July 9, 2025 By Pierluigi Paganini

An Iranian ransomware group, Pay2Key.I2P, has intensified attacks on U.S. and Israeli targets, offering affiliates higher profits.
The Iranian ransomware group Pay2Key.I2P is stepping up attacks on U.S. and Israeli targets, luring affiliates with higher profit shares.

The ransomware gang is the successor to the original Pay2Key group, and experts have linked it to the Iran-nexus APT group Fox Kitten. Pay2Key.I2P now operates as a ransomware-as-a-service outfit.
Since launching in February 2025, Pay2Key.I2P has grown fast, aided by promotion on Russian and Chinese darknet forums and activity on X. The group has secured over 51 ransom payouts in just four months. While profit drives them, their strong ideological ties to Iran are clear, with a focus on Western targets. In June, they expanded their reach with a Linux version of their ransomware, broadening the scope of their cyberwarfare campaign.