U.S. Prosecutes Phobos Ransomware Administrator Following Extradition from South Korea

20 Nov 2024

Evgenii Ptitsyn, a Russian national accused of being a key figure in the Phobos ransomware operation, has been extradited from South Korea to the United States to face cybercrime charges. The Phobos ransomware, a ransomware-as-a-service (RaaS) platform stemming from the Crysis ransomware family, has been linked to over 1,000 cyberattacks globally, including breaches of U.S. public and private organizations. These attacks reportedly generated more than $16 million in ransom payments between November 2020 and April 2024.

According to court documents, Ptitsyn and his accomplices allegedly developed Phobos ransomware and provided affiliates with tools to carry out attacks. They operated a darknet site for distributing the ransomware and used aliases such as “derxan” and “zimmermanx” to promote their services on criminal forums.

Phobos affiliates allegedly infiltrated networks using stolen credentials, encrypted victims’ systems, and demanded ransoms, threatening to leak stolen data if payments were not made. After ransom payments were collected, affiliates transferred fees to wallets controlled by Ptitsyn and other administrators.

The Justice Department revealed that from December 2021 to April 2024, funds from these ransom payments were funneled from affiliate wallets to Ptitsyn’s cryptocurrency accounts. Each ransomware deployment was uniquely tied to a decryption key, allowing administrators to control ransom negotiations and payments.

Ptitsyn faces a 13-count indictment, including charges of wire fraud, computer fraud conspiracy, and extortion, with potential sentences of up to 20 years for each wire fraud count, 10 years for each hacking charge, and five years for conspiracy.

Justice Department officials highlighted the operation’s impact on a wide range of victims, including schools, hospitals, nonprofits, and a federally recognized tribe. Nicole M. Argentieri, head of the Justice Department’s Criminal Division, emphasized the importance of international cooperation, particularly with South Korea, in combating major cybercriminal threats.