{
	"id": "67048d90-1c59-4b3c-943c-e361f7f96bdd",
	"created_at": "2026-04-06T00:21:37.797707Z",
	"updated_at": "2026-04-10T03:20:37.664777Z",
	"deleted_at": null,
	"sha1_hash": "da4b67cb73603aa7064d8b31bd0c5be5d4057ebe",
	"title": "DoppelPaymer ransomware group suspects identified",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 621374,
	"plain_text": "DoppelPaymer ransomware group suspects identified\r\nBy Pieter Arntz\r\nPublished: 2023-09-19 · Archived: 2026-04-05 14:34:33 UTC\r\nThe German police in cooperation with the US Secret Service have executed search warrants against suspected\r\nmembers of the DoppelPaymer ransomware group in Germany and Ukraine.\r\nIn March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support\r\nfrom Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two\r\nsuspects and seized computer equipment.\r\nSince then, cybercrime group specialists from the North Rhine-Westphalia State Criminal Police Office (LKA\r\nNRW), together with the Cybercrime Central and Contact Point (ZAC NRW), carried out another targeted strike\r\nagainst people associated with the criminal network.\r\nTwo men in particular became the focus during blockchain investigations by the LKA NRW and the US Secret\r\nService. They are a 44-year-old Ukrainian who apparently held a key position within the organization and a\r\n45-year-old man from southern Germany who is suspected of having received suspicious funds, possibly originating\r\nfrom ransomware attacks.\r\nCryptocurrency investigators use specialized strategies to track down criminals. The investigators use tools to\r\ncollect evidence, trace funds through the blockchain, and try to determine who converted them into fiat currencies.\r\nAlthough cryptocurrency is anonymous, that doesn’t mean it’s untraceable. All the transactions are recorded on a\r\npublic ledger, which provides a treasure trove of data to search, analyze, and categorize.\r\nOver the past few years, DoppelPaymer claimed responsibility for a high-profile ransomware attack on Kia Motors\r\nAmerica. The gang was also responsible for a costly attack on the St. Lucie County sheriff’s department, the\r\nDutch Institute for Scientific Research (NWO), and the Illinois Attorney General’s office. Other victims attacked\r\nby DoppelPaymer in the past include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in\r\nCalifornia, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom.\r\nSince March of 2021, DoppelPaymer has been missing from our monthly ransomware reviews, and the last known\r\nleak site address we had on record for them has been taken offline.\r\nDuring their active period (2017 – 2021), more than 600 victims worldwide were extorted, some of them up to\r\ndouble-digit millions. The investigations by the German authorities, which have been ongoing since 2020, led to\r\nthe international public search for Igor Olegovich Turashev and Igor Garshin in March 2023. Both of these\r\nsuspects are currently on EUROPOL’s “Most-Wanted” list. The suspicion against a third person could not be\r\nsufficiently substantiated during further investigations, so the public search was withdrawn.\r\nSource: https://www.malwarebytes.com/blog/news/2023/09/doppelpaymer-ransomware-group-suspects-identified",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2023/09/doppelpaymer-ransomware-group-suspects-identified"
	],
	"report_names": [
		"doppelpaymer-ransomware-group-suspects-identified"
	],
	"threat_actors": [],
	"ts_created_at": 1775434897,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da4b67cb73603aa7064d8b31bd0c5be5d4057ebe.pdf",
		"text": "https://archive.orkl.eu/da4b67cb73603aa7064d8b31bd0c5be5d4057ebe.txt",
		"img": "https://archive.orkl.eu/da4b67cb73603aa7064d8b31bd0c5be5d4057ebe.jpg"
	}
}