Moldovan Authorities Arrest Suspect Tied to DoppelPaymer Ransomware Attacks

A Moldovan suspect has been arrested for a 2021 DoppelPaymer ransomware attack that crippled Dutch research systems and caused €4.5 million in damages.

Suspect Connected to 2021 Dutch Ransomware Incident That Caused €4.5M in Damages

Moldovan law enforcement has arrested a 45-year-old foreign national believed to be connected to the DoppelPaymer ransomware attacks that targeted Dutch institutions, including the Dutch Research Council (NWO), in 2021.

The arrest took place on May 6 during a coordinated operation involving Moldovan prosecutors, the Center for Combating Cybercrimes, and authorities from the Netherlands.

Seized Evidence and Extradition Efforts

Authorities searched the suspect’s residence and vehicle, seizing:

• An electronic cryptocurrency wallet
• €84,800 in cash
• Two laptops
• A mobile phone and a tablet
• Six bank cards
• Multiple data storage devices

The suspect is currently in custody while Moldovan prosecutors begin extradition proceedings to transfer him to the Netherlands for prosecution.

2021 NWO Ransomware Attack

The individual is accused of orchestrating the February 2021 ransomware attack against the NWO, which caused an estimated €4.5 million in damages. The incident forced the NWO to shut down its grant application system.

On February 14, 2021, the council confirmed the breach. Ten days later, stolen internal documents were leaked on DoppelPaymer’s dark web site after the organization declined to pay the ransom.

DoppelPaymer’s Tactics and Origins

The DoppelPaymer ransomware operation surfaced in June 2019 after the Evil Corp gang split. A faction of its members launched DoppelPaymer using much of the same source code as BitPaymer, another ransomware tool previously associated with Evil Corp.

DoppelPaymer was known for:

• Exfiltrating sensitive data before encrypting systems
• Using that stolen data for extortion
• Threatening to delete decryption keys if victims hired negotiators
• Making follow-up phone calls to increase payment pressure

According to a 2020 FBI alert to private industry, these tactics were part of a calculated strategy to coerce victims into paying ransoms quickly.

Global Impact and Law Enforcement Action

DoppelPaymer operated actively until 2022, rebranding over time as Grief (Pay or Grief) and later as Entropy ransomware. The gang’s targets included multinational companies and critical infrastructure.

High-profile victims included:

• Foxconn
• Kia Motors America
• Delaware County, Pennsylvania
• Compal (laptop manufacturer)
• Newcastle University

Law enforcement operations against the group have intensified. In March 2023, authorities targeted two individuals believed to be central members of the gang and issued arrest warrants for three more.

The latest arrest in Moldova is part of this broader international crackdown on the ransomware operators behind DoppelPaymer and its successors.
