Phobos Ransomware Admin Extradited From South Korea
Read also: Bitfinex hacker sentenced to 5 years in prison for the largest crypto heist in history, five Scattered Spider members indicted in the US, and more.
Phobos ransomware admin extradited to the US from South Korea, faces decades in prison
Evgenii Ptitsyn, known online as “derxan” and “zimmermanx,” has been extradited from South Korea to the US to face charges related to his alleged involvement in running the Phobos ransomware operation. A Russian national, Ptitsyn allegedly managed the sale, distribution, and operation of Phobos ransomware, which has been linked to over 1,000 cyber-attacks worldwide, resulting in more than $16 million in ransom payments.
Starting in November 2020, Ptitsyn and his co-conspirators reportedly developed and marketed the ransomware to affiliates through Dark Web forums and encrypted messaging platforms. Affiliates used Phobos to infiltrate victims’ networks, encrypt files, and demand ransoms for decryption keys, often threatening to leak stolen data if payments were not made.
Authorities allege Ptitsyn managed the underground platform where ransomware licenses were sold and controlled cryptocurrency wallets used to collect payments. Between December 2021 and April 2024, he allegedly funneled affiliate payments into these wallets.
Ptitsyn faces charges including conspiracy to commit wire fraud, computer fraud and abuse, and extortion, carrying the potential for decades in prison if convicted.
Hackers behind the 2016 Bitfinex crypto heist that saw 120K bitcoin stolen sentenced to prison
Ilya Lichtenstein, 35, has been sentenced to five years in a US prison for laundering nearly 120,000 bitcoin stolen in the 2016 Bitfinex cryptocurrency hack, one of the largest crypto thefts in history.
Lichtenstein breached Bitfinex’s systems, authorized over 2,000 fraudulent transactions, and transferred the stolen money to his own wallet. He attempted to hide evidence by deleting logs and credentials from Bitfinex's network.
Lichtenstein and his wife, Heather Morgan, leveraged various laundering methods, including creating fake identities, using automated transaction software, converting cryptocurrencies (so-called “chain hopping”), utilizing Dark Web markets and mixing services, and legitimizing funds through US-based business accounts. Morgan and Lichtenstein were arrested in February 2022. Morgan was sentenced to 18 months in prison.
In related news, Larry Dean Harmon, a mastermind behind the Helix cryptocurrency mixer tied to Dark Web illegal activities, has been sentenced to three years in a US prison. He also agreed to forfeit over $400 million in assets, including cryptocurrency and real estate. From 2014 to 2017, Helix processed over 350,000 bitcoins (valued at $311 million at the time), anonymizing transactions often linked to drug trafficking and other crimes. Helix was integrated with Grams, a Dark Web search engine Harmon also managed, and provided APIs for use in underground marketplaces, facilitating large-scale money laundering operations.
Five members of the Scattered Spider gang that caused millions in losses charged in the US
The US Department of Justice has charged five individuals linked to the infamous Scattered Spider gang responsible for a wave of aggressive hacks targeting multiple major companies. The defendants are accused of orchestrating phishing and social engineering schemes that resulted in the theft of millions of dollars, including cryptocurrency.
Between September 2021 and April 2023, the defendants allegedly conducted phishing attacks targeting employees of various companies. They sent mass SMS messages that appeared to come from the victims' employers or associated service providers, warning that accounts were about to be deactivated. The messages included links to fraudulent websites designed to mimic legitimate company portals, tricking victims into providing login credentials and other sensitive information.
Using the stolen credentials, the defendants allegedly accessed corporate systems to steal intellectual property, confidential work product, and personal information. They also allegedly used the stolen data to infiltrate cryptocurrency accounts and wallets, stealing millions in virtual currency.
Charges have been filed against Tyler Buchanan, 22, of Scotland; Ahmed Elbadawy, 23, of College Station, Texas; Joel Evans, 25, of Jacksonville, North Carolina; Evans Osiebo, 20, of Dallas; and Noah Urban, 20, of Palm Coast, Florida. If convicted, they face up to 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy, and a mandatory two-year sentence for aggravated identity theft.
Authorities seize the PopeyeTools marketplace specializing in stolen credit cards, charge operators
The US authorities have dismantled PopeyeTools, an illicit online marketplace dedicated to selling stolen credit card data, personal information, and cybercrime tools, and unsealed criminal charges against its administrators.
Abdul Ghaffar, 25, and Abdul Sami, 35, both from Pakistan, along with Javed Mirza, 37, from Afghanistan, face charges of conspiracy to commit access device fraud, trafficking access devices, and solicitation to offer access devices.
Since its launch around 2016, PopeyeTools has facilitated the sale of sensitive financial data and tools to global users, including those involved in ransomware activities. It reportedly sold personal and financial information of at least 227,000 individuals, generating over $1.7 million in revenue.
In addition, the US authorities have seized the website domains and approximately $283,000 in cryptocurrency linked to Sami. The defendants each face up to 10 years in prison per charge if convicted.
A programmer convicted for running one of the largest pirate streaming services in the US
Yoany Vaillant, a Cuban citizen and US permanent resident, was convicted for his role in running Jetflicks, one of the largest illegal streaming services in the United States. Jetflicks offered a vast library of over 183,000 copyrighted television episodes.
Vaillant worked on automating the site's processes to acquire, process, and stream pirated content. He and his co-conspirators sourced infringing content from major piracy platforms like The Pirate Bay and RARBG and provided episodes to subscribers often within 24 hours of airing, causing millions in losses to copyright owners.
Vaillant is the last of eight defendants to be convicted in the case, with others already sentenced to up to nearly five years in prison. The sentencing hearing for Vaillant and his co-defendants is set for February 2025.
In a related case, two brothers, Chowdhury and Rahman, were charged with running another illegal streaming service, 247TVStream, which generated over $7 million in subscriber fees and caused an estimated $100 million in damages to copyright owners.