A 43-year-old Russian national pleaded guilty to wire fraud charges on Wednesday after U.S. prosecutors accused him of being a key figure in the Phobos ransomware gang.

Evgenii Ptitsyn will be sentenced on July 15 and is facing a maximum penalty of 20 years in prison.

Ptitsyn and several others began using the Phobos ransomware in November 2020, attacking more than 1,000 organizations around the world. He was arrested in South Korea and extradited in November 2024.

The indictment of Ptitsyn revealed significant information about the group’s inner workings and victims. Ptitsyn was the key developer behind Phobos and offered it to other cybercriminal affiliates who launched attacks on the gang’s behalf — taking a cut of all ransoms received.

He marketed the ransomware on cybercriminal forums and ran the gang’s darknet website, where data stolen from victims was sold.

Prosecutors accused Ptitsyn of being behind attacks on the California public school system — which paid a $300,000 ransom in 2023 — as well as multiple healthcare organizations and several companies.

U.S. prosecutors previously said operators of Phobos and a related strain called 8Base collected upwards of $16 million from victims worldwide dating back to 2019.

Law enforcement agencies in the U.S. and Europe have arrested and prosecuted multiple members of the group over the last two years, including a 47-year-old man detained in Poland three weeks ago. Several members were arrested and deported from Thailand last year.

Last July, Japanese officials published a free Phobos ransomware decryption tool and a guide in English for organizations impacted by the group’s attacks.