t.me shortlinks went down 1 day after OFAC sanctioned 1VPN Service
Telegram link routing briefly broke because a sanctioned VPN operator was tied to t.me infrastructure.

Telegram’s t.me shortlinks stopped working for about a day after the US Office of Foreign Assets Control (OFAC) sanctioned First VPN Service (1VPNS) on July 13. Once Telegram confirmed it removed links and affiliations tied to 1VPNS, the.ME registry restored the t.me domain suspension on July 14.
Telegram’s t.me shortlinks were knocked offline for roughly a day after the US Treasury’s OFAC sanctioned First VPN Service (1VPNS) on July 13. The.ME domain registry says t.me stopped working while Telegram verified that links associated with the sanctioned VPN had been removed.
Telegram, which uses t.me shortlinks to share links to channels, groups, and profiles, ended up in a classic “platform layer meets compliance reality” moment. Founder and CEO Pavel Durov publicly asked the.ME domain registry to look into the issue, and Domain.Me confirmed the disruption was connected to sanctions requirements. In the end, the suspension was removed after Telegram provided confirmation on July 14 that it had removed its links and affiliations with 1VPNS.
Here’s the part that matters for operators, investors, and anyone building network-adjacent products: this wasn’t a content moderation decision. It was a domain suspension tied to sanctions-linked infrastructure, and it played out at the infrastructure-routing level. When the.ME registry suspended the t.me domain, users across Telegram reported that t.me links were borked. Telegram says it removed links and affiliations associated with 1VPNS, and Domain.Me says it works closely with law enforcement to monitor and mitigate issues across the.ME domain in accordance with applicable laws, including sanctions requirements.
OFAC’s designation provides the missing connective tissue. OFAC sanctioned 1VPNS for “selling services to ransomware groups and other cybercriminals,” and it also designated the service’s administrator, Dmytro Rashevskyi, along with additional sanctions tied to malware-related tools. The sanctions announcement also included a Telegram channel using the t.me domain as identified infrastructure tied to 1VPNS. Domain.Me’s statement ties the suspension directly to that identification: because a Telegram channel using t.me was among the infrastructure “identified infrastructure,” the t.me domain was suspended.
The Register notes the registrar did not name the specific Telegram channel or group identified as 1VPNS infrastructure. But the reporting points to a reasonable inference: if the service ran its own Telegram channel or account, and that group had its own t.me link included verbatim in the OFAC announcement, then those link targets could plausibly trigger domain-wide disruption. In other words, the incident likely wasn’t that Telegram “was in business with ransomware.” It’s that a sanctions-linked endpoint in Telegram’s ecosystem was reachable through t.me, and the registry response to OFAC designation ran through the domain.
Why is this scenario worth your attention? Because it shows how sanctions can ripple through ecosystems in non-obvious ways, even for mainstream communication platforms. The broader story around 1VPNS is also grim and well documented in the source. After European law enforcement agencies took 1VPNS infrastructure offline in May, authorities said the service, administered from Dnipro, Ukraine, had been used by at least 25 ransomware groups, including Avaddon, for reconnaissance and intrusions. Europol’s European Cybercrime Centre head Edvardas Šileris said at the time that criminals saw the VPN as a gateway to anonymity and that law enforcement action proved them wrong. He also said taking it offline removed a critical layer of protection criminals relied on to operate, communicate, and evade enforcement.
According to the source, the FBI supported a France and Netherlands-led takedown and described 1VPNS as advertised almost exclusively on criminal dark web forums, used for activity beyond ransomware. The service allegedly enabled scammers, botnet traffic, denial-of-service attacks, scanning operations, and more since it began operating around 2014. OFAC’s July 13 move, therefore, wasn’t a random compliance footnote. It was another step in a wider enforcement arc that targets cybercriminal enablement services, not just the end malware.
OFAC also sanctioned Yevgeniy Vladimirovich Silayev for selling “cryptors,” tools designed to disguise ransomware and other malware so they evade detection by security software. The sanctions announcement, as summarized in the source, says ransomware groups used both services, causing billions of dollars in losses to US businesses and critical infrastructure providers. Gene Lange, senior counselor to the Secretary of the Treasury and performing the duties of the Under Secretary for Terrorism and Financial Intelligence, framed the goal as disrupting the cybercriminal ecosystem and protecting the American people. The key operational takeaway is that Treasury is applying pressure not just to attackers, but to services and supply-chain components that let them scale.
For decision-makers at platforms, registries, and adjacent infrastructure providers, the strategic stakes are immediate. Sanctions can translate into domain-level actions that affect user experience and reliability, even if the platform believes it has removed offending affiliations quickly. The Telegram case shows a tight loop: OFAC designates 1VPNS, t.me links break, Telegram confirms removal, and the.ME registry restores the suspension. In other words, the “time to verification” window matters. Boards and executives should assume that compliance events can become availability events. In a world where users trade access links like currency, even a one-day disruption tied to sanctions-linked infrastructure can become a reputational and operational pressure test. And as OFAC keeps using “every available tool” to target the cybercriminal ecosystem, expect more of these cross-layer collisions between law enforcement, registries, and global messaging networks.
This story's Key Insights and Take-aways are locked.
Create a free account to unlock Executive Actions for one credit.
Register to UnlockAlways free for Executives Club members. Join the Club
More in Business

Epic and Google drop settlement bid, forcing rival Android app stores by July 22
Google told the court it is ready to carry third-party app stores starting Wednesday, July 22.

SK Hynix opens at $170, raises $26.5B, and tops foreign IPO records
In Friday's Wall Street debut, SK Hynix turns AI RAM demand into a $26.5B fundraising moment that rewrites comps.

China lands a reusable Long March booster, a first that matches SpaceX and Blue Origin
A barge landing and net-based recovery move China from theory to proof, reshaping the reusability race and satellite ambitions.

