19 November 2024

Phobos ransomware administrator extradited to US from South Korea



Evgenii Ptitsyn, aka ‘derxan’ and ‘zimmermanx,’ a Russian national accused of administering the notorious Phobos ransomware operation, has been extradited from South Korea to the United States where he faces a 13-count indictment tied to international cybercrime.

Phobos ransomware has been linked to over 1,000 cyberattacks worldwide, including critical hits on US public and private entities. The attacks have reportedly extorted more than $16 million in ransom payments.

According to the indictment, Ptitsyn was a key player in the scheme, overseeing the sale, distribution, and operation of the ransomware.

Starting in November 2020, Ptitsyn and co-conspirators allegedly developed and marketed Phobos ransomware to affiliates, with services advertised on dark web forums and encrypted messaging platforms.

As part of the scheme, affiliates would gain unauthorized access to victims’ networks, steal sensitive data, and encrypt files using Phobos ransomware. Victims were left with ransom notes demanding payment in exchange for decryption keys. Some affiliates escalated the pressure by threatening to leak the stolen data publicly if payments were not made.

Ptitsyn’s role allegedly included managing the darknet platform where ransomware licenses were sold and maintaining unique cryptocurrency wallets for transactions.

From December 2021 to April 2024, decryption key fees collected from affiliates were funneled into wallets controlled by Ptitsyn, the authorities said.

Ptitsyn faces charges including wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, causing intentional damage to protected computers, and extortion. If convicted, he could face several decades in prison.
