A 47-year-old man suspected of working with the Phobos ransomware group has been arrested in Poland. Police also seized electronic devices that allegedly contain stolen data.
Officers from Poland’s Central Bureau of Cybercrime Control arrested the man in the Małopolska region. The operation involved cybercrime units from Katowice and Kielce and was part of “Operation Aether,” an international investigation led by Europol. The operation targets the infrastructure and members of the Phobos ransomware network.
During a search of the suspect’s home, police found computers and mobile phones containing login details, passwords, credit card numbers, and server IP addresses. Officials said the man communicated with other Phobos members through encrypted messaging apps.
He has been charged under Article 269b of Poland’s Criminal Code for creating and distributing software designed to illegally access computer systems. If found guilty, he could face up to five years in prison.
Phobos is a ransomware-as-a-service (RaaS) operation believed to be an evolution of the Crysis (Dharma) malware family. Although it is less well known than some other ransomware groups, it remains highly active. Between May and November 2024, it accounted for about 11% of cases reported to ID Ransomware. US authorities have linked the group to attacks on more than 1,000 public and private organizations worldwide, with ransom payments totaling over $16 million.
Operation Aether has targeted different levels of the Phobos network, including those who manage its technical infrastructure and affiliates who carry out attacks. In February 2025, four European hackers were arrested in a joint operation by Thai, Swiss, and US authorities in connection with Phobos. The US Department of Justice also charged two Russian nationals with allegedly operating the ransomware.
In November 2024, a suspected Phobos administrator was extradited to the United States, and another alleged affiliate was arrested in Italy in 2023.