Authorities in Moldova have arrested a man suspected of helping run DoppelPaymer ransomware operations. The 45-year-old foreign national is accused of targeting Dutch institutions through cyberattacks, data theft, and extortion.
Law enforcement searched the suspect’s home and car during the arrest. They seized two laptops, a mobile phone, a tablet, several storage drives, memory cards, bank cards, and an electronic wallet. Police also recovered nearly €85,000 in cash.
Investigators say the suspect played a major role in the 2021 ransomware attack on the Dutch Research Council (NWO). That breach caused around €4.5 million in damages. The NWO refused to pay any ransom, and the hackers later leaked stolen data online.
The DoppelPaymer ransomware operation has deep roots. It first appeared in 2019 as a modified version of BitPaymer, which itself was linked to a cybercrime group called TA505, also known as Evil Corp. That group is infamous for deploying banking malware like Dridex and Locky.
Over the years, DoppelPaymer has hit hospitals, schools, and even critical infrastructure. Victims are often locked out of their systems, pressured to pay ransoms, and threatened with public leaks of sensitive data.
In response, global law enforcement began working together. In February 2023, agencies in Germany and Ukraine, backed by the FBI and Europol, raided locations tied to the DoppelPaymer ransomware gang. Just a month later, Europol said it had identified eleven members of the group. Several were detained, though three senior figures (Igor Turashev, Irina Zemlianikina, and Igor Garshin) remain at large, believed to be in Russia.
The suspect now in custody awaits extradition to the Netherlands. Dutch authorities are expected to charge him in connection with the NWO attack and other ransomware incidents.
This arrest is seen as a major win in the ongoing fight against ransomware-as-a-service (RaaS) networks. It shows how international cooperation is closing in on once-elusive cybercriminals.