Top members of DoppelPaymer Ransomware gang arrested

Authorities have arrested two suspected members of the DoppelPaymer ransomware gang in Germany and Ukraine, believed to be high-value members of the cybercrime syndicate.
The DoppelPaymer ransomware gang was involved in targeted ransomware attacks against Visser Precision, the custom part supplier for high-profile firms in the automotive and aeronautics sectors.

In a joint operation launched by the Ukrainian National Police and the German Regional Police, with support from the FBI, the Dutch Police, and Europol’s Joint Cybercrime Action Taskforce (J-CAT), core members of the DoppelPaymer ransomware gang were arrested.

The arrests took place on February 28th, 2023. Europol deployed three experts to Germany to cross-check operational information against the agency’s databases and to conduct crypto tracing, extended investigations, and operational and forensic analysis.

During the operation, a German citizen’s house was raided and extensive searching was carried out in the Ukrainian cities of Kyiv and Kharkiv. During the investigation, a Ukrainian national was also interrogated on suspicion of holding a crucial position in the ransomware group.

The forensic analysis of the confiscated equipment is currently underway. Europol formed a Virtual Command Post for connecting investigators and experts from the USA, Germany, the Netherlands, and Europol in real-time.

Authorities analyzing the seized equipment (Image: Europol)

DoppelPaymer Ransomware Targeted High-Profile Firms

As reported by, the DoppelPaymer ransomware gang is involved in targeted, large-scale attacks against many prominent firms. Visser Precision, a part supplier for Boeing, SpaceX, Lockheed Martin, and Tesla, is among the targets of the notorious ransomware DoppelPaymer.

The hackers targeted the Colorado-based precision parts manufacturer and leaked some of their data on a website. They also asked for a ransom and have been threatening to leak sensitive data of Visser Precision’s clients.

The leaked data includes non-disclosure agreements that the US-based parts manufacturer signed with SpaceX and Tesla. Visser confirmed the criminal cybersecurity incident. The company stated that the incident allowed unauthorized access by attackers who encrypted and stole sensitive data. Visser launched an investigation to detect the security loopholes that had caused the hack.

It is worth noting that Visser’s business operations were not impacted and are functioning normally. The company did not disclose how the attackers managed to invade its computer networks.

The attackers behind this ransomware reportedly targeted 37 firms in Germany, and their US victims had paid 40 million between May 2019 and March 2021.

About DoppelPaymer Malware

CrowdStrike, a cybersecurity firm, reported that this file-encrypting malware first surfaced in April 2019. Its code is quite similar to BitPaymer ransomware, which is linked to a Russian cybercrime group called Indrik Spider aka Evil Corp.

Indrik Spider was formed in 2014 by affiliates of the defunct GameOver Zeus criminal gang. The malware tactics are similar to a Windows-based banking malware, Dridex, equipped with a botnet and info-stealing capabilities.

“However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of Indrik Spider have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation,” the CrowdStrike report read.

The attacks were enabled by Emotet malware, whereas DoppelPaymer was distributed via different channels, such as spam or phishing campaigns, in which the attached documents (VBScript or JavaScript) contained the malware.

In response to the news, Mark Lamb, CEO of, told, “This is another impactful collaboration from law enforcement, tackling a major ransomware gang not long in the wake of the takedown of the Hive ransomware gang.”

“DoppelPaymer has been causing havoc and costing organisations millions for over three years, and it relied on two of the world’s most notorious malware variants – Emotet and Dridex – to initially target businesses before executing the ransomware,” Mark added.

Mark warned that “with DoppelPaymer being a ransomware-as-a-service operation, it is likely there will be many more perpetrators behind the threat that will need to be caught before we can say goodbye to the ransomware for good.”

Mark also hopes that “the seized infrastructure should provide significantly more intelligence to law enforcement and it’s likely others behind the threat will face the heavy hand of the law very soon.”
