Guilty Pleas in Major Cyber-Enabled Fraud and Ransomware Operations
U.S. authorities secured guilty pleas in two separate cyber-enabled criminal cases: a Ghana-based fraud ring that stole more than $100 million via business email compromise (BEC) and romance scams, and a Phobos ransomware administrator tied to a global extortion operation. The cases highlight parallel monetization paths—social engineering and payment redirection in BEC/romance schemes versus data encryption and extortion in ransomware-as-a-service (RaaS)—and both involve international arrests/extraditions to the United States.
In the fraud case, Derrick Van Yeboah (40) pleaded guilty to conspiracy to commit wire fraud and agreed to pay over $10 million in restitution for his role in a Ghana-based operation that targeted U.S. victims from 2016 to May 2023, using spoofed emails to impersonate customers/employees and laundering proceeds through U.S. intermediaries before sending funds to coordinators in West Africa. Separately, Evgenii Ptitsyn (43) pleaded guilty to wire fraud conspiracy for helping develop, sell, distribute, and operate the Phobos ransomware platform, which the U.S. DoJ says hit 1,000+ entities and extorted $16+ million; he was arrested in South Korea in 2024, extradited to the U.S., and faces up to 20 years in prison, with sentencing scheduled for July 15.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Derrick Van Yeboah pleads guilty in $100 million fraud case
Van Yeboah pleaded guilty to conspiracy to commit wire fraud for his role in a fraud ring that stole over $100 million from U.S. victims. He agreed to pay more than $10 million in restitution and is scheduled for sentencing on June 3, 2026.
Evgenii Ptitsyn pleads guilty in U.S. Phobos case
Ptitsyn pleaded guilty in the United States to wire fraud conspiracy for his role in the Phobos ransomware operation. He faces up to 20 years in prison, with sentencing scheduled for July 15, 2026.
Derrick Van Yeboah extradited to the United States
In August 2025, Ghanaian national Derrick Van Yeboah was extradited to the United States alongside named accomplices for his alleged role in the fraud ring. Prosecutors linked him to more than $10 million in victim losses.
U.S. unseals charges against two alleged Phobos operators
In February 2025, U.S. authorities unsealed charges against alleged Phobos operators Roman Berezhnoy and Egor Glebov. The action marked another public step in the broader crackdown on the ransomware operation.
Poland arrests Phobos-linked suspect in Operation Aether
Polish authorities arrested a 47-year-old suspect linked to the Phobos ransomware operation as part of the Europol-coordinated Operation Aether. The report cites this as a separate law enforcement action against the group.
Phobos suspect Evgenii Ptitsyn arrested in South Korea
Russian national Evgenii Ptitsyn was arrested in South Korea in 2024 for his alleged role in the Phobos ransomware operation. U.S. authorities later extradited him to face wire fraud conspiracy charges.
Phobos ransomware operation targets over 1,000 entities worldwide
U.S. authorities said the Phobos ransomware-as-a-service operation was used to develop, sell, distribute, and operate ransomware attacks against more than 1,000 public and private entities globally. The campaign allegedly extorted over $16 million from victims.
Fraud ring uses BEC and romance scams against U.S. victims
A Ghana-based fraud ring began targeting Americans in 2016 using business email compromise and online romance scams to trick victims and businesses into wiring money. Prosecutors said the operation continued through May 2023 and ultimately caused more than $100 million in losses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phobos Ransomware Administrator Evgenii Ptitsyn Pleads Guilty in U.S. Case
U.S. prosecutors said **Evgenii Ptitsyn**, a 43-year-old Russian national described as an administrator/leader behind the **Phobos** ransomware operation, pleaded guilty to **wire fraud conspiracy** tied to a global ransomware-and-extortion scheme. Court filings and DOJ statements cited in reporting say Phobos and its affiliates victimized **more than 1,000 organizations** worldwide and extorted **over $39 million**, with victims including U.S. healthcare providers, hospitals, educational institutions, and other essential services. Ptitsyn was arrested in **South Korea** and later extradited to the United States; he faces a **maximum of 20 years** in prison. Authorities described Phobos as an affiliate-driven operation in which administrators developed and distributed the ransomware, coordinated sales via a **darknet site**, and advertised services on criminal forums/messaging platforms, while affiliates typically gained access to victim networks—often using **stolen credentials**—to steal and encrypt data and then demand payment for decryption. Reporting also described a fee/revenue model in which affiliates paid administrators for **unique decryption keys** and administrators took a cut of proceeds; Ptitsyn agreed to forfeit **$1.77 million** and pay at least **$39.3 million** in restitution. Additional context in coverage linked Phobos to related activity (including the **8Base** strain) and noted prior law-enforcement actions against other alleged members, as well as the release of a **free Phobos decryption tool** by Japanese authorities.
Mar 21, 2026
Cybercrime Prosecutions: ATM Jackpotting Deportations and Ransomware Guilty Plea
U.S. authorities reported multiple enforcement actions against financially motivated cybercrime. In South Carolina, two Venezuelan nationals convicted in an **ATM jackpotting** scheme will be deported after serving their sentences; prosecutors said they physically accessed older ATM models, connected a laptop, and installed malware that bypassed security controls to force cash-out until the machines were emptied. The activity impacted banks across several southeastern states, with court-ordered restitution of **$285,100** and **$126,340** respectively, and investigators said evidence from the case contributed to a broader Nebraska indictment of dozens of individuals tied to a larger ATM-theft conspiracy. Separately, a Russian national, **Ianis Aleksandrovich Antropenko**, pleaded guilty in federal court to **conspiracy to commit money laundering** and **conspiracy to commit computer fraud and abuse** for leading a ransomware operation that targeted at least 50 victims over a four-year period ending in August 2022; he faces up to **25 years** in prison, financial penalties, restitution, and forfeiture, and the plea acknowledges potential immigration consequences. A third item describes convicted Bitcoin thief **Ilya Lichtenstein** seeking post-release work in cybersecurity, but it is not tied to the ATM jackpotting or Antropenko ransomware case and does not add incident-specific threat intelligence.
Mar 21, 2026
US Sentences REvil Affiliate and Jails Karakurt Operative in Ransomware Crackdown
The United States sentenced **Yaroslav Vasinskyi** (`Rabotnik`), a Ukrainian affiliate of the **Sodinokibi/REvil** ransomware operation, to **13 years and 7 months** in prison for his role in more than **2,500 attacks** that collectively sought over **$700 million** in ransom payments. Prosecutors said the scheme encrypted victim networks, threatened to leak stolen data, and used cryptocurrency exchangers and mixing services to launder proceeds; the court also ordered more than **$16 million** in restitution. U.S. authorities said related forfeiture actions recovered assets including **39.89138522 Bitcoin** and **$6.1 million**, and credited cooperation with Polish authorities for Vasinskyi’s extradition and prosecution. In a separate but related enforcement action, **Deniss Zolotarjovs**, a Latvian national tied to the **Karakurt** extortion operation and linked by investigators to the broader **Conti** ecosystem, was sentenced to **102 months** in prison after U.S. prosecutors accused him of helping pressure victims with stolen data, reviving unresolved extortion cases, and laundering cryptocurrency. Authorities said the Russian-linked group targeted more than **54 companies worldwide**, including victims whose stolen records included sensitive medical information, and generated losses exceeding **$56 million** across 13 victims with roughly **$13 million** more paid by 41 additional companies. The cases underscore sustained cross-border law enforcement action against ransomware and data-extortion actors operating through Russia-linked criminal networks.
May 25, 2026