
Police arrest suspected members of prolific DoppelPaymer ransomware gang

An international law enforcement operation has led to the arrests of suspected core members of the prolific DoppelPaymer ransomware operation.

German and Ukrainian police, working with law enforcement partners including Europol and the U.S. Federal Bureau of Investigation (FBI), said they took action last month against the notorious group blamed for numerous large-scale attacks since 2019.

German police said they raided the house of a German national believed to have played a “major role” in the DoppelPaymer ransomware group. At the same time, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a core member of the Russia-linked ransomware operation. The authorities say they are analyzing the equipment seized during the raids to determine the suspects’ exact role and links to other accomplices.

A police raid in Germany involving a suspected member of the DoppelPaymer ransomware gang. Image Credits: Europol

German police have also released arrest warrants for three additional suspects based in Russia: Igor Turashev, Igor Garshin and Irina Zemlyanikina. Turashev, who is also wanted by the FBI for his alleged role in the sanctioned Evil Corp hacking group, is accused of “having committed acts of blackmail and computer sabotage in particularly serious cases.”

German police said DoppelPaymer had targeted at least 601 companies worldwide, including a total of 37 organizations in Germany. Europol added that victims in the United States — the exact number of which was not shared — paid out at least €40 million (about $42.5 million) to the gang between May 2019 and March 2021.

One of the most serious attacks carried out by the gang targeted University Hospital in Düsseldorf. The subsequent failure of critical systems caused delays in emergency treatment, including the death of a 78-year-old patient, possibly the first death caused by ransomware.

Other DoppelPaymer victims include Visser, a parts manufacturer for Tesla and SpaceX; Kimchuk, a medical and military electronics maker; and manufacturing giant Foxconn.

DoppelPaymer ransomware, which was the subject of an FBI warning in December 2020, is believed to be the successor to BitPaymer, a similar variant of ransomware linked to Evil Corp. According to reports, DoppelPaymer has since rebranded to “Grief.”

Updated with more from German authorities.
