Poland Arrests Suspect Tied to Phobos Ransomware Operation

Authorities in Poland have arrested a 47-year-old man suspected of involvement with the Phobos ransomware network. During the operation, police confiscated computers and mobile devices allegedly containing stolen login credentials, payment card details, and server access information.

The arrest was carried out by officers from the Central Bureau of Cybercrime Control in the Małopolska region, with support from units in Katowice and Kielce. The action forms part of “Operation Aether,” a coordinated international crackdown led by Europol targeting Phobos infrastructure and affiliates.

Digital Evidence and Encrypted Communications

According to investigators supervised by the District Prosecutor’s Office in Gliwice, a search of the suspect’s residence uncovered files containing usernames, passwords, credit card numbers, and server IP addresses. Authorities believe the data could have been used to breach systems and facilitate ransomware deployments.

Police also determined that the suspect allegedly communicated with members of the Phobos cybercrime group using encrypted messaging applications.

If convicted under Article 269b of Poland’s Criminal Code, which criminalizes producing, obtaining, selling or sharing tools, programs, passwords and access codes intended for use in computer crime, the suspect could face up to five years in prison.

Operation Aether Targets Phobos Infrastructure

Phobos operates under a ransomware-as-a-service (RaaS) model, in which a core team maintains the malware and infrastructure while affiliates carry out intrusions, and it is derived from the Crysis (Dharma) malware family. Despite receiving less publicity than some rival groups, Phobos has been responsible for numerous attacks on businesses worldwide and remains one of the most widely distributed ransomware strains.

Between May and November 2024, Phobos accounted for roughly 11 percent of submissions to the ID Ransomware tracking service. The U.S. Department of Justice has previously linked the group to breaches affecting more than 1,000 organizations globally, with ransom payments exceeding 16 million dollars.

Operation Aether has targeted multiple layers of the Phobos ecosystem, including administrators, backend infrastructure operators, and affiliates responsible for intrusions and encryption activities.

International Crackdown and Arrests

A major milestone in the investigation occurred in November 2024, when an alleged Phobos administrator was extradited to the United States. In February 2025, authorities seized 27 servers and arrested two suspected affiliates in Phuket, Thailand.

Earlier efforts also led to the arrest of a key Phobos affiliate in Italy in 2023. According to Europol, the broader operation involved agencies from 14 countries, with some nations simultaneously targeting both Phobos and the related 8-Base ransomware group.

Law enforcement agencies also warned more than 400 companies worldwide about ongoing or imminent ransomware threats as part of the coordinated action.

In July 2025, Japanese police released a free decryptor tool for victims of Phobos and 8-Base ransomware, offering affected organizations a way to recover encrypted files without paying ransom demands.

Ongoing Global Efforts Against Ransomware

The arrest in Poland highlights continued international cooperation against ransomware operations that rely on distributed affiliate networks and encrypted communication channels. Authorities stress that dismantling infrastructure, disrupting financial flows, and prosecuting key actors remain central strategies in reducing the global ransomware threat.
