Poland Arrests Suspected Phobos Ransomware Affiliate in Europol Operation Aether
Polish law enforcement arrested a 47-year-old man in the Małopolska (Lesser Poland) region on suspicion of involvement with the Phobos ransomware operation, as part of the Europol-coordinated Operation Aether targeting Phobos-linked infrastructure and affiliates. During a search of the suspect’s residence, Poland’s Central Bureau for Combating Cybercrime (CBZC, also rendered as the Central Office for Combating Cybercrime) seized devices and data that investigators said could enable unauthorized access and ransomware activity, including stolen credentials, passwords, credit card numbers, and server IP/access data.
Authorities said technical analysis indicated the seized materials could be used to breach electronic security and support “various attacks, including ransomware,” and alleged the suspect used encrypted messaging to communicate with the Phobos criminal group. Reporting also noted the seizure of a laptop and multiple smartphones, and that the suspect was charged with offenses related to creating, acquiring, or sharing tools or data used to unlawfully obtain information and facilitate unauthorized system access; if convicted, he faces up to five years in prison. Operation Aether reporting additionally linked the enforcement activity to efforts against 8Base, described as a ransomware group believed to be connected to Phobos.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Investigators seize devices and cybercrime data in the Poland raid
During the raid, police seized a laptop or computer, multiple smartphones, payment cards, and other items, and reported finding stolen credentials, passwords, credit card numbers, server IP addresses, and related access data. Investigators said the materials could facilitate unauthorized access and ransomware attacks.
Polish police arrest and charge alleged Phobos affiliate
Poland's Central Bureau of Cybercrime Control arrested a 47-year-old man in the Małopolska region on suspicion of involvement with the Phobos ransomware operation. Authorities said he used encrypted messaging to communicate with the group and charged him with creating, obtaining, and sharing tools used for illegal access to IT systems.
Europol-led Operation Aether identifies a Polish Phobos suspect
A Europol-led multinational operation conducted in February 2025, referred to in reporting as Operation Aether, identified a suspect in Poland allegedly tied to the Phobos ransomware ecosystem. The operation targeted Phobos operators, affiliates, and infrastructure internationally.
Alleged Phobos administrator Evgenii Ptitsyn is extradited to the US
In November 2024, alleged Phobos developer and administrator Evgenii Ptitsyn was extradited from South Korea to the United States to face cybercrime charges tied to Phobos development and operations. Reporting says Phobos-linked activity declined after his extradition.
US authorities warn Phobos is hitting critical infrastructure
In February 2024, U.S. authorities warned that Phobos ransomware was affecting U.S. state, local, tribal, and territorial governments and other critical infrastructure organizations. The warning highlighted the growing operational impact of the ransomware-as-a-service group.
8Base ransomware activity increases as a Phobos-linked spinoff
The 8Base ransomware group, described as linked to the Phobos ecosystem, increased its activity in summer 2023 and claimed several high-profile victims. Later reporting connected 8Base to broader law-enforcement actions targeting Phobos infrastructure and affiliates.
Sources
8 references tracked.
Polish police detain suspect linked to Phobos ransomware group | SC Media (scworld.com)
Polish authorities arrest alleged Phobos ransomware affiliate | CyberScoop (cyberscoop.com)
Polish cybercrime Police arrest man linked to Phobos ransomware operation (securityaffairs.com)
Polish cops arrest 47-year-old man in Phobos ransomware raid • The Register (theregister.com)
47-year-old linked to the Phobos group detained by CBZC officers - News - Centralne Biuro Zwalczania Cyberprzestępczości (cbzc.policja.gov.pl)
Polish police detain alleged cybercriminal with Phobos ransomware ties | The Record from Recorded Future News (therecord.media)
Polish cops arrest 47-year-old man in Phobos ransomware raid • The Register (go.theregister.com)
Poland arrests suspect linked to Phobos ransomware operation - DataBreaches.Net (databreaches.net)


