This Iranian Backed Ransomware Group is Back With a Vengeance
You May Be the Target
A new chapter in cyber warfare is unfolding, and it’s one that businesses can’t afford to ignore. The Iranian-backed ransomware group known as Pay2Key has resurfaced in 2025 under a new name, Pay2Key.I2P, and with a more dangerous agenda than ever before.
Unlike traditional ransomware campaigns driven purely by profit, Pay2Key.I2P blends financial incentives with ideological motives. Affiliates are now offered up to 80% of ransom profits for targeting organizations in the United States and Israel, a clear signal that this is no longer just about money, it’s about geopolitics.
What makes this campaign especially alarming is its infrastructure. Pay2Key.I2P is the first known ransomware-as-a-service (RaaS) platform to operate directly on the I2P network (https://geti2p.net/en/), a privacy-focused overlay designed for anonymous communication. Hosting the affiliate panel and payment flow inside I2P rather than on the clearnet or Tor makes the platform harder to detect, disrupt, or trace.
Key Technical Advancements
The group has expanded its capabilities significantly, adding AI-assisted features and broadening the range of systems it can attack:
- Advanced evasion techniques that disable Microsoft Defender
- Dual-format loader scripts to avoid detection
- A new Linux-targeted build released in June 2025
These enhancements make Pay2Key.I2P more versatile and harder to defend against, especially for organizations with mixed infrastructure.
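Because the campaign's Windows tooling is described as disabling Microsoft Defender before encryption, the practical check for a defender is whether Defender is still healthy and whether anyone has recently switched it off. The following is an added example written for this article, not code from Nevtec, Morphisec or the Pay2Key operators. It is a read-only posture check that uses only the built-in Defender cmdlets (`Get-MpComputerStatus`, `Get-MpPreference`) and Defender's own operational event log; it assumes a Windows 10/11 or Windows Server host with the Defender module present and should be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): read-only Defender posture check.
# Assumes the built-in Defender PowerShell module and an elevated session.

$findings = @()

# 1. Is the engine running, and are the protections that disable-Defender loaders
#    typically turn off still on?
$status = Get-MpComputerStatus
if (-not $status.AMServiceEnabled)          { $findings += 'Defender antimalware service is not running' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper protection is OFF (Set-MpPreference can silently disable Defender)' }
if ($status.AntivirusSignatureAge -gt 3)    { $findings += "Signatures are $($status.AntivirusSignatureAge) days old" }

# 2. Preference flags an attacker sets to blind the engine, plus over-broad exclusions.
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring is set' }
if ($pref.DisableBehaviorMonitoring) { $findings += 'DisableBehaviorMonitoring is set' }
if ($pref.DisableIOAVProtection)     { $findings += 'DisableIOAVProtection is set (downloaded files are not scanned)' }
foreach ($p in $pref.ExclusionPath) {
    # A whole-drive exclusion (C:\ or similar) is a classic pre-ransomware move.
    if ($p -match '^[A-Za-z]:\\?$') { $findings += "Whole-drive exclusion present: $p" }
}

# 3. Defender logs when protection is switched off, even if it is re-enabled later.
#    Event IDs: 5001 = real-time protection disabled,
#               5010 = antispyware scanning disabled,
#               5012 = antivirus scanning disabled.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is a non-terminating error; treat as empty

foreach ($e in $events) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    $findings += "Event $($e.Id) at $($e.TimeCreated): $firstLine"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: Defender enabled, tamper protection on, no disable events in the last 7 days'
} else {
    Write-Output 'FINDINGS:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The check that matters most here is tamper protection: with it off, a single `Set-MpPreference -DisableRealtimeMonitoring $true` from an administrative shell is enough to blind Defender, which is exactly the behaviour the loaders are reported to rely on. Run the script as a scheduled task and forward any FINDINGS lines to whatever monitoring or MDR platform you use.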
Since its reappearance in February 2025, the campaign has claimed over 51 successful ransom payouts, totaling more than $4 million. Individual operators have reportedly earned upwards of $100,000, highlighting the effectiveness and profitability of this model.
Here are some quick stats on Pay2Key.I2P:
- Launch Date: February 2025
- Total Ransom Payouts: Over $4 million
- Individual Operator Profits: Up to $100,000
- Profit Share for Affiliates: 80%
- Target Regions: United States and Israel
- Deployment Network: I2P (Invisible Internet Project)
- Linux Variant Released: June 2025
Recruitment and Ideological Incentives
The group’s recruitment strategy is equally concerning. Pay2Key.I2P has been openly advertised on Russian and Chinese darknet forums, offering $20,000 per successful attack. This democratization of ransomware deployment means that virtually anyone with minimal technical skill can become a threat actor.
- Open access to ransomware binaries
- Financial rewards tied to ideological targets
- Promotion on multiple darknet platforms
This model blurs the line between cybercrime and cyber warfare, making attribution and prevention more difficult than ever.
What Businesses Should Do
For small and mid-sized businesses, this evolution in ransomware tactics presents a new kind of risk. The convergence of state-sponsored cyber warfare and RaaS platforms means that no organization is too small or obscure to be targeted.
“The Pay2Key.I2P campaign is a wake-up call. It’s not just about ransomware anymore; it’s about ideology, anonymity, and scale. Businesses need to think beyond firewalls and start building cyber resilience,” says Steve Neverve, CEO and Founder of Nevtec.
To stay ahead, organizations should:
- Upgrade endpoint protection to a Managed Detection and Response solution like Sophos MDR
- Monitor darknet activity for emerging threats
- Educate staff on phishing and social engineering
- Patch systems promptly, especially Linux environments
Nevtec’s cybersecurity team is actively monitoring threats like Pay2Key.I2P and helping clients build resilient defenses. Whether you’re looking to assess your risk posture, implement advanced threat detection, or train your staff, our experts are here to help.
Schedule a security consultation with Nevtec to stay ahead of the next wave of cyber threats.