Phobos ransomware administrator pleads guilty in US court

Key operator in global ransomware scheme admits to role in multimillion-dollar extortion campaign.

Guilty plea in long-running ransomware case

A 43-year-old Russian national has pleaded guilty in the United States to conspiracy to commit wire fraud for his alleged involvement in the infamous Phobos ransomware operation.

Evgenii Ptitsyn, arrested in South Korea in 2024 and later extradited, could now face a prison sentence of up to 20 years. Sentencing is scheduled for mid-July.

US prosecutors allege Ptitsyn played a pivotal role in sustaining the ransomware enterprise, which compromised more than 1,000 public and private sector organizations globally. Authorities estimate that the operation generated over $16 million in ransom payments during its active years.

Ransomware-as-a-Service (RaaS) model under scrutiny

According to court filings, Ptitsyn helped manage and promote Phobos as a ransomware-as-a-service (RaaS) platform. Under various monikers, he allegedly facilitated access to the malware for criminal affiliates who carried out attacks and extortion campaigns.

Investigators detailed a structured payment model in which affiliates paid administrators for decryption keys after successful attacks. Each deployment was tied to a specific identifier, and cryptocurrency wallets were used to channel proceeds. Prosecutors say funds were ultimately consolidated into wallets under Ptitsyn’s control, with administrators also taking shares of victim ransom payments.

International crackdown expands

Ptitsyn’s plea follows a wider international operation aiming to dismantle the Phobos network. Earlier this year, US authorities unsealed charges against two other Russians accused of operating within the same ecosystem. Their arrests were part of a coordinated action targeting the group’s infrastructure.

Polish law enforcement also detained a 47-year-old suspect believed to have supported the operation. Officers seized electronic devices containing credentials, financial data and server information, as well as evidence of encrypted communications with alleged Phobos members. The arrest formed part of Operation Aether, a Europol-backed initiative aimed at disrupting ransomware actors and their enablers across multiple jurisdictions.