The recent guilty plea of a Russian citizen for his role in administering the Phobos ransomware brings back to the fore how digital criminal economies work today and the collateral damage they generate. According to court documents and police releases, this ransomware-as-a-service (RaaS) operation infected hundreds of organizations around the world and is alleged to have raised tens of millions of dollars in ransom payments.
Phobos is not a new threat: security researchers have identified the family as a derivative of earlier families such as Crysis/Dharma, and its business model revolves around selling and renting tools to third parties who carry out the intrusions. A technical analysis published by Cisco Talos explains in detail the affiliate structure that, according to Talos, allowed Phobos to proliferate in underground forums and markets. That architecture makes it easier for operators with varying degrees of technical skill and organization to launch attacks without having to develop malware from scratch.

The charges against Evgenii Ptitsyn, who was extradited from South Korea in November 2024, describe an operation in which the administrators offered decryption keys in exchange for a fixed deployment fee, in addition to taking a commission on the ransom. The indictment details that each deployment was assigned a unique alphanumeric identifier to match it with the corresponding decryption key, and that the commission payments were sent to a wallet controlled by the administrators, according to court documents.
The figures emerging from the various official communications are striking. U.S. prosecutors and other sources estimate that the group behind Phobos raised more than $39 million and that the operation affected more than a thousand public and private entities. In addition, between May and November 2024, samples submitted to the ID Ransomware service attributed a significant share of reported cases to Phobos, giving an idea of its operational scope.
The operation of the Phobos ecosystem was typical of the RaaS model: administrators maintained the infrastructure, developed the malware and sold or rented access and keys to affiliates who carried out the intrusions. These affiliates, according to the prosecution, penetrated networks through stolen credentials, lateral movement and other techniques, then encrypted critical data, exfiltrated information and pressured victims through electronic and telephone channels to pay. The operation combined technological extortion with threats to leak or sell the exfiltrated data to third parties.
At the law enforcement level, the takedown of key parts of the network has been the result of a coordinated international investigation. Under the umbrella of the so-called "Operation Aether", a joint action involving several European agencies and Eurojust, the authorities have arrested suspects in different countries, seized servers and devices and notified hundreds of companies about specific risks. Europol explained that these interventions included arrests in Poland and the seizure of infrastructure in February 2025, as well as related arrests in Italy in previous years. These actions show that, although the gangs operate transnationally, cooperation between prosecutors and security forces can disrupt their operations.
From an economic point of view, the scheme is simple but effective: the affiliate model allowed less sophisticated operators to pay a fee per deployment (the prosecution mentions payments of about $300 per decryption key after an infection) while, in parallel, the administrators collected a share of the ransoms paid by the victims. The use of cryptocurrency to channel these payments initially complicated traceability, but investigators managed to follow the trail of transfers between wallets until recurring patterns emerged that link administrators and affiliates.
Beyond figures and arrests, there are human and operational consequences. Health centres, schools and public bodies are among the victims described by the investigations. For these organizations the disruption is not just an immediate economic loss: the inability to access clinical records, files or administrative systems creates real risk to people and critical functions. The reputational impact and recovery costs (system restoration, forensic audits and strengthened defences) often amount to several times the ransom paid or demanded.
The public charges against Ptitsyn and the measures to dismantle the infrastructure are a reminder that the offensive against criminal networks proceeds on two fronts: on one hand, the sustained improvement of cyberdefence by companies and public administrations; on the other, international investigation that pursues operators and blocks their monetization channels. Sector news outlets such as BleepingComputer have covered the case in detail and with technical context, providing additional pieces on chronology and scope.

For security professionals and officials, the lessons are clear: credential hygiene, network segmentation, regular and tested backups, and multifactor authentication are measures that reduce the attack surface and the likelihood that an initial access turns into a crisis. At the same time, public-private cooperation in early detection and response makes it easier to alert potential victims before the damage becomes massive, as noted by the authorities involved in the operations against Phobos.
The case also raises questions about the long-term viability of RaaS models: the ease with which digital extortion is outsourced and the profitability of the crime hide the problem behind layers of anonymity and services. However, arrests and seizures show that these models are not immune to forensic investigation and coordinated legal action. The sentencing of the Phobos administrator, set for July, will be another chapter in the judicial response to these operations.
If you want to review the original sources and go deeper, the case documents and the notes of the agencies involved are publicly available: the judicial details accompanying the prosecution can be consulted in the published filing, the technical analysis of the Phobos structure is on the Cisco Talos blog, and Europol provides information on international coordination in its communications. These readings help to understand both the technical mechanism and the collective response needed to contain threats of this nature.