Moldovan authorities arrest suspect tied to DoppelPaymer ransomware attacks

Moldovan authorities announced the arrest of a 45-year-old foreign national suspected of involvement in the notorious DoppelPaymer ransomware attacks.

The individual, whose identity has not been disclosed, is accused of participating in ransomware operations, extortion, and money laundering schemes targeting organizations in the Netherlands. The arrest was carried out with support from Dutch law enforcement.

During a search of the suspect’s residence and vehicle, officials seized an array of digital and financial items, including laptops, portable drives, bank cards, and €84,800 (approximately $94,000) in cash. Among the alleged crimes is a ransomware attack on the Dutch Research Council (NWO), which reportedly resulted in losses of nearly €4.5 million (~$5 million).

The NWO attack, disclosed in February 2021, involved the DoppelPaymer ransomware, which encrypted files and exfiltrated data from the organization. The NWO refused to pay the ransom, leading to the public release of stolen documents.

DoppelPaymer first appeared in 2019 as a variant of the BitPaymer ransomware and has been linked to the cybercrime group TA505, also known as Evil Corp. The group has been implicated in numerous high-profile attacks across critical infrastructure, healthcare, education, and other sectors.

In one case, a DoppelPaymer-linked attack on a German hospital disrupted IT systems and was associated with a patient’s death.

Authorities in several countries, including Germany, Ukraine, the US, and the Netherlands, have coordinated operations against the ransomware gang, including a major raid in February 2023.

The suspect remains in custody and is awaiting extradition to the Netherlands.
