How greed and carelessness destroyed the king of darknet forums.
International hacker Evgeny Ptitsyn has pleaded guilty to cybercrime charges related to the Phobos ransomware group. The charges relate to his involvement in a fraudulent conspiracy involving wire transfers. Investigators believe Ptitsyn to be one of the administrators of this criminal infrastructure, which has been attacking organizations worldwide for several years.
Phobos operates using the ransomware-as-a-service model and is associated with the Crysis malware family. The group's partners distributed the malware to various targets, while the platform's creators provided the infrastructure and received a share of the payments. According to ID Ransomware, Phobos accounted for approximately 11 percent of user requests for malware samples between May and November 2024.
The US Department of Justice estimates the total amount of compensation paid to the attackers at more than $39 million. Over a thousand organizations, both public and private, were affected by the attacks.
Evgeny Ptitsyn, now 43, was in South Korea. In November 2024, the country's authorities handed him over to the United States . Investigators believe he was responsible for the sale, distribution, and day-to-day operation of the malicious platform.
Case materials indicate that the criminal scheme had been active since at least November 2020. Ptitsyn and his accomplices sold access to Phobos to other cybercriminals through a darknet website and advertised the service on shadow forums under the pseudonyms "derxan" and "zimmermanx."
The group's partners infiltrated the victims' networks, targeting schools, hospitals, and government agencies. The attackers often used stolen credentials to gain access. After the breach, the criminals copied files, encrypted systems, and demanded ransom. Organizations that refused to pay were threatened with the publication of the stolen data and the distribution of information to clients.
For each malware launch, the partners paid the administrators approximately $300 for a decryption key. The funds were transferred in cryptocurrency. The investigation established that from December 2021 to April 2024, payments for the keys were deposited into a single crypto wallet controlled by Ptitsyn.
Sentencing is scheduled for July 15. The maximum penalty for conspiracy to commit fraud is 20 years in prison.
The investigation into Phobos' activities is ongoing as part of the international Operation Aether, coordinated by Europol. In early 2026, Polish police detained a 47-year-old suspect associated with the group. During the search, law enforcement officers seized computers and mobile phones containing stolen credentials, bank card numbers, and server information.
In recent years, the operation has affected participants at various levels of the Phobos infrastructure , from server administrators to partners involved in hacking and data encryption. Results include a major operation in February 2025, which resulted in the arrest of two suspects and the seizure of 27 servers, as well as the arrest of one of the participants in the scheme in Italy in 2023. Law enforcement agencies also warned more than 400 companies worldwide about impending ransomware attacks.
International hacker Evgeny Ptitsyn has pleaded guilty to cybercrime charges related to the Phobos ransomware group. The charges relate to his involvement in a fraudulent conspiracy involving wire transfers. Investigators believe Ptitsyn to be one of the administrators of this criminal infrastructure, which has been attacking organizations worldwide for several years.
Phobos operates using the ransomware-as-a-service model and is associated with the Crysis malware family. The group's partners distributed the malware to various targets, while the platform's creators provided the infrastructure and received a share of the payments. According to ID Ransomware, Phobos accounted for approximately 11 percent of user requests for malware samples between May and November 2024.
The US Department of Justice estimates the total amount of compensation paid to the attackers at more than $39 million. Over a thousand organizations, both public and private, were affected by the attacks.
Evgeny Ptitsyn, now 43, was in South Korea. In November 2024, the country's authorities handed him over to the United States . Investigators believe he was responsible for the sale, distribution, and day-to-day operation of the malicious platform.
Case materials indicate that the criminal scheme had been active since at least November 2020. Ptitsyn and his accomplices sold access to Phobos to other cybercriminals through a darknet website and advertised the service on shadow forums under the pseudonyms "derxan" and "zimmermanx."
The group's partners infiltrated the victims' networks, targeting schools, hospitals, and government agencies. The attackers often used stolen credentials to gain access. After the breach, the criminals copied files, encrypted systems, and demanded ransom. Organizations that refused to pay were threatened with the publication of the stolen data and the distribution of information to clients.
For each malware launch, the partners paid the administrators approximately $300 for a decryption key. The funds were transferred in cryptocurrency. The investigation established that from December 2021 to April 2024, payments for the keys were deposited into a single crypto wallet controlled by Ptitsyn.
Sentencing is scheduled for July 15. The maximum penalty for conspiracy to commit fraud is 20 years in prison.
The investigation into Phobos' activities is ongoing as part of the international Operation Aether, coordinated by Europol. In early 2026, Polish police detained a 47-year-old suspect associated with the group. During the search, law enforcement officers seized computers and mobile phones containing stolen credentials, bank card numbers, and server information.
In recent years, the operation has affected participants at various levels of the Phobos infrastructure , from server administrators to partners involved in hacking and data encryption. Results include a major operation in February 2025, which resulted in the arrest of two suspects and the seizure of 27 servers, as well as the arrest of one of the participants in the scheme in Italy in 2023. Law enforcement agencies also warned more than 400 companies worldwide about impending ransomware attacks.
