US Sanctions on a Criminal VPN Took Down Telegram's t.me Domain Worldwide

17.07.2026 3
US Sanctions on a Criminal VPN Took Down Telegram's t.me Domain Worldwide

For roughly a day in mid-July, every t.me link on the planet simply stopped working. Channels, group invites, bots, mini-apps - billions of shared links went dead at once, while the Telegram app itself kept running as if nothing had happened. The cause turned out to be almost absurd: US sanctions against a criminal VPN service whose contact channel happened to live on t.me. One compliance decision by a small domain registry in Montenegro was enough to knock out a core piece of infrastructure for a platform with over a billion users.

What happened to t.me

On July 13, 2026, the US Treasury's Office of Foreign Assets Control (OFAC) sanctioned First VPN Service, a VPN operation built for cybercriminals, along with its administrator, Ukrainian national Dmytro Rashevskyi. The sanctions listing included the service's public Telegram channel - written out as a full t.me address.

The next day, DomainME, the registry that operates Montenegro's .me top-level domain, placed the entire t.me domain on serverHold. That status is applied at the registry level, above the registrar, the DNS provider and the domain owner: the domain is removed from the DNS zone entirely, so no lookup anywhere in the world can resolve it. Every t.me link died globally, regardless of Telegram's own flawless infrastructure.

The VPN service behind the sanctions

First VPN Service was no ordinary provider. According to the FBI, the service had operated since 2014, was advertised almost exclusively on criminal dark web forums, and was used by at least 25 ransomware groups, as well as botnet operators and fraudsters. It is the same operation whose infrastructure the FBI and Europol dismantled earlier this year - the OFAC listing was the financial follow-up to that takedown.

The irony is hard to miss: sanctions aimed at a service that gave cover to ransomware gangs ended up disabling a communication tool for a billion ordinary users. The criminals lost a Telegram channel; everyone else lost their links.

Durov found out from X

Telegram received no advance notice. Founder Pavel Durov learned about the cause from public posts and appealed to the registry directly on X: "Hey @domainME, t.me links stopped working. Can you look into it?" WHOIS records at the time showed the domain registered until 2035 - expiration was ruled out, and no official explanation existed for hours.

Users who knew the trick could simply replace t.me with telegram.me in any link - Telegram's alternate domain was not mentioned in the sanctions filing and kept working throughout the outage.

Resolution in about a day

The hold was lifted after Telegram confirmed it had removed links to the sanctioned VPN service from its platform. DomainME stated that it works closely with law enforcement "in accordance with applicable laws, including sanctions requirements" - in other words, the registry saw a t.me address in an OFAC filing and suspended the whole domain rather than risk a compliance violation. Total downtime: roughly 19 to 24 hours.

Why this case matters

This is a precedent with implications far beyond Telegram. The DNS system has a built-in kill switch that sits above platforms, hosting providers and even national governments: the registry of a country-code domain. Montenegro's registry - operating under US sanctions pressure - switched off the link infrastructure of the world's largest messaging platforms overnight, by accident, with no notification.

Telegram has already lived through state-level blocking, from India's nationwide ban that pushed millions toward predatory VPN apps to the ongoing legal siege of its founder in France. But those were deliberate acts by governments against a platform. The t.me incident shows something new: a platform's infrastructure can be collateral damage of a sanctions filing that has nothing to do with it.

Important: the outage affected only the t.me short-link domain. Telegram's apps, messages and core infrastructure were never compromised or blocked - and the sanctioned First VPN Service has no relation to legitimate consumer VPN providers.

For ordinary users, the lesson is about resilience. When a single DNS entry can erase billions of links, the tools that keep you connected regardless of DNS-level decisions become part of basic digital hygiene. A trustworthy VPN will not fix a serverHold - but in the growing list of scenarios where access to a platform is cut at the network level, whether by a state block or an overzealous intermediary, an encrypted tunnel remains the most reliable way to reach the services you rely on.

Conclusion: the t.me blackout was resolved in a day, but the precedent stays. A single line in a sanctions filing, processed by a cautious registry, disabled the link system of a billion-user platform - no court, no notice, no appeal. Internet infrastructure has chokepoints most users never think about, and this July the world got a live demonstration of how easily one of them can be pulled.
Tags: telegram vpn sanctions dns censorship blocking internet freedom privacy

Read also