Iranian Ransomware Group Pay2Key.I2P Escalates Attacks on US & Israel
According to a report by Morphisec, the Iranian threat group Pay2Key.I2P has intensified its operations amid escalating tensions in the Middle East. The group is now offering larger payouts to hacker affiliates who participate in attacks targeting infrastructure in the United States and Israel.
Experts believe that Pay2Key.I2P is a successor to the earlier Pay2Key campaign, which was previously linked to the Iranian state-sponsored group Fox Kitten, an entity known for conducting espionage operations against Israeli and American organizations in recent years. The new incarnation operates under a Ransomware-as-a-Service (RaaS) model, in which each participant in an attack receives a share of the ransom. Recently, the terms of participation in this scheme have become increasingly lucrative.
Since June, the affiliate share of ransom payments has been raised from 70% to 80%, provided that the target is an entity or organization based in a country deemed hostile to Iran. In a message posted on a darknet forum, the campaign’s organizers justified the change as a response to acts of aggression against Iran, calling the revised payout structure a “favorable offer” for those seeking to avenge the nation.
In the past four months alone, the group has amassed more than $4 million. Alongside financial incentives, Pay2Key.I2P exhibits strong ideological motivations, actively recruiting members through Russian-speaking cybercriminal forums. Reports have also emerged suggesting potential collaboration with operators of the Mimic ransomware, which was developed using leaked source code from the infamous Conti group.
According to statements from Pay2Key.I2P, by the end of June the group had carried out over 50 successful attacks. While the exact number of operations specifically targeting Israeli or American entities remains unconfirmed, the surrounding context indicates a deliberate escalation in cyber hostilities against these nations.
This surge in activity coincides with warnings from U.S. authorities regarding a possible Iranian retaliation following recent American airstrikes on facilities linked to Iran’s nuclear program. As early as 2024, U.S. agencies had reported that Tehran was coordinating with cybercriminal groups focused on attacking organizations in the U.S., Israel, Azerbaijan, and the UAE, with Fox Kitten continuing to be identified as one of the foremost threats.