Federal prosecutors have unsealed criminal charges against Evgenii Ptitsyn, a 42-year-old Russian national, for allegedly running the Phobos ransomware operation that targeted over 1,000 organizations worldwide and extorted more than $16 million in ransom payments.
Ptitsyn made his first court appearance in Maryland on November 4 following his extradition from South Korea. He faces multiple charges including wire fraud conspiracy, computer fraud, and extortion related to hacking.
According to prosecutors, starting in November 2020, Ptitsyn and his associates operated a sophisticated ransomware scheme by developing and selling access to Phobos malware through darknet websites. Using the online aliases "derxan" and "zimmermanx", Ptitsyn allegedly coordinated with criminal affiliates who would breach victim networks, steal sensitive data, and deploy the ransomware.
The operation's typical attack pattern involved affiliates compromising networks with stolen credentials, copying files, and encrypting victims' data using Phobos. They would then demand ransom payments in exchange for decryption keys while threatening to leak stolen information publicly if demands weren't met.
The indictment details how affiliates paid fees to administrators like Ptitsyn to obtain decryption keys after successful attacks. Each ransomware deployment had a unique identifier linked to specific decryption keys, with affiliates directed to send payments to designated cryptocurrency wallets. Between December 2021 and April 2024, these payments were allegedly transferred to wallets under Ptitsyn's control.
If convicted, Ptitsyn could face up to 20 years in prison for each wire fraud count, 10 years for computer hacking charges, and 5 years for conspiracy to commit computer fraud. The final sentence will be determined by a federal judge based on sentencing guidelines and other factors.
This case represents another step in international efforts to combat ransomware operations that continue to threaten organizations globally through sophisticated cyber extortion schemes.