Threat Actor Profile
Low Cybercriminal
Description

Pay2Key is ransomware that has been used by the threat actor Fox Kitten. The group seems to operate since July 2020, targetting mainly Israeli companies. Pay2Key has a darknet leak site to public stolen and sensitive information of their victims. Some of their victims: Intel - Habana Labs, IAI - Israel Aerospace Industries, Portnox - Network Security Solutions.

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'Pay2Key is ransomware that has been used by the threat actor '
                'Fox Kitten. The group seems to operate since July 2020, '
                'targetting mainly Israeli companies. Pay2Key has a darknet '
                'leak site to public stolen and sensitive information of their '
                'victims. Some of their victims: Intel - Habana Labs, IAI - '
                'Israel Aerospace Industries, Portnox - Network Security '
                'Solutions.\n',
 'firstseen': '2020-12-13T00:00:00+00:00',
 'group': 'pay2key',
 'has_negotiations': False,
 'has_ransomnote': False,
 'lastseen': '2021-09-09T23:46:57.658522+00:00',
 'locations': [{'available': False,
                'fqdn': 'pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion',
                'slug': 'http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion/',
                'title': 'Pay2Key Leak Directory!',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 0,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': False,
                     'locations': [{'available': False,
                                    'fqdn': 'pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion',
                                    'slug': 'http://pay2key2zkg7arp3kv3cuugdaqwuesifnbofun4j6yjdw5ry7zw2asid.onion/',
                                    'title': 'Pay2Key Leak Directory!',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 0,
                     'ransomware_live_group': 'pay2key',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/pay2key',
                     'victims': 7,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/pay2key',
 'victims': 7,
 'vulnerabilities': []}
Quick Actions
Back to Threat Actors
Dashboard Home