Moldovan Police Capture Ransomware Suspect Tied to NWO Hack


A 45-year-old foreign national has been arrested by Moldovan Police for allegedly taking part in a string of ransomware attacks that hit Dutch companies in 2021 — including a high-profile incident targeting the Netherlands Organization for Scientific Research (NWO). The suspect, whose identity has not been publicly disclosed, is wanted internationally for a series of cybercrimes, including ransomware deployment, extortion, and money laundering.

According to Moldovan authorities, the arrest was made following a raid at the suspect’s residence. Investigators confiscated more than €84,000 in cash, a digital wallet, multiple electronic devices (including two laptops, a mobile phone, and a tablet), six memory cards, six bank cards, and two external storage devices — evidence believed to be linked to the criminal operation.

One of the most damaging attacks attributed to the suspect was the February 2021 ransomware assault on NWO. In that attack, hackers encrypted key files, blocked access to network drives, and demanded a ransom. When the organization refused to pay, stolen internal documents were leaked online. The financial damage was estimated at approximately €4.5 million.

NWO later confirmed that some of their data had been stolen and published after they declined to meet the attackers’ demands, consistent with the tactics used by the DoppelPaymer ransomware group. The group is known for a double-extortion model — encrypting systems and threatening to leak data if ransom demands aren’t met.

DoppelPaymer: A Persistent Cyber Threat

The DoppelPaymer ransomware family first emerged in mid-2019 and has been linked to the earlier BitPaymer malware strain, based on similarities in source code and ransom note structure. The group has been responsible for attacks on hospitals, research institutions, manufacturing firms, and government agencies worldwide.

Law enforcement agencies have been stepping up efforts to dismantle the network. In March 2023, German and Ukrainian authorities launched coordinated raids against suspected members of the DoppelPaymer gang. Germany also issued arrest warrants for three individuals believed to be core members: Igor Olegovich Turashev, Igor Garshin (aka Igor Garschin), and Irina Zemlianikina.

The latest arrest in Moldova suggests that international pressure on ransomware syndicates is beginning to yield results — especially when operations cross borders and involve collaboration among law enforcement from multiple nations.

As cybercrime investigations continue, this case highlights how persistent ransomware threats remain and the critical importance of international cooperation in holding threat actors accountable.
