Phobos ransomware admin pleads guilty to wire fraud conspiracy

Published: March 5, 2026 at 03:34 AM EST
Source: Bleeping Computer

Guilty plea and Phobos ransomware overview

A Russian national pleaded guilty to a wire‑fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide.

Phobos is a long‑running ransomware‑as‑a‑service (RaaS) operation linked to the Crysis ransomware family. Between May 2024 and November 2024, Phobos accounted for roughly 11 % of all submissions to the ID Ransomware service.

The U.S. Department of Justice reports that the gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.

  • Evgenii Ptitsyn, 43, was extradited from South Korea in November 2024 and charged in the United States for overseeing the sale, distribution, and day‑to‑day operation of Phobos ransomware.
  • Court documents show Ptitsyn and his accomplices began running the operation no later than November 2020, selling access through a darknet website and advertising on criminal forums under the “derxan” and “zimmermanx” handles.

Affiliates typically:

  1. Breached target networks (schools, hospitals, government agencies) using stolen credentials.
  2. Exfiltrated files, encrypted sensitive data, and demanded payment.
  3. Threatened victims who refused to pay by leaking stolen data online and contacting victims directly.

Affiliates paid a per‑deployment fee to Ptitsyn for a decryption key, and Ptitsyn collected a cut of the ransom payments. From December 2021 to April 2024, all decryption‑key fees were transferred from an affiliate cryptocurrency wallet to a single Phobos admin wallet under Ptitsyn’s control.

“After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files,” the indictment reads. “Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate.”

Ptitsyn is scheduled for sentencing on July 15 and faces up to 20 years in prison following his guilty plea to wire‑fraud conspiracy.

Operation Aether targeting Phobos ransomware

Earlier this year, Polish police detained a 47‑year‑old man suspected of ties to the Phobos ransomware, seizing computers and mobile phones containing stolen credentials, credit‑card numbers, and server access data as part of Operation Aether, a Europol‑coordinated international effort against the gang.

Over the years, Operation Aether has targeted Phobos‑linked individuals at multiple levels, including backend infrastructure operators and ransomware affiliates involved in network intrusions and data encryption. Notable results include:

  • A massive disruption in February 2025, when police detained two suspected affiliates and seized 27 servers.
  • The arrest of another affiliate in Italy in 2023.

“As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks,” Europol noted in February 2025. “This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries.”
