Russian national pleads guilty in U.S. court for administering Phobos ransomware

Evgenii Ptitsyn, a Russian national, pleaded guilty March 4, 2026, in federal court in Maryland to a wire-fraud conspiracy for his role as an administrator of the Phobos ransomware-as-a-service operation, prosecutors said. Ptitsyn was extradited from South Korea to the United States in November 2024 and is accused of overseeing the sale, distribution and day-to-day operation of the malware network that security officials say has struck more than 1,000 public and private entities worldwide.

U.S. authorities describe Phobos as a classic RaaS model in which administrators supply ransomware to affiliates who carry out intrusions, encrypt victims’ files and demand payment for decryption. The operation is alleged to have run since at least November 2020, with distribution coordinated through a Tor-based website and advertising on criminal forums and messaging platforms. Affiliates typically gained initial access through phishing campaigns or by exploiting Remote Desktop Protocol access.

Technical details in the Justice Department excerpts outline a systematic affiliate workflow: each deployment of Phobos was assigned a unique alphanumeric identifier to match victims to decryption keys, and affiliates were directed to pay fees to cryptocurrency wallets unique to each affiliate. BleepingComputer linked Phobos to the Crysis ransomware family and said the group accounted for about 11 percent of submissions to the ID Ransomware service between May 2024 and November 2024. News outlets report Ptitsyn advertised the service under darknet handles "derxan" and "zimmermanx."

The scale of Phobos and the sums at stake are a point of discrepancy among reporters. The Justice Department and related releases cited in several outlets state the operation received more than $16 million in ransom payments. A separate report attributed a higher figure — more than $39 million — to DOJ sources; that report includes a typographical error and the Department of Justice filings or the superseding indictment should be consulted to reconcile the difference.

Alongside Ptitsyn’s plea, the Justice Department unsealed charges and said coordinated international disruption led to the arrests of two other alleged operators, Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, and to technical measures against the group’s infrastructure. The DOJ materials note the involvement of allied law enforcement and defensive cyber partners in the operation.

The case drew public comment from the American Hospital Association. John Riggi, national advisor for cybersecurity and risk at the AHA, said: “This combined law enforcement operation led by the FBI and assisted by allied nations and, notably, the U.S. Department of Defense Cyber Crime Center is a big win for the 'good guys.' The Phobos ransomware-as-a-service organization conducted multiple attacks against U.S. hospitals that disrupted patient care and posed a risk to patient and community safety. Sustained enforcement operations such as this are crucial for deterrence purposes and to degrade the capability of foreign cyber terrorists to attack U.S. health care. It is also vital for U.S. health care and all ransomware victims to continue timely and robust cooperation with federal agencies to enable such operations.”

Sources report Ptitsyn’s age as 43; one outlet lists him as 42. The plea resolves criminal exposure for the admitted wire-fraud conspiracy, and further details including any sentencing schedule and the full financial accounting of ransoms are expected to be clarified in the court docket and in the DOJ’s superseding indictment and press materials. The prosecution illustrates continued international cooperation to disrupt ransomware supply chains and emphasizes the ongoing threat to hospitals, schools and nonprofits.