Pay2Key is back in focus. The Iranian-backed ransomware-as-a-service (RaaS) operation has reemerged just as tensions between Israel, Iran, and the United States flare up again. It entices affiliates with significantly higher payouts and is going after organizations in Israel and the U.S. in particular as cyber warfare escalates.
Since October 2020, Pay2Key has repeatedly harassed and intimidated Israeli businesses. Rather than relying on novel flaws, the group gains its footholds by exploiting vulnerabilities that are already publicly disclosed. The operators have been refining their ransomware builder quickly: alongside the established Windows payload it now targets Linux systems as well, and the Windows version ships as a self-extracting archive, which makes it easier to deploy.
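Because the Windows payload arrives as a self-extracting archive, a quick triage check is to look for an archive container embedded inside a PE file. The script below is an added illustration for this article, not code from Pay2Key or from any of the researchers cited; the sample bytes are constructed here, and the archive magic values are the standard 7-Zip, RAR and ZIP header signatures.

```python
"""Triage heuristic: flag Windows executables (PE/MZ) that carry an embedded
archive container, the hallmark of a self-extracting archive (SFX).
Added example for this article; not Pay2Key's or any vendor's code."""
from __future__ import annotations

# Standard header signatures of archive containers an SFX stub may carry.
ARCHIVE_MAGICS = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip": b"PK\x03\x04",
}


def find_embedded_archives(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every archive signature found in a PE file.

    Only files that start with the MZ magic are considered. The first 0x40
    bytes are skipped because they are the DOS header and cannot be an
    embedded archive.
    """
    if not data.startswith(b"MZ"):
        return []
    hits: list[tuple[int, str]] = []
    for kind, magic in ARCHIVE_MAGICS.items():
        start = 0x40
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)


def is_sfx_candidate(data: bytes) -> bool:
    """True if the PE file looks like it carries an embedded archive."""
    return bool(find_embedded_archives(data))


# Constructed samples (not real malware): a fake PE stub followed by a
# 7-Zip archive header, and the same stub with nothing appended.
_STUB = b"MZ" + b"\x00" * 0x3E + b"STUB" * 64          # 320 bytes
SAMPLE_SFX = _STUB + ARCHIVE_MAGICS["7z"] + b"\x00" * 16
SAMPLE_PLAIN = _STUB


if __name__ == "__main__":
    for name, blob in (("sfx", SAMPLE_SFX), ("plain", SAMPLE_PLAIN)):
        print(name, find_embedded_archives(blob))
```

The check is a heuristic, not a verdict: legitimate installers are also self-extracting archives, so a hit should route the file to sandboxing or further inspection rather than be treated as malicious on its own. A stricter version would parse the section table and only count signatures that sit in the overlay, past the last section, which is where SFX stubs normally store their payload.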
Pay2Key’s recent resurgence coincides with some of the most intense geopolitical conflict in recent memory. In response to it, the operation surfaced on a Russian-language darknet forum under the account “Isreactive.” The post, which first appeared on February 20, 2025, advertised a $20,000 bounty per attack, a clear signal of the financial incentive driving the campaign. According to Ilia Kulmin, a cybersecurity expert, “Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.”
Pay2Key’s payout model is part of a broader shift toward more sophisticated ransomware operations, and it stands in stark contrast to conventional RaaS arrangements. Here the affiliate who carries out a successful attack collects the ransom and remits only the operators’ share. The result is a distributed ecosystem in which the ransomware developers profit from the success of attacks rather than from tool sales alone.
Additionally, the ransomware’s infrastructure benefits from being hosted on the Invisible Internet Project (I2P), which poses a further challenge for defenders. PRODAFT noted, “While some malware families have used I2P for command-and-control communication, this is a step further – a Ransomware-as-a-Service operation running its infrastructure directly on I2P.” This deployment is another example of the perilous intersection of Iranian state-sponsored cyber warfare and global cybercrime.
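Infrastructure on I2P cannot be blocked by domain or IP reputation the way a clearnet C2 can, so the practical defensive move is to hunt for I2P usage on hosts that have no business running it. The script below is an added example for this article, not PRODAFT’s or anyone else’s tooling. It assumes a simple, constructed connection-log format (timestamp, host, process, destination) and relies on the I2P router’s default loopback ports (4444/4445 HTTP and HTTPS proxy, 4447 SOCKS, 7656 SAM, 7657 console), `.i2p` destination names, and the router’s process names; the process names and log lines are assumptions made for the example.

```python
"""Hunt for I2P activity in endpoint connection logs.
Added example for this article; the log format and sample lines are
constructed, not taken from any real product or incident."""
import re
from collections import defaultdict

# Default loopback listeners of the I2P router (Java I2P and i2pd).
I2P_LOCAL_PORTS = {
    4444: "I2P HTTP proxy",
    4445: "I2P HTTPS proxy",
    4447: "I2P SOCKS proxy",
    7656: "I2P SAM bridge",
    7657: "I2P router console",
}

# Assumed process names of the I2P router itself.
I2P_PROCESSES = {"i2pd.exe", "i2pd", "i2prouter", "i2p.exe"}

# Constructed log line format: "<ts> host=<name> proc=<image> dst=<addr>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def classify(line):
    """Return (host, proc, reasons) when a log line shows I2P use, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    dst, port, proc = m["dst"], int(m["port"]), m["proc"]
    reasons = []
    if dst.lower().endswith(".i2p"):
        reasons.append("destination is an .i2p hostname")
    if dst in ("127.0.0.1", "localhost") and port in I2P_LOCAL_PORTS:
        reasons.append(f"loopback connection to {I2P_LOCAL_PORTS[port]} (port {port})")
    if proc.lower() in I2P_PROCESSES:
        reasons.append(f"known I2P router process {proc}")
    return (m["host"], proc, reasons) if reasons else None


def hunt(lines):
    """Group I2P findings by host: {host: [(proc, [reasons]), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        hit = classify(line.strip())
        if hit:
            host, proc, reasons = hit
            findings[host].append((proc, reasons))
    return dict(findings)


# Constructed sample log: one benign line per host plus three suspicious ones.
SAMPLE_LOG = """\
2025-07-01T09:00:01Z host=ws-17 proc=chrome.exe dst=example.com:443
2025-07-01T09:00:05Z host=ws-17 proc=unknown.exe dst=127.0.0.1:4444
2025-07-01T09:00:06Z host=ws-17 proc=unknown.exe dst=xyz123abc.b32.i2p:80
2025-07-01T09:01:00Z host=srv-db1 proc=i2pd.exe dst=203.0.113.9:28671
2025-07-01T09:02:00Z host=ws-02 proc=outlook.exe dst=mail.example.com:993
""".splitlines()


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_LOG).items():
        for proc, reasons in hits:
            print(f"{host}: {proc}: {'; '.join(reasons)}")
```

The loopback-port and process-name checks catch a router installed on the endpoint; the `.i2p` check catches name lookups or proxy requests even when the router runs elsewhere. What this does not catch is the router’s own peer traffic, which uses NTCP2/SSU2 on arbitrary ports to a changing peer set, so port-based blocking at the perimeter is not a reliable substitute for host-level hunting.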
Beyond Israeli firms, Iranian threat actors linked to Pay2Key have stepped up their efforts against U.S. organizations. Well-known Iranian groups such as MuddyWater, APT33, and Fox Kitten have all been tied to attacks on American companies. Nozomi Networks reported detecting 28 cyber attacks attributed to Iranian actors, including Pay2Key, between May and June 2025.
As these threats evolve, security professionals are urging organizations to watch for newly exploited vulnerabilities and emerging threats. “Industrial and critical infrastructure organizations in the U.S. and abroad are urged to be vigilant and review their security posture,” stated Nozomi Networks.