
LATEST NEWS

Iranian-backed ransomware gang resurfaces with bigger payouts for anti-Israel and U.S. attacks

  • Marijan Hassan - Tech Journalist
  • Jul 16
  • 2 min read

A new variant of the Pay2Key ransomware, now operating under the name Pay2Key.I2P, has re-emerged, offering cybercriminals larger payouts to target organizations in Israel and the United States. The development marks a troubling escalation in the use of ransomware-as-a-service (RaaS) platforms as geopolitical weapons.


According to security researchers at Morphisec, the revamped Pay2Key operation is offering affiliates an 80% profit share, up from 70%, if they are aligned with Iran or willing to attack its adversaries. This incentive structure points not only to financial motivation but also to a clear ideological alignment with Iranian cyber warfare objectives.


Linked to Iran’s Fox Kitten APT

Pay2Key.I2P is believed to be operated by, or closely linked to, Fox Kitten (aka Lemon Sandstorm), a state-sponsored Iranian advanced persistent threat (APT) group known for its cyberespionage campaigns. Researchers also note that the ransomware appears to incorporate features of Mimic ransomware, enhancing its obfuscation and persistence mechanisms.


“Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime,” said Morphisec’s Ilia Kulmin. “With ties to Fox Kitten and Mimic, and an 80% profit incentive for Iran’s supporters, this RaaS operation threatens Western organizations with advanced, evasive ransomware.”


A ransomware like no other before

What sets Pay2Key.I2P apart is that it is the first known RaaS platform to operate fully within the Invisible Internet Project (I2P), a privacy-focused overlay network similar to Tor but harder to monitor.


While some malware families have used I2P for command-and-control (C2) traffic, Pay2Key.I2P goes further by hosting its entire infrastructure on the network, enhancing its resilience and evasion from law enforcement and cybersecurity defenders.


Swiss cybersecurity firm PRODAFT highlighted this evolution in a March 2025 alert, which was later amplified by Pay2Key’s own X (formerly Twitter) account, a rare example of a ransomware operation publicly engaging in online propaganda.


51 victims and $4M in ransoms

Since its re-emergence in February 2025, Pay2Key.I2P has reportedly compromised at least 51 organizations, collecting over $4 million in ransom payments. Some individual operators made up to $100,000.


While many victims have not been named, researchers note that Israeli and American businesses are the primary targets.


Call to action for defenders

The reactivation of Pay2Key comes amid growing geopolitical tension after the U.S. bombed three Iranian nuclear sites, and it is not an isolated event. Nozomi Networks, a firm focused on OT security, recently reported 28 Iranian-linked cyberattacks between May and June 2025, many aimed at transportation and manufacturing sectors in the U.S.


Consequently, U.S. and Israeli organizations, particularly those in healthcare, manufacturing, critical infrastructure, and finance, are being urged to:

  • Harden endpoint and server defenses

  • Monitor for unusual access to I2P nodes

  • Disable macros and script execution by default

  • Update known vulnerable software

  • Prepare for rapid incident response and data recovery
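The second item above, monitoring for I2P activity, is the least obvious to act on, because I2P traffic is encrypted and the router's external peer port is randomised at install. The script below is an added example written for this article; it is not code from Morphisec, PRODAFT or the Pay2Key operators, and the connection-log lines it analyses are constructed. It applies two heuristics to a simple "ts src sport dst dport proto" log: connections to the stock local service ports of an I2P router (HTTP proxy 4444, HTTPS proxy 4445, I2CP 7654, SAM bridge 7656, router console 7657, assuming defaults were not changed), and a single internal socket exchanging traffic with many distinct external peers, which is how I2P's UDP transport behaves and how ordinary client traffic does not. The internal address ranges and the fan-out threshold are assumptions for the example.

```python
"""Heuristic I2P-usage detector over constructed connection-log lines.

Added example for this article, not vendor or operator code. Port numbers are
the documented defaults of a stock I2P router (assumed unchanged); internal
networks and the fan-out threshold are tuning assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Stock local service ports of an I2P router (assumption: defaults unchanged).
I2P_SERVICE_PORTS = {
    4444: "I2P HTTP proxy",
    4445: "I2P HTTPS proxy",
    7654: "I2CP client interface",
    7656: "SAM bridge",
    7657: "router console",
}

# The monitored site's own address space (assumption for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Tuning knob, not a figure from the article: distinct external peers one
# internal socket must talk to before it looks like overlay participation.
FANOUT_THRESHOLD = 20


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse 'ts src sport dst dport proto' lines; '#' lines are comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        records.append({"ts": int(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "proto": proto})
    return records


def find_i2p_service_hits(records):
    """Flag TCP connections to stock I2P service ports on internal hosts.

    A hit on 127.0.0.1 means the host runs a router itself; a hit on another
    internal host means someone is using that host's proxy or SAM bridge.
    """
    hits = []
    for r in records:
        label = I2P_SERVICE_PORTS.get(r["dport"])
        if label and r["proto"] == "tcp" and is_internal(r["dst"]):
            hits.append((r["src"], r["dst"], r["dport"], label))
    return hits


def find_peer_fanout(records, threshold=FANOUT_THRESHOLD):
    """Flag one internal (ip, port, proto) socket seen with many external peers.

    I2P's UDP transport sends and receives from a single bound port, so one
    local socket talking to dozens of outside hosts on assorted ports is a
    signal; normal client traffic picks a fresh source port per flow.
    """
    peers = defaultdict(set)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            peers[(r["src"], r["sport"], r["proto"])].add(r["dst"])
        elif is_internal(r["dst"]) and not is_internal(r["src"]):
            peers[(r["dst"], r["dport"], r["proto"])].add(r["src"])
    return {k: sorted(v) for k, v in peers.items() if len(v) >= threshold}


def build_sample_log():
    """Constructed sample telemetry, not captured from any real network."""
    lines = [
        "# ts src sport dst dport proto",
        "1720000001 10.0.0.5 51234 127.0.0.1 7657 tcp",    # local router console
        "1720000002 10.0.0.7 49152 10.0.0.9 4444 tcp",     # peer's I2P HTTP proxy
        "1720000003 10.0.0.8 50001 203.0.113.200 443 tcp", # ordinary HTTPS
        "1720000004 10.0.0.8 50002 203.0.113.201 443 tcp",
        "1720000005 10.0.0.8 50003 203.0.113.202 443 tcp",
    ]
    # 10.0.0.5 keeps one UDP socket open to 25 distinct outside peers.
    for i in range(25):
        lines.append(f"{1720000010 + i} 10.0.0.5 16222 198.51.100.{i + 1} {20000 + i} udp")
    return "\n".join(lines)


def analyse(text):
    records = parse_conn_log(text)
    return {"service_hits": find_i2p_service_hits(records),
            "fanout": find_peer_fanout(records)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for hit in result["service_hits"]:
        print("I2P service port:", hit)
    for sock, ext_peers in result["fanout"].items():
        print(f"overlay-like fan-out from {sock}: {len(ext_peers)} external peers")
```

On the constructed sample this reports two service-port hits (the local console on 10.0.0.5 and host 10.0.0.7 using 10.0.0.9's proxy) and one fan-out socket (10.0.0.5:16222/udp). Both heuristics are indicators, not proof: an operator can move the service ports, and other peer-to-peer software produces similar fan-out, so treat hits as leads for host inspection (look for i2p or i2pd processes and their configuration) rather than as confirmation of the ransomware described here.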
