Polish Cybercrime Police Arrest Man Linked to Phobos Ransomware Operation
Date: February 17, 2026
Author: Pierluigi Paganini
The Arrest of a Suspected Cybercriminal
In a significant move against cybercrime, authorities in Poland arrested a 47-year-old man believed to be associated with the notorious Phobos ransomware operation. This man’s arrest is part of a larger initiative led by the Central Bureau of Cybercrime Control (CBZC), which aims to dismantle ransomware networks operating within and beyond Polish borders.
Details of the Arrest
The CBZC reported that evidence of illegal activities was found on the suspect’s seized devices. According to a press release, this included sensitive data such as logins, passwords, and credit card information, which could potentially be used to breach various electronic systems. Furthermore, communications using encrypted messaging indicated a direct link between the suspect and the infamous Phobos criminal group, known for its ruthless ransomware attacks.
Police conducted a well-coordinated operation across two locations in Poland, leading to the seizure of computers and smartphones that contained incriminating evidence. The aim of the operation, dubbed “Operation Aether,” involved collaboration with various cybercrime units and was partly facilitated by Europol.
Phobos Ransomware: An Overview
The Phobos ransomware operation operates on a Ransomware-as-a-Service (RaaS) model, allowing affiliates to utilize its sophisticated malware for cyberattacks while splitting the ransom proceeds. This approach has led to over 1,000 reported victims globally, targeting a diverse range of organizations, including healthcare providers, educational institutions, and even government entities.
Ransom amounts linked to Phobos have reportedly exceeded $16 million, with average demands reaching about $54,000. These figures underline the lucrative, albeit illegal, nature of ransomware operations in the current digital landscape.
High-Profile Connections
The recent arrest adds to a growing record of actions against key individuals connected to Phobos. In a notable case from November 2024, Russian national Evgenii Ptitsyn, a suspected primary operator of the ransomware, was extradited from South Korea to face multiple cybercrime charges in the United States. Ptitsyn has been linked to the evolution and distribution of Phobos ransomware since its inception in late 2020.
Mechanisms of Operation
According to legal documents, Ptitsyn allegedly facilitated the operation of Phobos through underground darknet forums, where he sold the ransomware under various aliases. His operations typically followed the RaaS model, allowing other criminals to engage in ransomware attacks after purchasing decryption keys from him. This business model has proven to be immensely profitable, as it enables a broader network of criminals to capitalize on the ransomware while sharing a portion of the earnings with its developers.
The Impact of Ransomware
The rise of ransomware attacks, particularly those executed by organized groups like Phobos, reflects a troubling trend in cybercrime. Targets often experience devastating impacts due to data loss, financial strain, and damage to their reputation. The knock-on effects can extend beyond the immediate victims, influencing broader economic and social systems.
As the cyber landscape continues to evolve, law enforcement agencies are ramping up their efforts to curb rampant cybercrime and bring those responsible to justice. The Polish authorities’ recent actions represent just one facet of an ongoing global struggle against ransomware and related cyber threats.
For further updates on this developing story and more insights into cybercrime, follow @securityaffairs on Twitter or check the latest articles at SecurityAffairs.