Every link that begins with t.me stopped working around the world on Monday, July 13, when Telegram’s short-link domain was placed in serverHold at the .me registry, a status applied at the registry level that removes a domain from the global DNS entirely. Browsers now return NXDOMAIN for t.me, as if it had never existed, which breaks every invite, group, and channel link that Telegram’s roughly one billion users pass around. Telegram’s app kept running and the older telegram.me still resolves, but the short links the service is built on went dark. The most likely trigger is not a court order or a hack. It appears to be a US Treasury sanction, reaching a Montenegrin country-code domain that is, in practice, run by American companies.
What Actually Broke
The mechanism matters. A serverHold is imposed by the registry, not the registrar, and ICANN’s own documentation is blunt that it pulls a domain out of name resolution regardless of how the owner’s infrastructure is configured. Telegram could not fix this from its side. No public explanation came from Telegram, the .me registry, or Identity Digital, the US company that operates the domain’s technical backend. Telegram founder Pavel Durov surfaced the outage on X by tagging the registry directly: “Hey @domainME, t.me links stopped working. Can you look into it?” A public plea to the registry suggests the company received no advance notice. For a platform whose entire link ecosystem, including the on-ramp to its TON crypto network, runs on t.me, a silent registry suspension is close to a worst case.
The Sanction Behind It
On July 13, the day t.me was suspended, the US Office of Foreign Assets Control sanctioned First VPN Service (1VPNS), a VPN provider that Treasury says sold anonymizing infrastructure to ransomware groups. OFAC also designated its administrator, Dmytro Rashevskyi, and a Belarusian “cryptor” supplier, Yevgeniy Silayev, in an action coordinated with the United Kingdom and following a European takedown of 1VPNS’s servers in May. Treasury’s case describes a service advertised on cybercrime forums since 2014, marketed on a promise to keep no logs and refuse cooperation with investigators. According to domain-industry reporting, the sanctions listing named a t.me address, t.me/FirstVPNService, as an identifier of the group, yet it was the whole domain, not that single path, that went dark. No party has publicly confirmed that the sanction and the suspension are connected, but the timing and the listing point strongly toward it.
Why a US Sanction Reaches a Montenegrin Domain
.me is the country-code top-level domain for Montenegro, which makes the reach of a US sanction into it counterintuitive at first. The answer is in the plumbing. The registry operator, doMEn, is a Montenegro-based venture whose partners include two US companies, GoDaddy and Identity Digital, and it is Identity Digital that runs the technical backend, having absorbed the former .me operator Afilias in 2021. A sanctions regime binds US persons and companies. When the entity that can technically flip a domain to serverHold is American, an OFAC designation does not need Montenegro’s cooperation to take effect. The flag on the TLD is Montenegrin; the hands on the registry are, functionally, US-regulated.
One URL, a Whole Domain, and the Proportionality Question
That is where the story stops being about Telegram and starts being about the domain system. If the trigger was a single sanctioned URL under t.me, the response was to suspend the entire domain and every link beneath it, rather than the one path that was named. It is the domain-scale version of a debate this publication has followed through ICANN’s DNS Abuse work: whether enforcement should act on the specific offending resource or the whole registration it sits under. The specific path could only be pulled by Telegram itself; the registry’s only lever is the whole domain, and it used it. Applied to a domain that underpins a billion people’s links, all-or-nothing is a very large blast radius for one listed address. If that is what happened, the precedent is the uncomfortable part: it would show that a sanctioned identifier anywhere under a domain, on a ccTLD whose operator answers to US law, could take the whole domain offline with no notice and no public order, and that the affected party’s most visible recourse is to tag the registry on social media and wait.
Sources
- Treasury Sanctions Malware and Infrastructure Providers Supporting Ransomware Attacks Against Americans (July 13, 2026) - US Department of the Treasury (official)
- VPN Service Favored by Ransomware Groups Is Sanctioned by US - The Record (Recorded Future News)
- Cybercrime Link as t.me Gets Taken Down - Domain Incite
- Telegram's t.me Domain Stops Working; Durov Asks the Domain Registry - MediaNama
- .me Delegation Record (ccTLD manager: Government of Montenegro) - IANA (authoritative)
- .me (operator doMEn; partners GoDaddy and Identity Digital, formerly Afilias) - ICANNWiki