Iranian-Backed Ransomware Pay2Key Resurfaces with Ideological Motive and New I2P Infrastructure

The Iranian-linked ransomware-as-a-service (RaaS) group Pay2Key has made a return in the wake of heightened tensions between Iran, Israel, and the U.S., now rebranded as Pay2Key.I2P. The group is offering increased payouts to cybercriminals targeting the U.S. and Israel, with an 80% profit share—up from the previous 70%—for affiliates supporting Iran or participating in attacks against its perceived enemies. “Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.”

Security researchers from Morphisec have attributed this revived threat to the Iranian advanced persistent threat (APT) group Fox Kitten, also known as Lemon Sandstorm. Pay2Key.I2P is reportedly working closely with or integrating features of the Mimic ransomware. The operation appears to combine financial motivation with a political agenda, amounting to a form of cyber warfare aimed at Western targets.

Since its resurgence in February 2025, Pay2Key.I2P has claimed over 51 successful ransomware deployments, raking in more than $4 million in ransom payments and generating profits exceeding $100,000 for individual cyber operators. Notably, it is the first known RaaS platform to operate directly on the Invisible Internet Project (I2P), enhancing anonymity and resilience. “While some malware families have used I2P for [command-and-control] communication, this is a step further – a Ransomware-as-a-Service operation running its infrastructure directly on I2P,” PRODAFT noted.

The group has also shifted its business model. Rather than selling ransomware tools for a flat fee, it now posts on Russian darknet forums offering $20,000 payouts per successful attack. “This shift moves away from a simple tool-sale model, creating a more decentralized ecosystem, where ransomware developers earn from attack success rather than just from selling the tool,” according to Morphisec’s Ilia Kulmin.

The latest version of Pay2Key includes capabilities to target both Linux and Windows systems, with the latter deployed through a self-extracting archive. It employs advanced evasion tactics, such as disabling Microsoft Defender and removing attack traces to hinder forensic analysis.
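The two Windows behaviours described above, disabling Microsoft Defender and then wiping traces, are both visible in standard Windows event logs, so a defender can correlate them. The following is an added example, not code from the article or from Morphisec/PRODAFT: it parses constructed JSON-lines telemetry (the hosts and timestamps are invented; the event IDs are the documented Windows ones) and raises a high-severity alert when Defender tampering on a host is followed by an event-log clear within a time window.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), in the JSON-lines shape a SIEM forwarder
# might emit. Event IDs are the documented Windows ones; hosts and times are made up.
SAMPLE_LOG = """
{"ts": "2025-06-12T10:01:03Z", "host": "fs01", "provider": "Microsoft-Windows-Windows Defender", "id": 5001}
{"ts": "2025-06-12T10:01:05Z", "host": "fs01", "provider": "Microsoft-Windows-Windows Defender", "id": 5010}
{"ts": "2025-06-12T10:14:40Z", "host": "fs01", "provider": "Microsoft-Windows-Eventlog", "id": 1102}
{"ts": "2025-06-12T10:15:02Z", "host": "fs01", "provider": "Microsoft-Windows-Eventlog", "id": 104}
{"ts": "2025-06-12T11:30:00Z", "host": "ws07", "provider": "Microsoft-Windows-Windows Defender", "id": 5001}
{"ts": "2025-06-12T09:00:00Z", "host": "dc01", "provider": "Microsoft-Windows-Eventlog", "id": 1102}
"""

DEFENDER = "Microsoft-Windows-Windows Defender"
EVENTLOG = "Microsoft-Windows-Eventlog"
DEFENDER_TAMPER = {5001, 5010, 5012}  # real-time protection / malware scanning disabled
LOG_CLEARED = {1102, 104}             # Security log cleared / System log cleared


def parse(log_text):
    """Parse JSON lines into event dicts, ordered by host and then by time."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: (e["host"], e["ts"]))


def correlate(events, window=timedelta(minutes=30)):
    """Return {host: alert}. 'high' when Defender tampering is followed by a log clear
    within `window`; 'medium' for Defender tampering alone. A log clear with no prior
    tampering on that host is left to other rules, since it is common during maintenance."""
    alerts = {}
    for e in events:
        host = e["host"]
        if e["provider"] == DEFENDER and e["id"] in DEFENDER_TAMPER:
            alerts.setdefault(host, {"severity": "medium",
                                     "first_tamper": e["ts"], "cleared": []})
        elif e["provider"] == EVENTLOG and e["id"] in LOG_CLEARED:
            a = alerts.get(host)
            if a and timedelta(0) <= e["ts"] - a["first_tamper"] <= window:
                a["severity"] = "high"
                a["cleared"].append(e["id"])
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(parse(SAMPLE_LOG)).items():
        print(host, alert["severity"], alert["cleared"])
```

On the sample data fs01 is flagged high (tampering at 10:01, Security and System logs cleared about 14 minutes later), ws07 medium, and dc01 not at all.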

“Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime,” Morphisec warned. The resurgence comes amid broader warnings from U.S. intelligence agencies, which have reported increased cyber threats from Iranian groups like MuddyWater, OilRig, Cyber Av3ngers, and Homeland Justice targeting critical infrastructure, particularly in the U.S.

OT security firm Nozomi Networks observed 28 Iranian-attributed cyberattacks between May and June 2025, urging organizations to review and strengthen their cybersecurity defenses.
