Russian Ransomware Administrator Pleads Guilty to Wire Fraud Conspiracy

Greenbelt, Maryland - A Russian national pled guilty in federal court today to a charge connected to a ransomware conspiracy.

Evgenii Ptitsyn, 43, administered the sale, distribution, and operation of Phobos ransomware. Phobos ransomware, through its affiliates, victimized more than 1,000 public and private entities in the United States and around the world, and extorted ransom payments worth more than $39 million. Ptitsyn, who authorities extradited from South Korea in November 2024, pled guilty in federal court to wire fraud conspiracy.

Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the guilty plea with Assistant Attorney General A. Tysen Duva, Department of Justice (DOJ) - Criminal Division, Assistant Director Brett Leatherman, FBI Cyber Division, and Special Agent in Charge Jimmy Paul, FBI Baltimore Field Office.

According to the guilty plea, beginning in at least November 2020, Ptitsyn and others conspired to engage in an international computer hacking and extortion scheme that victimized public and private entities through the deployment of Phobos ransomware. As part of the scheme, Ptitsyn and his co-conspirators developed and offered access to Phobos ransomware to other criminals or "affiliates" to encrypt victims' data and extort ransom payments from victims. The administrators operated a darknet website to coordinate the sale and distribution of Phobos ransomware to co-conspirators and used online monikers to advertise their services on criminal forums and messaging platforms.

Affiliates then hacked into the victims' computer networks, often using stolen or otherwise unauthorized credentials; copied and stole files and programs on the victims' networks; and encrypted the original versions of the stolen data on the networks by installing and executing Phobos ransomware. Then affiliates extorted the victims for ransom payments in exchange for decryption keys to regain access to encrypted data by leaving ransom notes on compromised victims' computers and calling and emailing victims to initiate the ransom payment negotiations. Additionally, affiliates threatened to expose victims' stolen files to the public - or to the victims' clients, customers, or constituents - if the victims didn't pay.

After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators like Ptitsyn for a decryption key to regain access to the encrypted files. Each deployment of Phobos ransomware was assigned a unique alphanumeric string to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to the affiliate. From December 2021 to April 2024, the decryption key fees were then transferred from the unique affiliate cryptocurrency wallet to a wallet Ptitsyn controlled. Ptitsyn also received a portion of the ransomware payments made by victims.

Ptitsyn faces a maximum penalty of 20 years in prison for wire fraud count. Sentencing is set for Wednesday, July 15, at 2:30 p.m.

U.S. Attorney Kelly O. Hayes commended the FBI, along with law enforcement partners in South Korea, the United Kingdom, Japan, Spain, Belgium, Poland, Czech Republic, France, Romania, and Europol, and the U.S. Department of Defense Cyber Crime Center, for its work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorney Thomas M. Sullivan, along with Senior Counsel Frank Lin of the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS), who are prosecuting this federal case.

Additional details on protecting networks against Phobos ransomware are available at StopRansomware.govLinks to other government and non-government sites will typically appear with the "external link" icon to indicate that you are leaving the Department of Justice website when you click the link., including Cybersecurity and Infrastructure Security Agency Advisory AA24-060A.

For more information about the Maryland U.S. Attorney's Office, its priorities, and resources available to report fraud, please visit justice.gov/usao-md and justice.gov/usao-md/report-fraud.

# # #