US charges Phobos ransomware admin after South Korea extradition

BleepingComputer

Evgenii Ptitsyn, a Russian national and suspected administrator of the Phobos ransomware operation, was extradited from South Korea and is facing cybercrime charges in the United States.

Phobos is a long-running ransomware-as-a-service (RaaS) operation (derived from the Crysis ransomware family) widely distributed through many affiliates. Between May 2024 and November 2024, it accounted for roughly 11% of all submissions to the ID Ransomware service.

The Justice Department has linked the Phobos ransomware gang to breaches of over 1,000 public and private entities in the United States and worldwide, with ransom payments worth more than $16 million.

According to court documents, Ptitsyn and his co-conspirators allegedly developed and, starting in November 2020, provided Phobos affiliates with access to the ransomware payloads needed to encrypt the victims' systems and the platform used to extort ransom payments.

"The administrators operated a darknet website to coordinate the sale and distribution of Phobos ransomware to co-conspirators and used online monikers to advertise their services on criminal forums and messaging platforms. At relevant times, Ptitsyn allegedly used the monikers 'derxan' and 'zimmermanx,'" the Justice Department said.

Phobos affiliates allegedly hacked into the victims' networks using stolen credentials to steal files and deploy Phobos ransomware to encrypt their data.

They also left ransom notes and contacted victims through calls and emails, attempting to extort each victim and demanding ransom payments in exchange for decryption keys under the threat of leaking their stolen files online if they didn't pay.

Phobos detections between May and November 2024 (ID Ransomware)

After attacks that resulted in a ransom payment, the affiliates paid Phobos administrators, including Ptitsyn, for the decryption keys. As the Justice Department said on Monday, each ransomware deployment had a unique alphanumeric string that linked it to the corresponding key, and the payments were directed to specific cryptocurrency wallets unique to each affiliate.

"From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet controlled by Ptitsyn," the Justice Department added.

Ptitsyn is charged in a 13-count indictment, including wire fraud, conspiracy to commit computer fraud, and extortion related to hacking. If convicted, he faces up to 20 years for each wire fraud count, 10 years for each hacking count, and five years for conspiracy charges.

"Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments," said Nicole M. Argentieri, the head of the Justice Department's Criminal Division.

"We are especially grateful to our domestic and foreign law enforcement partners, like South Korea, whose collaboration is essential to disrupting and deterring the most significant cybercriminal threats facing the United States."