International Takedown Disrupts Phobos and 8Base Ransomware Networks
Authorities in a coordinated international operation arrested alleged key affiliates tied to the Phobos ransomware-as-a-service operation and the 8Base extortion group, with enforcement actions reported across multiple jurisdictions including Thailand. The U.S. Department of Justice said Phobos affiliates were arrested as part of a broader disruption effort, while Europol described the suspects as central figures behind two of the most active ransomware threats targeting organizations worldwide.
The crackdown also included the seizure of 8Base infrastructure, including its leak site, dealing a visible blow to the group’s public extortion operations. Reporting from Europol and security outlets linked 8Base closely to Phobos, indicating that investigators targeted both the malware supply chain and the actors using it to conduct intrusions, encrypt systems, and pressure victims into paying ransoms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Polish police arrest suspect in Phobos ransomware investigation
Polish authorities arrested a 47-year-old man in connection with the Phobos ransomware operation. The arrest represented a new follow-on law-enforcement action after the February 2025 international crackdown on Phobos and 8Base.
International operation publicly announced against Phobos and 8Base
Europol, the U.S. Department of Justice, and partner agencies publicly disclosed a coordinated international crackdown on Phobos and 8Base, detailing arrests, infrastructure seizures, and the disruption of the ransomware operations. The announcement marked the formal public attribution of the action to a multinational law-enforcement effort.
US unseals charges against alleged Phobos ransomware administrator
The U.S. Department of Justice announced criminal charges against an alleged Phobos administrator tied to the ransomware scheme. The case formed part of the broader international disruption effort targeting the group's operators and affiliates.
Four alleged Phobos/8Base operators arrested in Thailand
Thai authorities arrested four individuals accused of carrying out ransomware attacks using Phobos and 8Base. The suspects were described as key affiliates or figures tied to the operations.
International authorities seize 8Base leak and negotiation infrastructure
As part of a coordinated disruption, law enforcement seized websites used by the 8Base ransomware group, including its data-leak and negotiation portals. The takedown disrupted the group's public extortion infrastructure.
Alleged Phobos IT administrator extradited to the United States
An alleged IT administrator for the Phobos ransomware operation was extradited to the United States to face criminal proceedings. The extradition marked a concrete law-enforcement step against a suspected core operator before the broader public crackdown announced in February 2025.
8Base becomes a major Phobos-linked ransomware actor in 2024
Threat-intelligence and law-enforcement reporting identified 8Base as one of the most active ransomware groups of 2024 and linked it to the Phobos ransomware ecosystem. The group used Phobos ransomware in attacks against victims worldwide.
Phobos ransomware operation emerges and begins targeting organizations
Phobos became an active ransomware-as-a-service operation that went on to compromise more than 1,000 public and private entities worldwide, according to later law-enforcement reporting. The group caused losses exceeding $16 million through extortion demands and related damage.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Polish cops arrest 47-year-old man in Phobos ransomware raid
theregister.com
Open sourceCe business juteux autour du rançongiciel Phobos - ZDNET
zdnet.fr
Open sourceA deep dive into Phobos ransomware, recently deployed by 8Base group | Jason P.
linkedin.com
Open sourceDistrict of Maryland | Phobos Ransomware Affiliates Arrested in Coordinated International Disruption | United States Department of Justice
justice.gov
Open sourceKey figures behind Phobos and 8Base ransomware arrested in international cybercrime crackdown - Threat intelligence identifies Phobos and 8Base as among the most active ransomware groups of 2024 | Europol
europol.europa.eu
Open sourceAll your 8Base are belong to us as ransomware crew busted
theregister.com
Open sourceAlleged Phobos ransomware IT admin extradited to US
theregister.com
Open sourceOffice of Public Affairs | Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charges | United States Department of Justice
justice.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phobos Ransomware Administrator Evgenii Ptitsyn Pleads Guilty in U.S. Case
U.S. prosecutors said **Evgenii Ptitsyn**, a 43-year-old Russian national described as an administrator/leader behind the **Phobos** ransomware operation, pleaded guilty to **wire fraud conspiracy** tied to a global ransomware-and-extortion scheme. Court filings and DOJ statements cited in reporting say Phobos and its affiliates victimized **more than 1,000 organizations** worldwide and extorted **over $39 million**, with victims including U.S. healthcare providers, hospitals, educational institutions, and other essential services. Ptitsyn was arrested in **South Korea** and later extradited to the United States; he faces a **maximum of 20 years** in prison. Authorities described Phobos as an affiliate-driven operation in which administrators developed and distributed the ransomware, coordinated sales via a **darknet site**, and advertised services on criminal forums/messaging platforms, while affiliates typically gained access to victim networks—often using **stolen credentials**—to steal and encrypt data and then demand payment for decryption. Reporting also described a fee/revenue model in which affiliates paid administrators for **unique decryption keys** and administrators took a cut of proceeds; Ptitsyn agreed to forfeit **$1.77 million** and pay at least **$39.3 million** in restitution. Additional context in coverage linked Phobos to related activity (including the **8Base** strain) and noted prior law-enforcement actions against other alleged members, as well as the release of a **free Phobos decryption tool** by Japanese authorities.
Mar 21, 2026
Poland Arrests Suspected Phobos Ransomware Affiliate in Europol Operation Aether
Polish law enforcement arrested a **47-year-old man** in the Małopolska/Lesser Poland region on suspicion of involvement with the **Phobos ransomware** operation as part of **Europol-coordinated Operation Aether** targeting Phobos-linked infrastructure and affiliates. During a search of the suspect’s residence, Poland’s Central Bureau/Central Office for Combating Cybercrime (**CBZC**) seized devices and data investigators said could enable unauthorized access and ransomware activity, including **stolen credentials**, **passwords**, **credit card numbers**, and **server IP/access data**. Authorities said technical analysis indicated the seized materials could be used to breach electronic security and support “various attacks, including ransomware,” and alleged the suspect used **encrypted messaging** to communicate with the Phobos criminal group. Reporting also noted the seizure of a laptop and multiple smartphones, and that the suspect was charged with offenses related to creating/acquiring/sharing tools or data used to unlawfully obtain information and facilitate unauthorized system access; if convicted, he faces up to **five years** in prison. Operation Aether reporting additionally linked the enforcement activity to efforts against **8Base**, described as a ransomware group believed to be connected to Phobos.
Mar 21, 2026
International Law Enforcement Takedown of LeakBase Cybercrime Marketplace
An international law-enforcement operation involving the **FBI**, **Europol**, and authorities across **14 countries** seized infrastructure used by **LeakBase**, a major cybercrime marketplace/forum used to trade stolen data, exploits, and hacking services. Investigators reportedly seized LeakBase domains, displayed seizure banners, executed search warrants, and made arrests; forum data (including user accounts, messages, and IP logs) was preserved to support follow-on investigations and deterrence efforts. Separate reporting in the same news cycle described other unrelated cyber developments, including Europol-led disruption of the **Tycoon2FA** phishing-as-a-service platform (used for adversary-in-the-middle MFA bypass), a guilty plea tied to the **Phobos** ransomware operation, a newly documented China-linked espionage cluster (**CL-UNK-1068**) targeting critical sectors in Asia, an unverified **ShinyHunters** extortion claim against *Woflow*, suspected DPRK-linked intrusions against cryptocurrency firms, and a pro-Iranian/pro-Palestinian ransomware ecosystem shift from **Sicarii** to **BQTLock**. Those items do not materially change the core LeakBase takedown but indicate continued pressure on cybercrime infrastructure alongside ongoing ransomware and espionage activity.
Mar 21, 2026