Iranian Ransomware Crew Blurs the Line Between Profit and Proxy Attacks


An Iranian ransomware group identified as Pay2Key.I2P has escalated its activity amid growing geopolitical tensions, offering larger profit cuts to affiliates who target Israeli and U.S. organizations, according to researchers.
The group is considered a successor to the earlier Pay2Key operation, which has ties to the Iranian state-backed Fox Kitten group, known for previous cyber-espionage campaigns against U.S. and Israeli targets, The Record reports.
Operating under a ransomware-as-a-service (RaaS) model, Pay2Key.I2P claims to have collected over $4 million in ransom payments in just four months. In June, the group began offering affiliates an 80% share (up from 70%) for attacks against Iran’s adversaries. In a darknet forum post, the group cited military aggression against Iran as motivation for incentivizing cyberattacks with ideological undertones.
Researchers noted that Pay2Key.I2P is recruiting on Russian-speaking forums and appears to be collaborating with the operators behind Mimic ransomware, which incorporates code from the disbanded Conti gang. Pay2Key.I2P reportedly executed over 50 attacks by late June, though it’s unclear how many specifically targeted Israeli or U.S. entities.
This surge in activity coincides with warnings from U.S. officials about possible Iranian retaliation following an airstrike on Iran’s nuclear infrastructure. Authorities have previously linked Fox Kitten to state-coordinated ransomware campaigns across the U.S., Israel, Azerbaijan, and the UAE.
Takeaway: Pay2Key.I2P is a textbook example of how the lines between state-aligned threat activity and financially motivated cybercrime are getting fuzzier by the day.
You’ve got a group running a Ransomware-as-a-Service model, offering 80% profit cuts to affiliates targeting the U.S. and Israel, while at the same time incorporating tactics that scream nation-state—like the use of wipers masquerading as ransomware.
That’s not your average cash-grab crew. That’s geopolitics with a monetization layer.
This hybrid model is exactly what we should all be watching. On the surface, it looks like any other RaaS affiliate op, but scratch a little deeper and you see clear signs of ideological alignment, infrastructure overlap, and tooling borrowed straight from state-sponsored playbooks.
These groups don’t have to choose between financial and political motives anymore—they can do both, and they are.
The kicker? Wipers, which used to be the calling card of state-linked sabotage campaigns, are now starting to show up in operations that still demand ransom. That’s a huge shift. As victims get smarter and stop paying just because their data was stolen, attackers are escalating.
If data exfiltration and extortion don’t work, wiping everything might be the next pressure tactic to force a payout, and that’s a dangerous prospect.
Groups like Pay2Key.I2P show how nation-states are hijacking the ransomware ecosystem for cover. Just wrap an encryptor or a wiper in a ransom note, let it detonate, and point the blame at some criminal gang. It’s cheap, effective, and gives them perfect plausible deniability.
This blur between espionage and extortion isn’t accidental; it’s the strategy. And the more these lines fade, the harder it gets to know whether you’re dealing with a ransom job or a geopolitical hit in disguise.