Phobos Ransomware Affiliate Arrested in Poland in Global Crackdown

Written by:
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Key Arrest: Polish police have detained a 47-year-old man in the Małopolska region for his alleged involvement with the Phobos ransomware group.
  • International Effort: The arrest is part of Operation Aether, a coordinated international crackdown targeting Phobos developers and affiliates across Europe and beyond.
  • Seized Assets: Authorities found files containing logins, passwords, credit card numbers, as well as encrypted comms linked to Phobos.

A 47-year-old suspect believed to be an affiliate of the notorious Phobos ransomware operation was detained in the Małopolska region as part of a coordinated action by police in Katowice and Kielce, Poland’s Central Bureau for Combating Cybercrime has announced. 

Part of a Larger Cybercrime Operation

The individual, whose identity is yet to be revealed, is suspected of “creating, acquiring, and sharing computer programs used to unlawfully obtain information stored in computer systems.” 

During the raid, officers found encrypted messages linking him to the notorious group and secured files containing logins, passwords, credit card numbers, and server IP addresses.

Polish authorities seizure | Source: Poland’s Office for Combating Cybercrime

The victims include (specific reported cases):

This detention is part of Operation Aether, a broader European initiative to dismantle the Phobos infrastructure. This international effort has led to the arrest of both the ransomware's back-end developers and the affiliates responsible for conducting attacks, Polish Police said. 

Implications for Cybersecurity Enforcement

The Phobos gang was known for attacking a wide range of entities and accepting smaller ransoms, making them a persistent threat. These coordinated actions disrupt operations and send a clear message that affiliates are not immune from prosecution.

The Polish cybercrime operation follows the extradition of the alleged Phobos administrator, Evgenii Ptitsyn, to the U.S. in 2024 and raids in Thailand that apprehended other key members. 

Phobos and its related strain, 8Base, have collected millions from victims since 2019 by targeting critical infrastructure.

In early 2025, a law enforcement operation led to the arrest of four Russian nationals suspected of deploying Phobos ransomware. In 2023, an affiliate in Italy was arrested on a French warrant, and in 2024, a Phobos administrator was apprehended in South Korea and extradited to the U.S.

