Phobos Ransomware Administrator Evgenii Ptitsyn Pleads Guilty in U.S. Case
U.S. prosecutors said Evgenii Ptitsyn, a 43-year-old Russian national described as an administrator/leader behind the Phobos ransomware operation, pleaded guilty to wire fraud conspiracy tied to a global ransomware-and-extortion scheme. Court filings and DOJ statements cited in reporting say Phobos and its affiliates victimized more than 1,000 organizations worldwide and extorted over $39 million, with victims including U.S. healthcare providers, hospitals, educational institutions, and other essential services. Ptitsyn was arrested in South Korea and later extradited to the United States; he faces a maximum of 20 years in prison.
Authorities described Phobos as an affiliate-driven operation in which administrators developed and distributed the ransomware, coordinated sales via a darknet site, and advertised services on criminal forums/messaging platforms, while affiliates typically gained access to victim networks—often using stolen credentials—to steal and encrypt data and then demand payment for decryption. Reporting also described a fee/revenue model in which affiliates paid administrators for unique decryption keys and administrators took a cut of proceeds; Ptitsyn agreed to forfeit $1.77 million and pay at least $39.3 million in restitution. Additional context in coverage linked Phobos to related activity (including the 8Base strain) and noted prior law-enforcement actions against other alleged members, as well as the release of a free Phobos decryption tool by Japanese authorities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Sentencing scheduled for July 15
Following the guilty plea, the court scheduled Ptitsyn's sentencing for July 15, where he faces a maximum sentence of 20 years in prison.
Plea deal includes forfeiture and restitution terms
Under the plea agreement, prosecutors dropped several charges, while Ptitsyn agreed to forfeit about $1.77 million and pay at least $39.3 million in restitution.
Ptitsyn pleads guilty to wire fraud conspiracy
In U.S. federal court, Ptitsyn pleaded guilty to wire fraud conspiracy for his role in administering the Phobos ransomware scheme. Prosecutors said the operation used affiliates, stolen credentials, darknet infrastructure, and cryptocurrency payments to extort victims.
Ptitsyn extradited from South Korea to the U.S.
After his arrest, Ptitsyn was extradited from South Korea to the United States in November 2024, according to most reports, to face federal charges related to Phobos.
South Korea arrests Evgenii Ptitsyn
Ptitsyn was arrested in South Korea in May 2024 as part of the international law-enforcement case targeting the Phobos ransomware operation.
California school system pays $300,000 ransom
One disclosed victim example was a California public school system that paid a $300,000 ransom in 2023 following a Phobos attack.
Phobos extorts over 1,000 victims worldwide
Authorities said Phobos and its affiliates went on to compromise more than 1,000 organizations globally, including many U.S. healthcare, education, and essential-service entities, collecting more than $39 million in ransom payments.
Ptitsyn takes leadership role in Phobos
Court records cited by multiple reports say Evgenii Ptitsyn assumed a leadership role in the Phobos ransomware operation in January 2022, overseeing distribution and affiliate coordination.
Phobos ransomware activity begins
Prosecutors said Phobos ransomware activity began by November 2020, with the operation later growing into a global affiliate-based extortion scheme.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Russian man admits role in global Phobos ransomware attacks | brief | SC Media
scworld.com
Open sourcePhobos ransomware leader pleads guilty, faces up to 20 years in prison | CyberScoop
cyberscoop.com
Open sourcePhobos ransomware leader facing 20 years in prison after pleading guilty to hacking charges | The Record from Recorded Future News
therecord.media
Open sourceRussian Ransomware Administrator Pleads Guilty to Wire Fraud Conspiracy - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Guilty Pleas in Major Cyber-Enabled Fraud and Ransomware Operations
U.S. authorities secured guilty pleas in two separate cyber-enabled criminal cases: a Ghana-based fraud ring that stole more than **$100 million** via **business email compromise (BEC)** and romance scams, and a **Phobos** ransomware administrator tied to a global extortion operation. The cases highlight parallel monetization paths—social engineering and payment redirection in BEC/romance schemes versus data encryption and extortion in ransomware-as-a-service (RaaS)—and both involve international arrests/extraditions to the United States. In the fraud case, **Derrick Van Yeboah** (40) pleaded guilty to conspiracy to commit wire fraud and agreed to pay **over $10 million** in restitution for his role in a Ghana-based operation that targeted U.S. victims from 2016 to May 2023, using spoofed emails to impersonate customers/employees and laundering proceeds through U.S. intermediaries before sending funds to coordinators in West Africa. Separately, **Evgenii Ptitsyn** (43) pleaded guilty to wire fraud conspiracy for helping develop, sell, distribute, and operate the **Phobos** ransomware platform, which the U.S. DoJ says hit **1,000+** entities and extorted **$16+ million**; he was arrested in South Korea in 2024, extradited to the U.S., and faces up to **20 years** in prison, with sentencing scheduled for July 15.
Mar 21, 2026
Poland Arrests Suspected Phobos Ransomware Affiliate in Europol Operation Aether
Polish law enforcement arrested a **47-year-old man** in the Małopolska/Lesser Poland region on suspicion of involvement with the **Phobos ransomware** operation as part of **Europol-coordinated Operation Aether** targeting Phobos-linked infrastructure and affiliates. During a search of the suspect’s residence, Poland’s Central Bureau/Central Office for Combating Cybercrime (**CBZC**) seized devices and data investigators said could enable unauthorized access and ransomware activity, including **stolen credentials**, **passwords**, **credit card numbers**, and **server IP/access data**. Authorities said technical analysis indicated the seized materials could be used to breach electronic security and support “various attacks, including ransomware,” and alleged the suspect used **encrypted messaging** to communicate with the Phobos criminal group. Reporting also noted the seizure of a laptop and multiple smartphones, and that the suspect was charged with offenses related to creating/acquiring/sharing tools or data used to unlawfully obtain information and facilitate unauthorized system access; if convicted, he faces up to **five years** in prison. Operation Aether reporting additionally linked the enforcement activity to efforts against **8Base**, described as a ransomware group believed to be connected to Phobos.
Mar 21, 2026
International Takedown Disrupts Phobos and 8Base Ransomware Networks
Authorities in a coordinated international operation arrested alleged key affiliates tied to the **Phobos** ransomware-as-a-service operation and the **8Base** extortion group, with enforcement actions reported across multiple jurisdictions including Thailand. The U.S. Department of Justice said Phobos affiliates were arrested as part of a broader disruption effort, while Europol described the suspects as central figures behind two of the most active ransomware threats targeting organizations worldwide. The crackdown also included the seizure of **8Base** infrastructure, including its leak site, dealing a visible blow to the group’s public extortion operations. Reporting from Europol and security outlets linked **8Base** closely to **Phobos**, indicating that investigators targeted both the malware supply chain and the actors using it to conduct intrusions, encrypt systems, and pressure victims into paying ransoms.
May 25, 2026