Russian national Evgenii Ptitsyn (43) pleaded guilty in the U.S. for his role in the Phobos ransomware operation.

Russian national Evgenii Ptitsyn pleaded guilty in the US to wire fraud conspiracy for his role in the Phobos ransomware scheme. The man was arrested in South Korea in 2024 and extradited to the United States. He helped sell and operate the ransomware platform used by affiliates to attack victims.

Ptitsyn faces a maximum penalty of 20 years in prison for the wire fraud count. The sentencing is set for July 15.

According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments. The Russian national was allegedly involved in the development, sale, distribution, and operations of the ransomware.

Evgenii Ptitsyn and others allegedly ran an international hacking scheme starting in November 2020, deploying Phobos ransomware to extort victims. Ptitsyn reportedly sold the ransomware on darknet forums under aliases like “derxan” and “zimmermanx,” enabling other criminals to encrypt data and demand ransom.

Ptitsyn and his conspirators used a ransomware-as-a-service (RaaS) model to distribute their malware to a network of affiliates. Affiliates paid fees to administrators like Ptitsyn for decryption keys, with payments routed via unique cryptocurrency wallets from 2021 to 2024.

“After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators like Ptitsyn for a decryption key to regain access to the encrypted files.
Each deployment of Phobos ransomware was assigned a unique alphanumeric string to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to the affiliate.” reads the press release published by DoJ. “From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet Ptitsyn controlled. Ptitsyn also received a portion of the ransomware payments made by victims.”

In February 2025, the U.S. Justice Department unsealed charges against Russian nationals Roman Berezhnoy and Egor Glebov for operating a Phobos ransomware group. Both were arrested in a coordinated international operation that also dismantled the group’s infrastructure and led to further arrests.

In February, Polish authorities arrested a 47-year-old man suspected of involvement in cybercrime and linked him to the Phobos ransomware operation. Police said they discovered evidence of illegal activities on his seized devices.

“Officers from the Central Bureau for Combating Cybercrime detained a 47-year-old man suspected of creating, acquiring, and sharing computer programs used to unlawfully obtain information stored in computer systems.” reads the press release published by Poland’s Central Bureau of Cybercrime Control (CBZC) police. “Officers secured files on the man’s computer containing digital data, such as logins, passwords, credit card numbers, and server IP addresses. This data could have been used to launch various attacks, including ransomware. Furthermore, the 47-year-old used encrypted messaging to contact the Phobos criminal group, known for its ransomware attacks.”

In a joint operation by cybercrime units in Katowice and Kielce, Polish authorities arrested the man in the Małopolska region over suspected links to the Phobos group.
Investigators seized computers and mobile phones containing logins, passwords, credit card data, and server IP addresses that could be used to breach electronic systems and launch ransomware attacks. Evidence also showed he used encrypted messaging to communicate with members of the criminal network.

He has been charged with creating and distributing tools for unlawful access to computer systems, an offense punishable by up to five years in prison. The case is overseen by the District Prosecutor’s Office in Gliwice.

The arrest was part of Operation Aether, coordinated by Europol, which has targeted Phobos operators, affiliates, and infrastructure worldwide.

Pierluigi Paganini (SecurityAffairs)
Published: 2026-03-05T19:12:17