Poland Arrests Suspect in Major Phobos Ransomware Operation

Summary
– Polish police arrested a 47-year-old man suspected of ties to the Phobos ransomware group and seized devices containing stolen data such as credentials and credit card numbers.
– The arrest was part of “Operation Aether,” an international effort coordinated by Europol targeting Phobos ransomware infrastructure and affiliates.
– Phobos is a significant ransomware-as-a-service operation linked to attacks on over 1,000 entities and more than $16 million in ransom payments.
– Operation Aether has led to multiple international arrests, server seizures, and warnings to over 400 companies about imminent ransomware attacks.
– Authorities have also developed a free decryptor for Phobos ransomware, allowing victims to recover their files.

Polish authorities have made a significant arrest in the ongoing international fight against ransomware, detaining a 47-year-old man believed to be connected to the Phobos ransomware group. The arrest, part of a coordinated effort known as “Operation Aether,” led to the seizure of computers and mobile phones containing a trove of stolen data, including passwords, credit card details, and sensitive server access information.
Officers from the Central Bureau of Cybercrime Control (CBZC) took the suspect into custody in the Małopolska region. The operation was a collaborative effort involving units from Katowice and Kielce, under the supervision of the District Prosecutor’s Office in Gliwice. A search of the individual’s home uncovered files on his devices that held credentials and server IP addresses. Investigators stated this data could be exploited to bypass electronic security and launch various cyberattacks, including ransomware deployments.
Police also confirmed the suspect used encrypted messaging applications to communicate with the Phobos cybercrime organization. He now faces serious charges under Polish law for producing, acquiring, and distributing tools designed for hacking. If convicted, he could receive a prison sentence of up to five years.
Operation Aether is a broad international initiative coordinated by Europol, specifically targeting the infrastructure and affiliates of the Phobos ransomware-as-a-service operation. Despite sometimes flying under the radar compared to other groups, Phobos is a major threat. It evolved from the Crysis ransomware family and is considered one of the most widely distributed ransomware operations globally.
The group’s impact is substantial. Between May and November of 2024, Phobos ransomware accounted for roughly 11% of all submissions to the ID Ransomware service. The U.S. Justice Department has linked the gang to breaches affecting over 1,000 public and private entities worldwide, with extorted payments exceeding $16 million.
This police action has targeted individuals at various levels within the Phobos ecosystem, from backend infrastructure operators to the affiliates who carry out network intrusions. Key milestones include the extradition of an alleged Phobos administrator to the United States in late 2024 and a major disruption in February 2025, when authorities in Thailand seized 27 servers and arrested two suspected affiliates.
The operation’s reach extends beyond arrests and seizures. Europol reported that, as a result of this work, law enforcement was able to warn more than 400 companies around the world about ongoing or imminent ransomware attacks. This complex effort involved agencies from 14 countries and also targeted the related 8Base ransomware group.
In a positive development for victims, Japanese police released a free decryptor for Phobos and 8Base ransomware in July 2025, providing a tool to recover locked files without paying a ransom. This arrest in Poland represents another step in dismantling a pervasive cybercriminal network that has inflicted significant financial damage across the globe.
(Source: Bleeping Computer)
