Polish cybercrime Police arrest man linked to Phobos ransomware operation
Polish police arrested a 47-year-old man suspected of taking part in Phobos ransomware activity and found a large amount of illegal data on his devices. The man is suspected of contacting the Phobos criminal group and is accused of developing and distributing tools used for unlawful access to computer systems. The arrest was part of Operation Aether, coordinated by Europol. 2026-2-17 15:16:11 Author: securityaffairs.com

Pierluigi Paganini February 17, 2026

Officers from Poland’s Central Bureau of Cybercrime Control (CBZC) police arrested a 47-year-old man linked to the Phobos ransomware operation.

Polish authorities arrested a 47-year-old man suspected of involvement in cybercrime and linked him to the Phobos ransomware operation. Police said they discovered evidence of illegal activities on his seized devices.

“Officers from the Central Bureau for Combating Cybercrime detained a 47-year-old man suspected of creating, acquiring, and sharing computer programs used to unlawfully obtain information stored in computer systems,” reads the press release published by Poland’s Central Bureau of Cybercrime Control (CBZC) police. “Officers secured files on the man’s computer containing digital data, such as logins, passwords, credit card numbers, and server IP addresses. This data could have been used to launch various attacks, including ransomware. Furthermore, the 47-year-old used encrypted messaging to contact the Phobos criminal group, known for its ransomware attacks.”

In a joint operation by cybercrime units in Katowice and Kielce, Polish authorities arrested the man in the Małopolska region over suspected links to the Phobos group. Investigators seized computers and mobile phones containing logins, passwords, credit card data, and server IP addresses that could be used to breach electronic systems and launch ransomware attacks.

Evidence also showed he used encrypted messaging to communicate with members of the criminal network. He has been charged with creating and distributing tools for unlawful access to computer systems, an offense punishable by up to five years in prison. The case is overseen by the District Prosecutor’s Office in Gliwice. The arrest was part of Operation Aether, coordinated by Europol, which has targeted Phobos operators, affiliates, and infrastructure worldwide.

Phobos is an organized cybercrime group operating a ransomware-as-a-service (RaaS) model, providing its malware to affiliates who carry out attacks and share the profits. The group has targeted more than 1,000 victims worldwide, including U.S. public schools, healthcare providers, nonprofit organizations, government bodies, and private firms, even a contractor linked to the U.S. Department of Defense. According to the U.S. Department of Justice, ransom demands tied to Phobos exceeded $16 million. While the average demand was around $54,000, amounts varied widely. Exact earnings remain uncertain due to cryptocurrency payments and darknet activity.

In November 2024, Russian Phobos ransomware operator Evgenii Ptitsyn, suspected of playing a key role in the ransomware operations, was extradited from South Korea to the US to face cybercrime charges.

The Russian national was allegedly involved in the development, sale, distribution, and operations of the ransomware.

Evgenii Ptitsyn and others allegedly ran an international hacking scheme beginning in November 2020, deploying Phobos ransomware to extort victims. Ptitsyn reportedly sold the ransomware on darknet forums under aliases like “derxan” and “zimmermanx,” enabling other criminals to encrypt data and demand ransom.

Ptitsyn and his conspirators used a ransomware-as-a-service (RaaS) model to distribute their malware to a network of affiliates. Affiliates paid fees to administrators like Ptitsyn for decryption keys, with payments routed via unique cryptocurrency wallets from 2021 to 2024.

Article source: https://securityaffairs.com/188128/cyber-crime/polish-cybercrime-police-arrest-man-linked-to-phobos-ransomware-operation.html