Authorities in Thailand, Switzerland, and the United States have dismantled a major ransomware operation, arresting four European nationals in Phuket who allegedly stole $16 million through cyber extortion.
The suspects, linked to the Phobos ransomware group, were apprehended in a series of coordinated raids conducted under Operation PHOBOS AETOR on February 10, 2025.
The arrests were led by Thailand’s Cyber Crime Investigation Bureau (CCIB) in collaboration with Immigration Police and Region 8 Police. The suspects—two men and two women—were detained at four separate locations. Authorities seized over 40 pieces of digital evidence, including mobile phones, laptops, and digital wallets, which are crucial for the ongoing investigations into the group’s activities.
The crackdown was the result of a joint law enforcement effort initiated after urgent international cooperation requests from Swiss and U.S. authorities. Interpol had issued warrants for the suspects, who had entered Thailand as part of a transnational cybercriminal operation. The four individuals are now facing charges of Conspiracy to Commit an Offense Against the United States and Conspiracy to Commit Wire Fraud.
The arrested individuals are believed to have orchestrated ransomware attacks against more than 1,000 victims worldwide, including 17 Swiss companies targeted between April 30, 2023, and October 26, 2024. Using Phobos ransomware, the hackers gained unauthorized access to victims’ networks, encrypted their files, and demanded cryptocurrency payments in exchange for decryption keys. Additionally, they exfiltrated sensitive data and threatened to publish it if ransoms were not paid. To evade detection, the group reportedly used cryptocurrency mixing services to obscure financial transactions linked to their illicit gains.
Phobos ransomware and the 8Base connection
Phobos ransomware has been a persistent threat since its emergence in 2019, operating under a ransomware-as-a-service (RaaS) model. It is often distributed via compromised Remote Desktop Protocol (RDP) access, enabling attackers to infiltrate networks and deploy encryption payloads. One of its known affiliates, 8Base ransomware, has been linked to numerous cyberattacks using the Phobos strain. Cybersecurity researcher Kevin Beaumont first reported a seizure banner appearing on the 8Base ransomware site, signaling law enforcement action against the threat actors.
While the takedown of these operators and the apparent seizure of the 8Base ransomware site mark a significant victory for law enforcement, Phobos ransomware itself remains an active threat. As for the remaining 8Base operators, similar disruptions in the past have shown that ransomware groups often rebrand or regroup under new names to evade law enforcement while continuing their extortion activities, so defenders should not treat this action as the end of the threat.