Polish police have detained a 47-year-old man suspected of ties to the Phobos ransomware group and seized computers and mobile phones containing stolen credentials, credit card numbers, and server access data.
Officers from Poland's Central Bureau of Cybercrime Control (CBZC) arrested the suspect in the Małopolska region in a joint operation involving units from Katowice and Kielce. The action is part of "Operation Aether," a broader international effort coordinated by Europol and targeting Phobos ransomware infrastructure and affiliates.
During a search of the suspect's residence, investigators supervised by the District Prosecutor's Office in Gliwice found files on his devices containing credentials, passwords, credit card numbers, and server IP addresses that could be used to gain unauthorized access to computer systems and facilitate ransomware attacks.
Police officers have also determined that the suspect had used encrypted messaging applications to communicate with the Phobos cybercrime organization.
"This data could be used to carry out various attacks, including, among others, ransomware. After performing technical actions, it turned out that there was data on them that could be used to break electronic security," the CBZC said on Tuesday. "In addition, according to information collected about the 47-year-old, using encrypted messengers, he contacted the Phobos crime group known for its ransomware attacks."
The suspect now faces charges under Article 269b of Poland's Criminal Code for producing, acquiring, and distributing computer programs designed to unlawfully obtain information stored in IT systems (hacking tools), and faces a maximum prison sentence of five years if found guilty.
Operation Aether targeting Phobos
Phobos is a long-running ransomware-as-a-service (RaaS) operation (derived from the Crysis ransomware family) that, despite receiving less media attention than other ransomware groups, has been responsible for many attacks on businesses worldwide and is considered one of the most widely distributed ransomware operations.
Between May 2024 and November 2024, Phobos ransomware accounted for approximately 11% of all submissions to the ID Ransomware service. The U.S. Justice Department has also previously linked this ransomware gang to breaches at more than 1,000 public and private entities worldwide, with ransom payments totaling more than $16 million.
Operation Aether has targeted Phobos-linked individuals at multiple levels of the operation, including backend infrastructure operators and affiliates involved in network intrusions and data encryption.
... continue reading