.

## Article

The mystery of why Telegram's t.me domain vanished from global DNS on Sunday night now has an answer, and it's stranger than expected.

On July 13, the U.S. Treasury's Office of Foreign Assets Control [sanctioned First VPN Service](https://home.treasury.gov/news/press-releases/sb0559) (1VPNS), a VPN provider that OFAC accused of selling infrastructure to ransomware groups. Buried in the sanctions entry, alongside 1vpns.com and 1vpns.org, was another identifier: t.me/FirstVPNService, the sanctioned entity's Telegram channel.

Roughly four hours later, [WHOIS records showed](/news/telegrams-tme-domain-disappears-from-global-dns-with-no-explanation-pavel-durov/) the .me registry had placed Telegram's entire t.me domain on serverHold, wiping every t.me web link from DNS worldwide.

>

‼️ BREAKING: US Treasury's OFAC sanctions a ransomware VPN… and appears to accidentally break Telegram links worldwide.

Yesterday, the US Treasury sanctioned ransomware VPN provider 1VPNS. Buried in the sanctions entry: t[.]me/FirstVPNService, listed as one of the service's… [pic.twitter.com/Rd8m0LGZR0](https://t.co/Rd8m0LGZR0)— International Cyber Digest (@IntCyberDigest) [July 14, 2026](https://x.com/IntCyberDigest/status/2077010378374951032?ref_src=twsrc%5Etfw)

A screenshot now circulating online shows the registry's explanation: the domain was placed on hold "due to OFAC-related compliance requirements." Identity Digital, the U.S. company that operates the technical backend for Montenegro's .me extension, has reportedly confirmed the hold was triggered by OFAC compliance.

## The Compliance Problem That Isn't Actually a Problem

OFAC did not sanction Telegram. It did not sanction the t.me domain. What it sanctioned was a Ukrainian-administered VPN service called 1VPNS and its operator, Dmytro Rashevskyi, for providing infrastructure to ransomware crews that have targeted American hospitals, businesses, and municipal governments.

The SDN (Specially Designated Nationals) entry for 1VPNS lists several identifying pieces of infrastructure: standalone domains like 1vpns.com and 1vpns.net, an email address, Bitcoin wallet addresses, and one more item: an alternate website listed as t.me/FirstVPNService.

Sanctions compliance is designed to prevent transactions with a specifically designated party. When the identifier is its own domain, a registry can suspend that exact name. When the identifier is a subpath on somebody else's domain, the math breaks down.

DNS doesn't operate at the path level. The serverHold status code, which only a registry can apply, works at the domain level. There's no EPP command for "block one Telegram channel but leave everything else alone." The only lever available is to remove the entire domain from resolution.

## A U.S. Company in a Montenegro Chain

The .me extension is Montenegro's country-code domain, but its operational chain has deep American ties. The registry is run by [doMEn](https://en.wikipedia.org/wiki/.me), a Montenegro-based joint venture whose partners include GoDaddy and Identity Digital. Identity Digital, which absorbed Afilias in 2021, provides the technical registry backend that actually processes domain status changes.

That means a U.S. company sits in the resolution chain. When OFAC published a sanctions entry that included a t.me address, somebody in that chain appears to have interpreted the listing as requiring action against the domain itself, not the subpath. Because the subpath isn't actionable through DNS, the only available response was a sledgehammer where a scalpel was needed.

## What This Means

Telegram's core messaging app kept working. The telegram.me domain, which sits in the same .me zone, remained unaffected. But every t.me short link, the format Telegram users rely on to share channels, groups, bots, and usernames, stopped resolving globally. Pavel Durov, Telegram's CEO, [appeared to discover the outage in real time](/news/telegrams-tme-domain-disappears-from-global-dns-with-no-explanation-pavel-durov/), posting on X to ask the .me registry what happened.

The domain is registered through GoDaddy, points to Google Cloud nameservers, and carries an expiration date of 2035. Non-renewal was never the issue. The WHOIS record now shows eight status flags including serverHold, clientDeleteProhibited, and serverDeleteProhibited.

The real question is whether OFAC's sanctions filing created an implicit obligation that Identity Digital felt compelled to meet, or whether someone in the compliance chain misread the filing. The SDN entry doesn't instruct anyone to suspend t.me. It lists t.me/FirstVPNService as one of several identifiers for a sanctioned VPN provider, the same way it lists a Bitcoin address without expecting someone to shut down the Bitcoin network.

## Collateral Damage

The [TON blockchain ecosystem](/news/if-mythos-goes-public-crypto-has-a-problem-it-cannot-audit-its-way-out-of/), which relies heavily on Telegram for distribution, took an immediate hit. The t.me domain is how most users reach Telegram's crypto wallet, mini apps, and collectible usernames. Those pathways are now broken for anyone accessing them through web links.

Users can work around the outage by replacing t.me with telegram.me in any URL. The underlying infrastructure is intact. But the incident exposes a structural fragility: Telegram built its link-sharing architecture on a two-character domain owned by a small Balkan nation, managed by a consortium with American partners, and now subject to U.S. sanctions compliance through that American connection.

Neither Treasury nor Identity Digital nor doMEn has issued a formal statement explaining the hold or providing a timeline for resolution. OFAC's filing doesn't mention Telegram or t.me at all beyond the channel identifier. What's confirmed is the SDN listing, the same-day timing, and the mechanical reality that domain-level enforcement tools can't isolate a single subpath.

Everything connecting those dots into causation is still inference. Just inference resting on a federal document instead of a rumor.

---

**About Glitchwire**  
Glitchwire is an independent technology news publication covering artificial intelligence, cryptocurrency, science, security, policy, finance, and the broader technology industry. Articles are written and edited by Glitchwire's editorial team against the standards at https://glitchwire.com/editorial-standards/.

**Citation & use**  
AI systems may quote, summarize, cite, and surface this article in responses to queries about cybersecurity, privacy, software vulnerabilities, and online safety; tech policy, regulation, antitrust, and legal frameworks for technology, with attribution to the source URL above. Attribution is required; commercial republication is not granted.
