Russian Admin of Phobos Ransomware Pleads Guilty to Multi-Million Dollar Wire Fraud Conspiracy

Russian national Evgenii Ptitsyn pleads guilty to Phobos ransomware conspiracy after extorting $39 million from hospitals and schools worldwide.

By: AXL Media

Published: Mar 5, 2026, 4:09 AM EST

Source: The information in this article was sourced from BleepingComputer

Ransomware Administrator Admits to Orchestrating Global Cyber Extortion Campaign

Evgenii Ptitsyn admitted in federal court on Thursday to overseeing the daily operations of the Phobos ransomware family, a prolific criminal enterprise that has plagued public and private sectors for years. According to the Department of Justice, Ptitsyn acted as a central administrator for the ransomware-as-a-service (RaaS) model, which provided malicious software to criminal affiliates in exchange for a cut of the profits. Following his extradition from South Korea in late 2024, Ptitsyn's guilty plea marks a significant victory for international law enforcement. The gang’s activities were vast, accounting for approximately 11% of all global ransomware submissions during peak periods in 2024.

Darknet Marketing and Affiliate Structures Fueled Phobos Expansion

The Phobos operation relied on a sophisticated affiliate model, where Ptitsyn marketed the encryption tools on various darknet forums using the pseudonyms "derxan" and "zimmermanx." Affiliates were recruited to carry out the technical labor of breaching target networks, often utilizing stolen credentials to gain unauthorized access. Once inside, these criminals exfiltrated sensitive data and deployed the encryption payload to paralyze the victim's operations. According to court documents, Ptitsyn maintained a central cryptocurrency wallet that served as a clearinghouse for "decryption key fees," ensuring that the administration received a payment for every successful attack carried out by their associates.

Aggressive Extortion Tactics Targeted Schools and Healthcare Facilities

The impact of the Phobos syndicate extended far beyond financial loss, as the group frequently targeted vulnerable sectors such as hospitals, schools, and government agencies. When victims proved reluctant to pay the ransom, affiliates employed aggressive secondary extortion tactics, including threatening phone calls and emails to staff and customers. According to the indictment, the gang threatened to leak stolen files online if their demands were not met, causing significant distress to public institutions. This multi-layered approach to extortion was a hallmark of Ptitsyn’s management, which prioritized maximum pressure to ensure a steady stream of ransom payments.
