Pierluigi Paganini May 13, 2025

A 45-year-old foreign man has been arrested in Moldova for allegedly participating in ransomware attacks on Dutch companies in 2021.

Moldovan police arrested a 45-year-old foreign man as a result of a joint international operation involving Moldovan and Dutch authorities. He is internationally wanted for multiple cybercrime, including ransomware attacks, blackmail, and money laundering, targeting Dutch companies.

One major attack hit the Netherlands Organization for Scientific Research, causing €4.5 million in damage. The experts linked the 2021 attack to the ransomware operation DoppelPaymer.

“He is wanted internationally for committing several cybercrimes (ransomware attacks, blackmail, and money laundering) against companies based in the Netherlands.” reads the press release published by Moldovan police. “In one of the cases, the suspect allegedly organized a “ransomware” cyberattack on the Netherlands Organization for Scientific Research (NWO), causing material damage worth approximately 4.5 million euros.”

On May 6, 2025, the Moldovan law enforcement searched the suspect’s home and car, seizing key evidence linked to cybercrimes, including €84,800 in cash, an e-wallet, laptops, a phone, a tablet, six bank cards, and multiple storage devices.

DoppelPaymer ransomware has been active since June 2019; in November 2020, Microsoft Security Response Center (MSRC) warned customers of the DoppelPaymer ransomware and provided useful information on the threat.

DoppelPaymer is based on the BitPaymer ransomware and the Dridex malware family, operators often use the EMOTET malware to spread it.

DoppelPaymer was distributed through various channels, such as phishing and spam messages. The operators behind this ransomware family rely on a double extortion scheme, the gang launched a leak site in early 2020. According to German authorities, at least 37 companies were hit with the ransomware, the most prominent victim being the University Hospital in Düsseldorf. The Europol states that in the US, victims payed at least 40 million euros between May 2019 and March 2021.

In March 2023, Europol announced that an international operation conducted by law enforcement in Germany and Ukraine, with the help of the US FBI and the Dutch police, targeted two key figures of the DoppelPaymer ransomware group.

“On 28 February 2023, the German Regional Police (Landeskriminalamt Nordrhein-Westfalen) and the Ukrainian National Police (Націона́льна полі́ція Украї́ни), with support from Europol, the Dutch Police (Politie) and the United States Federal Bureau of Investigations, targeted suspected core members of the criminal group responsible for carrying out large-scale cyberattacks with the DoppelPaymer ransomware.” reads the press release published by the Europol.

In March 2023, law enforcement authorities from Germany and Ukraine targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DoppelPaymer )