An Iranian-backed ransomware-as-a-service (RaaS) operation, Pay2Key, has re-emerged with heightened aggression, targeting Israel and the United States. Operating under the new moniker Pay2Key.I2P, this financially motivated scheme is now offering significantly larger profit shares to cybercriminals, indicating a strategic escalation in cyber warfare aimed at geopolitical adversaries.
The updated ransomware service has been linked to the notorious Fox Kitten advanced persistent threat (APT) group, also known as Lemon Sandstorm. Security researchers note that Pay2Key.I2P appears to leverage or actively partner with the well-known Mimic ransomware, further enhancing its capabilities. This convergence of financially driven cybercrime with state-sponsored objectives presents a complex and evolving threat landscape for both private and governmental organizations.
Understanding the Pay2Key.I2P Threat
Pay2Key.I2P has demonstrated a clear ideological commitment alongside its financial pursuits. The group officially advertises an 80% profit share for affiliates who support Iran or participate in attacks against Iranian adversaries, a notable increase from the previous 70%. This suggests a direct alignment with the geopolitical tensions characterizing the region and a strategic effort to incentivize participation in politically motivated cyberattacks.
The group’s operations date back to at least October 2020, when they were observed targeting Israeli companies by exploiting known security vulnerabilities. The resurgence as Pay2Key.I2P in February 2025 has been particularly impactful, with reports indicating over 51 successful ransom payouts within its initial four months of operation. These attacks have reportedly generated more than $4 million in ransom payments, with individual operators potentially profiting up to $100,000.
Innovation in the Dark Web: I2P Integration
A significant development in the Pay2Key.I2P operation is its pioneering use of the Invisible Internet Project (I2P) for its RaaS infrastructure. This marks the first known instance of an entire RaaS platform being hosted on I2P. While some malware families have previously utilized I2P for command-and-control (C2) communication, this represents a more profound integration, establishing the core infrastructure of a criminal service within the anonymity-focused network.
Further blurring the lines between traditional RaaS models and this new approach, Pay2Key.I2P has been observed advertising on a Russian darknet forum. By allowing anyone to deploy the ransomware binary for a $20,000 payout per successful attack, the group has shifted its operational paradigm. This model allows the developers to capture the full ransom while sharing a portion with the attackers, fostering a more decentralized ecosystem where profit is directly tied to attack success rather than just tool sales.
Evolving Capabilities and Evasion Techniques
The ransomware builder has seen continuous refinement, with an option to target Linux systems introduced as of June 2025. The Windows variant is delivered as an executable encapsulated within a self-extracting (SFX) archive. This adaptability signals the threat actors’ intent to broaden their attack surface and maximize their impact across diverse environments.
Pay2Key.I2P also incorporates sophisticated evasion techniques designed to hinder detection and investigation. These methods include disabling Microsoft Defender Antivirus and deleting the malicious artifacts deployed during an attack, thereby minimizing the forensic trail left behind. SonicWall Capture Labs has reported that some infection sequences have begun by leveraging portable executables disguised as Microsoft Word documents, which then execute cmd files to initiate the encryption process and deploy ransom notes.
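The delivery chain described above (a portable executable wearing a Word document name, in some cases wrapped as an SFX archive) can be caught before execution by comparing what a file's name claims against its actual container signature. The following triage routine is an added example written for this article, not code from the article's author, SonicWall, or the threat actor; the file names and byte strings are constructed for illustration and are not indicators from any real sample. A `.doc` should begin with an OLE compound-file header and a `.docx` with a ZIP header, so a file with a Word extension that starts with the `MZ` executable header is a masquerade regardless of how convincing the name is. For executables, the routine also scans past the DOS header for a RAR, 7-Zip, or ZIP signature, a cheap hint that the file is an SFX stub carrying an archived payload.

```python
import os
from typing import Optional

# Constructed sample files (fabricated bytes, not real indicators).
SAMPLES = {
    "quarterly_report.docx": b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml",
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    # PE with a Word extension: the masquerade the article describes
    "contract_signed.docx": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 40,
    # PE with a Word extension and an embedded RAR signature: SFX-style wrapper
    "payroll_update.docx": b"MZ\x90\x00" + b"\x00" * 124 + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
    "notes.txt": b"just text",
}

# Which container each Word extension is expected to use.
WORD_EXTENSIONS = {
    ".doc": {"ole"}, ".dot": {"ole"},                       # legacy binary Word
    ".docx": {"zip"}, ".docm": {"zip"}, ".dotx": {"zip"},   # OOXML is a ZIP archive
}

# Archive signatures that an SFX stub may carry after its PE header.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
}


def sniff_container(data: bytes) -> str:
    """Identify the container from leading magic bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    return "unknown"


def embedded_archive(data: bytes) -> Optional[str]:
    """For a PE, look for an archive signature beyond the DOS header region.
    A hit suggests a self-extracting stub bundling a payload."""
    for magic, kind in ARCHIVE_MAGICS.items():
        if data.find(magic, 64) != -1:
            return kind
    return None


def triage(name: str, data: bytes) -> dict:
    """Compare the extension's implied container with the real one."""
    ext = os.path.splitext(name.lower())[1]
    container = sniff_container(data)
    result = {"name": name, "container": container, "sfx_archive": None}
    if ext not in WORD_EXTENSIONS:
        result["verdict"] = "NOT_WORD"          # out of scope for this check
    elif container == "pe":
        result["verdict"] = "MASQUERADE_PE"     # executable posing as a document
        result["sfx_archive"] = embedded_archive(data)
    elif container in WORD_EXTENSIONS[ext]:
        result["verdict"] = "OK"
    else:
        result["verdict"] = "MISMATCH"          # Word name, but neither PE nor expected container
    return result


def alerts(samples: dict) -> list:
    """Return only the findings a responder should look at."""
    return [r for r in (triage(n, d) for n, d in samples.items())
            if r["verdict"] in ("MASQUERADE_PE", "MISMATCH")]


if __name__ == "__main__":
    for finding in alerts(SAMPLES):
        print(finding)
```

Running the script over the constructed samples flags `contract_signed.docx` as a bare executable and `payroll_update.docx` as an executable with an embedded RAR signature, while the genuine OLE and OOXML files pass. In a real deployment the same check would run against mail attachments or download directories, and a `MASQUERADE_PE` verdict is a strong signal on its own, since no legitimate Word document begins with an `MZ` header.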
The Geopolitical Dimension of Cyber Attacks
The emergence of Pay2Key.I2P underscores a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime. The U.S. government has previously highlighted the modus operandi of Iranian APTs in collaborating with ransomware crews like NoEscape, RansomHouse, and BlackCat (ALPHV). This latest development, with its direct ties to Fox Kitten and Mimic, and its significant profit incentives, poses a substantial threat to Western organizations.
These findings arrive amidst warnings from U.S. cybersecurity and intelligence agencies regarding retaliatory cyberattacks from Iran, following American airstrikes on three nuclear facilities. Operational technology (OT) security firms have noted increased targeting of transportation and manufacturing organizations in the U.S. by various Iranian hacking groups, including MuddyWater, APT33, OilRig, Cyber Av3ngers, Fox Kitten, and Homeland Justice. Between May and June 2025 alone, 28 cyberattacks attributed to Iranian threat actors were detected, emphasizing the urgent need for heightened vigilance in critical infrastructure sectors.
Industrial and critical infrastructure organizations are strongly advised to review their security postures and remain vigilant against potential threats. The ongoing evolution of the Pay2Key.I2P operation, its deep ties to Iranian state-sponsored activities, and its growing technical capabilities suggest that these attacks will likely continue to pose a significant cybersecurity challenge in the coming months.