
Iranian ransomware group offers bigger payouts for attacks on Israel, US

An Iranian ransomware gang has ramped up operations amid heightened tensions in the Middle East, offering larger profit shares to affiliates who carry out cyberattacks against Israel and the U.S., researchers said.

The group, known as Pay2Key.I2P, is believed to be a successor to the original Pay2Key operation, which has been linked to Iran’s state-backed Fox Kitten hacking group. Fox Kitten has previously carried out cyber-espionage campaigns targeting Israeli and U.S. organizations.

According to a new report from cybersecurity firm Morphisec, Pay2Key.I2P has adopted a ransomware-as-a-service model and claims to have collected more than $4 million in payments over the past four months.

Since June, the group has offered affiliates an 80% cut of ransom proceeds — up from 70% — if they participate in attacks against Iran’s adversaries.

“Our brothers in Iran are being subjected to military aggression. We are ready to offer a favorable percentage for anyone engaged in an attack against the enemies of Iran,” the group said in a message posted on a darknet forum.

Morphisec said the group seems to be motivated by both money and ideology, and is trying to recruit members on Russian-speaking hacker forums. Researchers believe Pay2Key.I2P collaborates with operators of the Mimic ransomware, which uses code from the defunct Conti gang — whose tools were leaked after it publicly supported Russia’s invasion of Ukraine.

Pay2Key.I2P claims its affiliates have carried out more than 50 successful attacks as of late June, though it remains unclear how many targeted Israeli or U.S. organizations.

The campaign comes as U.S. officials warn of potential Iranian retaliation following an American airstrike on Iran’s nuclear facilities. Last year, U.S. agencies said Tehran was coordinating with ransomware gangs to target entities in the United States, Israel, Azerbaijan and the United Arab Emirates, and specifically pointed to Fox Kitten as a key threat actor.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.