{
	"id": "708b57aa-46e4-47fc-a831-e10c5eaba404",
	"created_at": "2026-04-06T00:18:09.924495Z",
	"updated_at": "2026-04-10T03:20:54.406472Z",
	"deleted_at": null,
	"sha1_hash": "62b727b0db2f73aeea3a92243a044d78aed98aca",
	"title": "Core DoppelPaymer ransomware gang members targeted in Europol operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2489433,
	"plain_text": "Core DoppelPaymer ransomware gang members targeted in Europol\r\noperation\r\nBy Bill Toulas\r\nPublished: 2023-03-06 · Archived: 2026-04-05 17:32:38 UTC\r\nEuropol has announced that law enforcement in Germany and Ukraine targeted two individuals believed to be core members\r\nof the DoppelPaymer ransomware group.\r\nThe operation consisted of raids on multiple locations in the two countries in February and was the result of a coordinated\r\neffort that also involved Europol, the FBI and the Dutch Police.\r\nTwo suspects detained\r\n\"German officers raided the house of a German national, who is believed to have played a major role in the DoppelPaymer\r\nransomware group,\" Europol says in a press release published today.\r\nhttps://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/\r\nPage 1 of 4\n\nThe agency notes that \"despite the current extremely difficult security situation that Ukraine\" faces due to the Russian invasion,\r\npolice officers in the country \"interrogated a Ukrainian national who is also believed to be a member of the core\r\nDoppelPaymer group.\"\r\nGerman officers raided one location - the house of the German national believed to have had a \"major role in the\r\nDoppelPaymer ransomware group.\" In Ukraine, the police searched two locations - in Kiev and Kharkiv.\r\nElectronic equipment has been seized, and investigators and IT experts are examining it for forensic evidence.\r\nThree experts from Europol have also been deployed to Germany to cross-check operational information with information\r\nfrom Europol's databases and to help with analysis, crypto tracing, and forensic work.\r\n\"The analysis of this data and other related cases is expected to trigger further investigative 
activities,\" Europol says. This\r\nwork may reveal other members of the ransomware group as well as affiliates that deployed the malware and ransomed\r\nvictims across the world.\r\nBoth the investigation and the legal procedures are ongoing at the moment.\r\nThree more DoppelPaymer suspects wanted\r\nGerman authorities believe that the DoppelPaymer ransomware operation involved five core members that maintained the\r\nattack infrastructure, the data leak sites, handled negotiations, and deployed the malware on breached networks.\r\nArrest warrants have been issued for another three suspects that law enforcement are currently looking for worldwide:\r\nIgor Garshin/Garschin - believed to be responsible for reconnaissance, breaching, and deploying the DoppelPaymer\r\nlocker on victim networks\r\nIgor Olegovich Turashev - believed to have had a major part in attacks against German companies, acting as the\r\nadmin of the infrastructure and malware used for intrusions\r\nIrina Zemlianikina - responsible for the initial stage of the attack, sending out malicious emails; she was also\r\nhandling the data leak sites, the chat system, and publishing the data stolen from the victims\r\nAccording to the German police, the five suspects are the \"masterminds\" of the DoppelPaymer ransomware gang and are\r\nconnected to Russia.\r\nDoppelPaymer ransomware\r\nThe DoppelPaymer ransomware operation emerged in 2019 targeting critical infrastructure organizations and large\r\ncompanies.\r\nIn 2020, the threat actor started to steal data from the victim networks and adopted the double extortion method by\r\nthreatening to publish the stolen files on a leak site on the Tor network.\r\nEuropol estimates that between May 2019 and March 2021, victims based in the United States alone paid DoppelPaymer at\r\nleast $42.4 million. 
The German authorities have also confirmed 37 cases where companies were targeted by the\r\nransomware gang.\r\nThe DoppelPaymer malware is based on the BitPaymer ransomware. The file-encrypting threat was delivered through\r\nDridex malware, which was pushed by the infamous Emotet botnet.\r\nThe infection vector was spear-phishing emails containing documents with malicious VBS or JavaScript code. The threat\r\nactor also used a legitimate tool, Process Hacker, to terminate security-related products running on the victim systems.\r\nAlthough the operation rebranded as \"Grief\" (Pay or Grief) in July 2021 in an attempt to escape law enforcement, attacks\r\nbecame more sparse.\r\nAmong DoppelPaymer's high-profile victims are Kia Motors America, Delaware County in Pennsylvania (paid a\r\n$500,000 ransom), laptop maker Compal, Newcastle University (files leaked), electronics giant Foxconn, and the Dutch\r\nResearch Council (NWO).\r\nTo force victims into paying the ransom, the operators of the DoppelPaymer ransomware threatened to wipe the decryption\r\nkeys if victims contracted professional negotiators to obtain a better price for recovering the locked data.\r\nHowever, the attack frequency decreased to the point that the gang no longer maintains the leak site.\r\nUPDATE [March 6, 11:10 AM EST]: Article updated with new information about three more suspects sought by law\r\nenforcement for their major role in the DoppelPaymer ransomware operation.\r\n
Source: https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/"
	],
	"report_names": [
		"core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62b727b0db2f73aeea3a92243a044d78aed98aca.pdf",
		"text": "https://archive.orkl.eu/62b727b0db2f73aeea3a92243a044d78aed98aca.txt",
		"img": "https://archive.orkl.eu/62b727b0db2f73aeea3a92243a044d78aed98aca.jpg"
	}
}