Poland arrests suspect linked to Phobos ransomware operation
Source: Bleeping Computer
Arrest of a suspect in Poland

Polish police have detained a 47‑year‑old man suspected of ties to the Phobos ransomware group and seized computers and mobile phones containing stolen credentials, credit‑card numbers, and server‑access data.
Officers from Poland’s Central Bureau of Cybercrime Control (CBZC) arrested the suspect in the Małopolska region in a joint operation involving units from Katowice and Kielce. The action is part of Operation Aether, a broader international effort coordinated by Europol and targeting Phobos ransomware infrastructure and affiliates.
During a search of the suspect’s residence, investigators supervised by the District Prosecutor’s Office in Gliwice found files on his devices containing credentials, passwords, credit‑card numbers, and server IP addresses that could be used to gain unauthorized access to computer systems and facilitate ransomware attacks.
“This data could be used to carry out various attacks, including, among others, ransomware. After performing technical actions, it turned out that there was data on them that could be used to break electronic security,” the CBZC said. “In addition, according to information collected about the 47‑year‑old, using encrypted messengers, he contacted the Phobos crime group known for its ransomware attacks.”
The suspect now faces charges under Article 269b of Poland’s Criminal Code for producing, acquiring, and distributing computer programs designed to unlawfully obtain information stored in IT systems (hacking tools). If convicted, he faces a maximum penalty of five years in prison.
Operation Aether targeting Phobos
Phobos is a long‑running ransomware‑as‑a‑service (RaaS) operation (derived from the Crysis ransomware family) that, despite receiving less media attention than other ransomware groups, has been responsible for many attacks on businesses worldwide and is considered one of the most widely distributed ransomware operations.
- Between May 2024 and November 2024, Phobos ransomware accounted for approximately 11% of all submissions to the ID Ransomware service.
- The U.S. Justice Department has linked the gang to breaches at more than 1,000 public and private entities worldwide, with ransom payments totaling over $16 million.
Operation Aether has targeted Phobos‑linked individuals at multiple levels of the operation, including backend infrastructure operators and affiliates involved in network intrusions and data encryption.
Key outcomes of the global police effort include:
- The extradition of the alleged Phobos administrator to the United States in November 2024.
- A massive disruption in February 2025, when police seized 27 servers and arrested two suspected affiliates in Phuket, Thailand.
- An earlier arrest of a key Phobos affiliate in Italy in 2023, further weakening the cyber‑criminal network.
“As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks,” Europol said in February 2025. “This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both.”
In July 2025, Japanese police released a Phobos and 8Base ransomware decryptor, allowing victims to recover their files for free.