Phobos ransomware admin pleads guilty to wire fraud conspiracy
2026-3-5 08:47:51 Author: www.bleepingcomputer.com


A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide.

Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.

The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.

43-year-old Evgenii Ptitsyn was extradited from South Korea in November 2024 and was charged in the United States for overseeing the sale, distribution, and day-to-day operation of Phobos ransomware.

According to court documents, Ptitsyn and his accomplices began running the cybercrime operation no later than November 2020, selling access to the Phobos ransomware to criminal affiliates through a darknet website and advertising on criminal forums under the "derxan" and "zimmermanx" handles.

The affiliates broke into targets' networks (including schools, hospitals, and government agencies), often using stolen credentials, exfiltrated files, and encrypted sensitive data before demanding payment. Via email and phone calls, they also threatened victims who refused to pay the ransoms with leaking their stolen data online and sending it to customers.

Affiliates paid a per-deployment fee to Ptitsyn in exchange for a decryption key, and Ptitsyn collected a cut of ransom payments made by victims. From December 2021 to April 2024, all decryption key fees were transferred from an affiliate cryptocurrency wallet to a single Phobos admin cryptocurrency wallet under Ptitsyn's control.

"After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files," the indictment reads. "Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate."

Ptitsyn has been scheduled for sentencing on July 15 and is now facing up to 20 years following his guilty plea to wire fraud conspiracy.

Operation Aether targeting Phobos ransomware

Earlier this year, Polish police detained a 47-year-old man suspected of ties to the Phobos ransomware, seizing computers and mobile phones containing stolen credentials, credit card numbers, and server access data, as part of "Operation Aether," a Europol-coordinated international effort targeting the Phobos ransomware gang.

Over the years, Operation Aether went after Phobos-linked individuals at multiple levels of the operation, including backend infrastructure operators and ransomware affiliates involved in network intrusions and data encryption.

Other key results of this operation include a massive disruption in February 2025, when police detained two suspected affiliates and seized 27 servers, and the arrest of another affiliate in Italy in 2023.

"As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks," Europol noted in February 2025. "This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries."



Source: https://www.bleepingcomputer.com/news/security/phobos-ransomware-admin-pleads-guilty-to-wire-fraud-conspiracy/