
Phobos ransomware leader pleads guilty, faces up to 20 years in prison

5 March 2026 at 12:59

Russian national Evgenii Ptitsyn pleaded guilty to running the Phobos ransomware outfit that extorted more than $39 million from more than 1,000 victims globally, the Justice Department said Wednesday.

Ptitsyn assumed a leadership role in the Phobos ransomware group in January 2022, yet his criminal activities began by April 2019, according to court records. He continued leading the cybercrime syndicate until May 2024 when he was arrested in South Korea. Ptitsyn was extradited to the United States in November 2025.

Federal prosecutors dropped multiple charges against Ptitsyn as part of a plea agreement he signed last month. He faces up to 20 years in prison for wire fraud conspiracy.

Ptitsyn agreed to forfeit $1.77 million in assets and is required to pay at least $39.3 million in restitution, representing the full amount of his victims’ losses.

The 43-year-old pleaded guilty to engaging in a global ransomware scheme with co-conspirators beginning in November 2020. Ptitsyn and alleged associates distributed Phobos ransomware to other co-conspirators who broke into victim networks, often with stolen credentials, to steal and encrypt data, which they used to extort victims for payment.

Phobos ransomware administrators operated a site to coordinate the sale and distribution of Phobos ransomware to co-conspirators. Affiliates who successfully attacked victims with the ransomware paid $300 to administrators for a unique decryption key.

Ptitsyn controlled multiple cryptocurrency wallets that received thousands of decryption key fees from affiliates who used Phobos to extort victims. He received 25% of the decryption key payment and sometimes received a portion of ransomware payments.

“Ptitsyn and others were responsible for dozens of ransomware attacks against U.S. victims, including health care companies, hospitals, educational institutions, and providers of essential services,” federal prosecutors said in a stipulation of facts in his plea agreement.

Phobos ransomware victims paid a collective amount of $30 million in ransoms, based on the value at the time of payment, according to court records. Victims also suffered losses of at least $9.3 million from Phobos ransomware attacks, including a U.S. educational institution that reported losses exceeding $4 million.

“Ptitsyn and other members of the Phobos ransomware conspiracy launched ransomware attacks against more than 1,000 victims around the world, including at least 890 victims located in the United States,” prosecutors said.

Officials provided details about 15 unnamed U.S. victims that paid a combined $536,000 in ransoms at the time of payment. Victims included a Maryland-based company that provided accounting and consulting services to federal agencies, an Illinois-based contractor for the Departments of Defense and Energy, and a children’s hospital in North Carolina.

You can read the facts entered into court records as part of Ptitsyn’s plea agreement below.

The post Phobos ransomware leader pleads guilty, faces up to 20 years in prison appeared first on CyberScoop.

Polish authorities arrest alleged Phobos ransomware affiliate

17 February 2026 at 13:23

Polish officials arrested a 47-year-old man accused of participating in ransomware attacks as an affiliate for the Phobos ransomware group, the country’s Central Bureau for Combating Cybercrime said Tuesday.

Authorities did not name the man who was arrested during a raid on his apartment in the Małopolskie province, but said he faces up to five years in prison for his alleged crimes.

The arrest is the latest in a series of coordinated law enforcement actions targeting people involved with Phobos ransomware attacks, which were also carried out by the 8base ransomware group. Polish officials said they identified the suspect through the “Phobos Aetor” operation, a Europol-led effort involving agencies across Europe, Asia and North America that took place in February 2025.

Officials accused the 47-year-old man of possessing credentials, credit card numbers and IP addresses for servers that may have been used to conduct various attacks. He also had tools that could breach servers and used encrypted messaging platforms to communicate with others linked to Phobos, police said.

During the raid, police said they seized a computer and multiple mobile phones that were used to commit cyberattacks. The unnamed suspect was charged with producing, obtaining and sharing computer programs used to illegally obtain information stored on IT systems.

Phobos ransomware had claimed more than 1,000 victims globally and received more than $16 million in extortion payments by February 2025, according to the Justice Department. Victims of Phobos ransomware attacks, which date back to at least November 2020, include hospitals, schools, non-profit organizations, and a company that contracted with the Defense Department, officials said.

Malicious activity linked to Phobos significantly declined when Russian national Evgenii Ptitsyn, the alleged developer and administrator of Phobos ransomware, was extradited from South Korea to the United States in November 2024.

Ptitsyn, also known as “derxan” and “zimmermanx,” was charged with multiple counts of cybercrime, including wire fraud, wire fraud conspiracy, conspiracy to commit computer fraud and abuse, extortion in relation to hacking and causing intentional damage to protected computers.

Pretrial motions for his case are due this week in the U.S. District Court of Maryland.

The post Polish authorities arrest alleged Phobos ransomware affiliate appeared first on CyberScoop.
