
Phobos Ransomware Suspect Arrested in Poland

1 unique source, 2 articles

Summary


Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.

Timeline

  1. 05.03.2026 10:34 1 article · 23h ago

    Phobos Ransomware Admin Pleads Guilty to Wire Fraud Conspiracy

    A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.

  2. 17.02.2026 13:31 2 articles · 16d ago

    Phobos Ransomware Suspect Arrested in Poland

    Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand.


Information Snippets

  • Polish police arrested a 47-year-old man suspected of ties to the Phobos ransomware group.

    First reported: 17.02.2026 13:31
    1 source, 1 article
  • The arrest is part of "Operation Aether," a broader international effort coordinated by Europol.

    First reported: 17.02.2026 13:31
    1 source, 2 articles
  • The suspect was found with stolen credentials, credit card numbers, and server access data.

    First reported: 17.02.2026 13:31
    1 source, 2 articles
  • The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty.

    First reported: 17.02.2026 13:31
    1 source, 1 article
  • Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption.

    First reported: 17.02.2026 13:31
    1 source, 2 articles
  • The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand.

    First reported: 17.02.2026 13:31
    1 source, 1 article
  • A Russian national pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Phobos is a long-running ransomware-as-a-service (RaaS) operation linked to the Crysis ransomware family.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Phobos has been widely distributed through many affiliates, accounting for roughly 11% of all submissions to the ID Ransomware service between May 2024 and November 2024.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • The U.S. Department of Justice says the ransomware gang has collected ransom payments worth more than $39 million from over 1,000 public and private entities worldwide.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • 43-year-old Evgenii Ptitsyn was extradited from South Korea in November 2024 and was charged in the United States for overseeing the sale, distribution, and day-to-day operation of Phobos ransomware.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Ptitsyn and his accomplices began running the cybercrime operation no later than November 2020, selling access to the Phobos ransomware to criminal affiliates through a darknet website and advertising on criminal forums under the "derxan" and "zimmermanx" handles.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Affiliates broke into targets' networks (including schools, hospitals, and government agencies), often using stolen credentials, exfiltrated files, and encrypted sensitive data before demanding payment.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Affiliates paid a per-deployment fee to Ptitsyn in exchange for a decryption key, and Ptitsyn collected a cut of ransom payments made by victims.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • From December 2021 to April 2024, all decryption key fees were transferred from an affiliate cryptocurrency wallet to a single Phobos admin cryptocurrency wallet under Ptitsyn's control.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • "After a successful Phobos ransomware attack, affiliates paid approximately $300 to the Phobos administrators for a decryption key to regain access to the encrypted files," the indictment reads.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Ptitsyn has been scheduled for sentencing on July 15 and is now facing up to 20 years following his guilty plea to wire fraud conspiracy.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Earlier this year, Polish police detained a 47-year-old man suspected of ties to the Phobos ransomware, seizing computers and mobile phones containing stolen credentials, credit card numbers, and server access data, as part of "Operation Aether," a Europol-coordinated international effort targeting the Phobos ransomware gang.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Over the years, Operation Aether went after Phobos-linked individuals at multiple levels of the operation, including backend infrastructure operators and ransomware affiliates involved in network intrusions and data encryption.

    First reported: 05.03.2026 10:34
    1 source, 1 article
  • Other key results of this operation include a massive disruption in February 2025, when police detained two suspected affiliates and seized 27 servers, and the arrest of another affiliate in Italy in 2023.

    First reported: 05.03.2026 10:34
    1 source, 1 article

Similar Happenings

Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports

FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method.

Conti Ransomware Member Extradited from Ireland to US

Oleksii Oleksiyovych Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States and appeared in a Tennessee court on charges related to the Conti ransomware operation. He is accused of conspiring to deploy Conti ransomware, extorting over $500,000 in cryptocurrency from victims in the Middle District of Tennessee, and publishing stolen information. The Conti ransomware operation has been linked to over 1,000 victims worldwide, with ransom payments exceeding $150 million as of January 2022. Lytvynenko faces charges that could lead to 25 years in prison, including 20 years for wire fraud conspiracy and 5 years for computer fraud conspiracy. He was arrested in July 2023 by Irish authorities and detained until his extradition. The Conti group, initially a ransomware operation, evolved into a larger cybercrime syndicate, controlling multiple malware operations. After shutting down, its members have infiltrated other cybercrime groups. The FBI estimates Conti's malware was used in more critical infrastructure attacks than any other ransomware variant.

Volodymyr Tymoshchuk Charged for LockerGoga, MegaCortex, Nefilim Ransomware Operations

Ukrainian national Volodymyr Viktorovich Tymoshchuk has been charged for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations. Tymoshchuk is accused of orchestrating attacks on hundreds of companies, leading to millions of dollars in damages. He is also linked to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk faces multiple charges related to computer fraud, unauthorized access, and threatening to disclose confidential information. The U.S. Department of State is offering a reward of up to $11 million for information leading to his arrest. Additionally, Artem Aleksandrovych Stryzhak, a Ukrainian national, pleaded guilty to conducting Nefilim ransomware attacks targeting high-revenue businesses across the United States and other countries. Stryzhak was arrested in Spain in June 2024 and extradited to the U.S. on April 30, 2025. He admitted to computer fraud conspiracy charges and faces up to 10 years in prison, with sentencing scheduled for May 6, 2026. Stryzhak obtained access to the Nefilim ransomware code in June 2021 and targeted large corporations, using custom-tailored malware and threatening to leak stolen data unless ransom demands were met. Stryzhak asked a co-conspirator whether he should choose a different username to avoid detection by authorities. Nefilim ransomware has been rebranded as Fusion, Milihpen, Gangbang, Nemty, and Karma.

Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison for wire fraud and conspiracy. Urban, also known by several aliases, was arrested in January 2024 and pleaded guilty in April. He was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. Urban will also pay $13 million in restitution to more than 30 victims. Scattered Spider is a fluid collective known for sophisticated social engineering attacks, including phishing, SIM swapping, and MFA bombing. They have targeted high-profile organizations worldwide, such as Twilio, Coinbase, and Reddit. The group escalated their attacks in September 2023, breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware. They have also partnered with various ransomware operations, including Qilin, RansomHub, and DragonForce. In a separate development, two British teenagers, Thalha Jubair and Owen Flowers, were arrested in September 2024 for their alleged involvement in the Transport for London (TfL) breach. They pleaded not guilty to computer misuse and fraud-related charges. The TfL breach in August 2024 caused millions of pounds in damage and exposed customer data. Jubair and Flowers are also facing additional charges related to attacks on other organizations, including SSM Health Care Corporation, Sutter Health, and U.S. courts.

LockBit 4.0 Leak Exposes Disorganized Ransomware Ecosystem

LockBit 4.0's affiliate panel was compromised in May 2025, revealing a chaotic and disorganized ransomware ecosystem. The leak exposed thousands of chat messages, ransomware builds, and internal data, showing that affiliates operate with little oversight and vary widely in professionalism. The leak highlights the unpredictability and fragmentation of the ransomware-as-a-service (RaaS) landscape, making it harder for defenders to prepare and respond to attacks. The leak occurred on May 7, 2025, and included over 4,000 chat messages, thousands of ransomware builds, internal user tags, and cryptowallet data. The exposed communications revealed that affiliates often ignore victims, deliver broken decryption tools, and dodge payments to the LockBit platform. Some affiliates even targeted prohibited entities, including Russian state organizations. The leak underscores the difficulty in defending against such fragmented and unpredictable threats.