Guilty Pleas in Major Cyber-Enabled Fraud and Ransomware Operations

Tags: enforcement-action, business-email-compromise, ransomware-group-operation, cybercrime-service-ecosystem, identity-impersonation-fraud
Updated March 21, 2026 at 02:12 PM (2 sources)

U.S. authorities secured guilty pleas in two separate cyber-enabled criminal cases: a Ghana-based fraud ring that stole more than $100 million via business email compromise (BEC) and romance scams, and a Phobos ransomware administrator tied to a global extortion operation. The cases highlight parallel monetization paths—social engineering and payment redirection in BEC/romance schemes versus data encryption and extortion in ransomware-as-a-service (RaaS)—and both involve international arrests/extraditions to the United States.

In the fraud case, Derrick Van Yeboah (40) pleaded guilty to conspiracy to commit wire fraud and agreed to pay over $10 million in restitution for his role in a Ghana-based operation that targeted U.S. victims from 2016 to May 2023, using spoofed emails to impersonate customers/employees and laundering proceeds through U.S. intermediaries before sending funds to coordinators in West Africa. Separately, Evgenii Ptitsyn (43) pleaded guilty to wire fraud conspiracy for helping develop, sell, distribute, and operate the Phobos ransomware platform, which the U.S. DoJ says hit 1,000+ entities and extorted $16+ million; he was arrested in South Korea in 2024, extradited to the U.S., and faces up to 20 years in prison, with sentencing scheduled for July 15.

Timeline

  1. Mar 6, 2026

    Derrick Van Yeboah pleads guilty in $100 million fraud case

    Van Yeboah pleaded guilty to conspiracy to commit wire fraud for his role in a fraud ring that stole over $100 million from U.S. victims. He agreed to pay more than $10 million in restitution and is scheduled for sentencing on June 3, 2026.

  2. Mar 5, 2026

    Evgenii Ptitsyn pleads guilty in U.S. Phobos case

    Ptitsyn pleaded guilty in the United States to wire fraud conspiracy for his role in the Phobos ransomware operation. He faces up to 20 years in prison, with sentencing scheduled for July 15, 2026.

  3. Aug 1, 2025

    Derrick Van Yeboah extradited to the United States

    In August 2025, Ghanaian national Derrick Van Yeboah was extradited to the United States alongside named accomplices for his alleged role in the fraud ring. Prosecutors linked him to more than $10 million in victim losses.

  4. Feb 1, 2025

    U.S. unseals charges against two alleged Phobos operators

    In February 2025, U.S. authorities unsealed charges against alleged Phobos operators Roman Berezhnoy and Egor Glebov. The action marked another public step in the broader crackdown on the ransomware operation.

  5. Jan 1, 2024

    Poland arrests Phobos-linked suspect in Operation Aether

    Polish authorities arrested a 47-year-old suspect linked to the Phobos ransomware operation as part of the Europol-coordinated Operation Aether. The report cites this as a separate law enforcement action against the group.

  6. Jan 1, 2024

    Phobos suspect Evgenii Ptitsyn arrested in South Korea

    Russian national Evgenii Ptitsyn was arrested in South Korea in 2024 for his alleged role in the Phobos ransomware operation. U.S. authorities later extradited him to face wire fraud conspiracy charges.

  7. Jan 1, 2024

    Phobos ransomware operation targets over 1,000 entities worldwide

    U.S. authorities said the Phobos ransomware-as-a-service operation was used to develop, sell, distribute, and operate ransomware attacks against more than 1,000 public and private entities globally. The campaign allegedly extorted over $16 million from victims.

  8. Jan 1, 2016

    Fraud ring uses BEC and romance scams against U.S. victims

    A Ghana-based fraud ring began targeting Americans in 2016 using business email compromise and online romance scams to trick victims and businesses into wiring money. Prosecutors said the operation continued through May 2023 and ultimately caused more than $100 million in losses.

Sources

March 6, 2026 at 12:00 AM

Related Stories

Phobos Ransomware Administrator Evgenii Ptitsyn Pleads Guilty in U.S. Case

U.S. prosecutors said **Evgenii Ptitsyn**, a 43-year-old Russian national described as an administrator/leader behind the **Phobos** ransomware operation, pleaded guilty to **wire fraud conspiracy** tied to a global ransomware-and-extortion scheme. Court filings and DOJ statements cited in reporting say Phobos and its affiliates victimized **more than 1,000 organizations** worldwide and extorted **over $39 million**, with victims including U.S. healthcare providers, hospitals, educational institutions, and other essential services. Ptitsyn was arrested in **South Korea** and later extradited to the United States; he faces a **maximum of 20 years** in prison. Authorities described Phobos as an affiliate-driven operation in which administrators developed and distributed the ransomware, coordinated sales via a **darknet site**, and advertised services on criminal forums/messaging platforms, while affiliates typically gained access to victim networks—often using **stolen credentials**—to steal and encrypt data and then demand payment for decryption. Reporting also described a fee/revenue model in which affiliates paid administrators for **unique decryption keys** and administrators took a cut of proceeds; Ptitsyn agreed to forfeit **$1.77 million** and pay at least **$39.3 million** in restitution. Additional context in coverage linked Phobos to related activity (including the **8Base** strain) and noted prior law-enforcement actions against other alleged members, as well as the release of a **free Phobos decryption tool** by Japanese authorities.

1 month ago

Cybercrime Prosecutions: ATM Jackpotting Deportations and Ransomware Guilty Plea

U.S. authorities reported multiple enforcement actions against financially motivated cybercrime. In South Carolina, two Venezuelan nationals convicted in an **ATM jackpotting** scheme will be deported after serving their sentences; prosecutors said they physically accessed older ATM models, connected a laptop, and installed malware that bypassed security controls to force cash-out until the machines were emptied. The activity impacted banks across several southeastern states, with court-ordered restitution of **$285,100** and **$126,340** respectively, and investigators said evidence from the case contributed to a broader Nebraska indictment of dozens of individuals tied to a larger ATM-theft conspiracy. Separately, a Russian national, **Ianis Aleksandrovich Antropenko**, pleaded guilty in federal court to **conspiracy to commit money laundering** and **conspiracy to commit computer fraud and abuse** for leading a ransomware operation that targeted at least 50 victims over a four-year period ending in August 2022; he faces up to **25 years** in prison, financial penalties, restitution, and forfeiture, and the plea acknowledges potential immigration consequences. A third item describes convicted Bitcoin thief **Ilya Lichtenstein** seeking post-release work in cybersecurity, but it is not tied to the ATM jackpotting or Antropenko ransomware case and does not add incident-specific threat intelligence.

1 month ago

Guilty Plea of Yanluowang Ransomware Initial Access Broker

Aleksei Olegovich Volkov, a Russian national, pleaded guilty in the United States to charges related to his role as an initial access broker (IAB) for the Yanluowang ransomware group. Volkov provided access to at least seven U.S. organizations between July 2021 and November 2022, enabling the deployment of ransomware that resulted in ransom demands ranging from $300,000 to $15 million. He received a percentage of the ransom payments, including $94,259 from a $500,000 ransom and $162,220 from a $1 million ransom, and was ordered to pay nearly $9.2 million in restitution to affected organizations. Volkov's activities were uncovered through digital forensics, including chat logs, cryptocurrency records, and social media accounts, and he was extradited to the U.S. after being apprehended in Rome. The indictment and plea agreement detail Volkov's collaboration with co-conspirators, his use of aliases such as "chubaka.kor," and his involvement in negotiating ransom payments and providing network credentials to the Yanluowang group. The attacks affected a range of U.S. businesses, including engineering firms, banks, and telecommunications providers, with some victims able to restore from backups and avoid ransom payments. Volkov faces up to 53 years in prison for charges including access device fraud, aggravated identity theft, and conspiracy to commit money laundering and computer fraud.

1 month ago
