A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation, which breached hundreds of victims worldwide.
Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family. Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.
The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.
43-year-old Evgenii Ptitsyn was extradited from South Korea in November 2024 and was charged in the United States for overseeing the sale, distribution, and day-to-day operation of Phobos ransomware.
According to court documents, Ptitsyn and his accomplices began running the cybercrime operation no later than November 2020, selling access to the Phobos ransomware to criminal affiliates through a darknet website and advertising on criminal forums under the "derxan" and "zimmermanx" handles.
The affiliates broke into targets' networks (including schools, hospitals, and government agencies), often using stolen credentials, exfiltrated files, and encrypted sensitive data before demanding payment. They also used emails and phone calls to pressure victims who refused to pay the ransoms, threatening to leak their stolen data online and send it to customers.
Affiliates paid a per-deployment fee to Ptitsyn in exchange for a decryption key, and Ptitsyn collected a cut of ransom payments made by victims. From December 2021 to April 2024, all decryption key fees were transferred from an affiliate cryptocurrency wallet to a single Phobos admin cryptocurrency wallet under Ptitsyn's control.
"After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files," the indictment reads. "Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate."
Ptitsyn has been scheduled for sentencing on July 15 and is now facing up to 20 years following his guilty plea to wire fraud conspiracy.
Operation Aether targeting Phobos ransomware
Earlier this year, Polish police detained a 47-year-old man suspected of ties to the Phobos ransomware, seizing computers and mobile phones containing stolen credentials, credit card numbers, and server access data, as part of "Operation Aether," a Europol-coordinated international effort targeting the Phobos ransomware gang.
Over the years, Operation Aether went after Phobos-linked individuals at multiple levels of the operation, including backend infrastructure operators and ransomware affiliates involved in network intrusions and data encryption.
Other key results of this operation include a massive disruption in February 2025, when police detained two suspected affiliates and seized 27 servers, and the arrest of another affiliate in Italy in 2023.
"As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks," Europol noted in February 2025. "This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries."