{
	"id": "b5ffd979-c7d2-493b-88fb-2f818b89f16f",
	"created_at": "2026-04-06T00:13:04.960651Z",
	"updated_at": "2026-04-10T03:33:15.60197Z",
	"deleted_at": null,
	"sha1_hash": "e6be7fd7fec0ca7546b2ba6d2109292bf7182a1f",
	"title": "Moldova arrests suspect linked to DoppelPaymer ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2885810,
	"plain_text": "Moldova arrests suspect linked to DoppelPaymer ransomware attacks\r\nBy Sergiu Gatlan\r\nPublished: 2025-05-12 · Archived: 2026-04-05 21:35:37 UTC\r\nMoldovan authorities have detained a 45-year-old suspect linked to DoppelPaymer ransomware attacks targeting Dutch\r\norganizations in 2021.\r\nPolice officers searched the suspect's home and car on May 6, seizing an electronic wallet, €84,800, two laptops, a mobile\r\nphone, a tablet, six bank cards, and multiple data storage devices.\r\nThe suspect remains in custody, while Moldovan prosecutors have initiated legal procedures to extradite him to the\r\nNetherlands.\r\nThe arrest resulted from a joint action involving Moldovan prosecutors, the country's Center for Combating Cybercrimes,\r\nand law enforcement in the Kingdom of the Netherlands.\r\nA Monday press release added that the suspect, described as a \"foreign citizen,\" had allegedly orchestrated a 2021\r\nransomware attack against the NWO (Dutch Research Council) that led to roughly €4.5 million in damages.\r\nThe NWO disclosed the incident on February 14, 2021, saying the attack forced it to shut down its grant application system.\r\nTen days later, the attackers published documents stolen from the council's network on DoppelPaymer's dark web leak site\r\nafter the NWO refused to pay a ransom demand.\r\nDoppelPaymer ransomware\r\nThe DoppelPaymer ransomware operation emerged in June 2019 after the Evil Corp cybercrime gang split, with some\r\nmembers creating a new ransomware gang that shared much of the same code as Evil Corp's BitPaymer.\r\nBesides using stolen files as leverage to force victims into paying ransoms as they did in NWO's case, DoppelPaymer\r\nransomware operators threatened to wipe decryption keys if victims contracted professional negotiators to obtain a better\r\nprice for recovering the encrypted data.\r\nAs the FBI warned in a 2020 private industry alert, \"Prior to infecting systems with ransomware, the actors' exfiltrate data to\r\nuse in extortion schemes and have made follow-on telephone calls to victims to further pressure them to make ransom\r\npayments.\"\r\nDoppelPaymer continued to attack large companies and critical infrastructure organizations through 2022, rebranding twice\r\nas Grief (a.k.a. Pay or Grief) and Entropy ransomware.\r\nLaw enforcement has targeted two other individuals believed to be core members of the DoppelPaymer ransomware group\r\nin March 2023 and issued arrest warrants for three other core members.\r\nThe gang's victims list includes high-profile companies and organizations worldwide, such as electronics giant Foxconn, Kia\r\nMotors America, Delaware County in Pennsylvania, laptop maker Compal, and Newcastle University.\r\nSource: https://www.bleepingcomputer.com/news/security/moldova-arrests-suspect-linked-to-doppelpaymer-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/moldova-arrests-suspect-linked-to-doppelpaymer-ransomware-attacks/"
	],
	"report_names": [
		"moldova-arrests-suspect-linked-to-doppelpaymer-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6be7fd7fec0ca7546b2ba6d2109292bf7182a1f.pdf",
		"text": "https://archive.orkl.eu/e6be7fd7fec0ca7546b2ba6d2109292bf7182a1f.txt",
		"img": "https://archive.orkl.eu/e6be7fd7fec0ca7546b2ba6d2109292bf7182a1f.jpg"
	}
}