Pay2Key.I2P: The Iranian Ransomware-as-a-Service Model Blending Ideology with Profit
July 11, 2025
In early 2025, a significant evolution in Iran-linked cyber operations emerged with the reappearance of Pay2Key under a new identity: Pay2Key.I2P. More than just a ransomware variant, this latest deployment signals a strategic shift in the modus operandi of Iranian-affiliated threat actors, merging state-aligned ideological objectives with financially motivated cybercrime at scale. Hosted entirely on the Invisible Internet Project (I2P), a first for any known Ransomware-as-a-Service (RaaS) operation, this RaaS platform is not operating in isolation. It reflects a broader alignment between Iranian APTs like Fox Kitten (aka Lemon Sandstorm) and well-known ransomware crews such as BlackCat (ALPHV), RansomHouse, and NoEscape. Their collaborative infrastructure marks a turning point in how cyberwarfare intersects with global cybercrime markets. This report offers insight into how ransomware is being weaponized not only for profit but also for state-backed digital confrontation.