Polish police have detained a 47-year-old man suspected of ties to the Phobos ransomware group and seized computers and mobile phones containing stolen credentials, credit card numbers, and server access data.
Officers from Poland’s Central Bureau of Cybercrime Control (CBZC) arrested the suspect in the Małopolska region in a joint operation involving units from Katowice and Kielce. The action is part of “Operation Aether,” a broader international effort coordinated by Europol and targeting Phobos ransomware infrastructure and affiliates.
During a search of the suspect’s residence, investigators supervised by the District Prosecutor’s Office in Gliwice found files on his devices containing credentials, passwords, credit card numbers, and server IP addresses that could be used to gain unauthorized access to computer systems and facilitate ransomware attacks.
Police officers have also determined that the suspect had used encrypted messaging applications to communicate with the Phobos cybercrime organization.
“This data could be used to carry out various attacks, including, among others, ransomware. After performing technical actions, it turned out that there was data on them that could be used to break electronic security,” the CBZC said on Tuesday. “In addition, according to information collected about the 47-year-old, using encrypted messengers, he contacted the Phobos crime group known for its ransomware attacks.”
The suspect now faces charges under Article 269b of Poland’s Criminal Code for producing, acquiring, and distributing computer programs designed to unlawfully obtain information stored in IT systems (hacking tools), and faces a maximum prison sentence of five years if found guilty.
Operation Aether targeting Phobos
Phobos is a long-running ransomware-as-a-service (RaaS) operation (derived from the Crysis ransomware family) that, despite receiving less media attention than other ransomware groups, has been responsible for many attacks on businesses worldwide and is considered one of the most widely distributed ransomware operations.
Between May 2024 and November 2024, Phobos ransomware accounted for approximately 11% of all submissions to the ID Ransomware service. The U.S. Justice Department has also previously linked this ransomware gang to breaches at more than 1,000 public and private entities worldwide, with ransom payments totaling more than $16 million.
Operation Aether has targeted Phobos-linked individuals at multiple levels of the operation, including backend infrastructure operators and affiliates involved in network intrusions and data encryption.
For instance, a key outcome of this global police operation was the extradition of the alleged Phobos administrator to the United States in November 2024, and a massive disruption in February 2025, when police seized 27 servers and arrested two suspected affiliates in Phuket, Thailand.
Another key Phobos affiliate was arrested in Italy in 2023, further weakening the cybercriminal network behind the ransomware group.
“As a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks,” Europol said in February 2025. “This complex international operation, supported by Europol and Eurojust, involved law enforcement agencies from 14 countries. While some countries focused on the investigation into Phobos, others targeted 8Base, with several participating in both.”
In July 2025, the Japanese police also released a Phobos and 8-Base ransomware decryptor that allows victims to recover their files for free.
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
