DoppelPaymer Ransomware Core Members and Medicare Beneficiary Identifier Theft Conspirator Arrested

DoppelPaymer Ransomware Core Members Arrested in Europol-Driven Operation

Two individuals alleged to be key members of the DoppelPaymer ransomware group were detained: one by police in Germany and the other by Ukrainian police officers working alongside the German Regional Police. The coordinated law enforcement operation was led by Europol, with the Federal Bureau of Investigation (FBI) and the Dutch Police (Politie) also taking part.

Coordinated raids were carried out at several locations in Germany and Ukraine, leading to the two arrests and the seizure of IT equipment believed to have been used in multiple attacks worldwide. The equipment is currently being examined by forensic investigators.

DoppelPaymer ransomware first appeared in 2019. Since then, the ransomware has been used in many cyberattacks on critical infrastructure organizations, firms, and private businesses. The ransomware is derived from BitPaymer ransomware, which is related to the Dridex malware family. The DoppelPaymer group worked with the Emotet malware group and used its botnet to distribute ransomware payloads. The group also used phishing emails with malicious attachments to gain initial access to victims’ systems. DoppelPaymer employed double extortion tactics, exfiltrating sensitive data before encrypting files and then demanding a ransom both for the decryption keys needed to recover the encrypted files and for a promise not to publish the stolen data on the group’s data leak websites.

DoppelPaymer was rebranded as Grief in July 2021, and attacks continued at a reduced level from then on. Activity peaked at the end of 2019 and the beginning of 2020, after which the attack rate fell to just a couple of attacks per month. Recently, attacks have been carried out at a minimal level.

Although DoppelPaymer was not one of the most prolific ransomware operations, German authorities stated that they are aware of no fewer than 37 attacks in the country, including one on University Hospital in Düsseldorf. According to the FBI, attacks in the United States generated $42 million in ransom payments between May 2019 and March 2021. The group was responsible for attacks on Compal, Kia Motors America, Delaware County in Pennsylvania, and Foxconn. Its main targets were believed to be organizations in healthcare, education, and emergency services.

The person detained in Germany is believed to be a key member of the group. Police authorities in Ukraine also questioned another alleged key member, which led to raids on two locations in Kyiv and Kharkiv and the seizure of IT equipment.

Europol stated that the data collected during the operation will likely lead to further investigative activities. German law enforcement authorities believe the DoppelPaymer operation had five key members, who were responsible for maintaining the group’s infrastructure and data leak websites, deploying the ransomware, and managing ransom negotiations. Arrest warrants were issued for the three people listed below:

Igor Garshin/Garschin – a suspect believed to be involved in reconnaissance, breaching victim systems, and deploying DoppelPaymer ransomware.

Igor Olegovich Turashev – a suspect believed to have played a key role in the cyberattacks in Germany. He is thought to be an administrator in charge of the infrastructure and malware.

Irina Zemlianikina – a suspect believed to be responsible for the initial stages of the attacks, including sending phishing emails, managing the chat system and data leak websites, and publishing stolen information.

Turashev, a Russian national, is also wanted by the FBI for his alleged role in administering the Dridex malware. He was charged in November 2019 with conspiracy, bank fraud, wire fraud, conspiracy to commit fraud, and intentional damage to a computer system, and the FBI issued a warrant for his arrest in December 2019.

Man Involved in Medicare Beneficiary Identifier Trafficking Case Due for Sentencing

The Department of Justice has reported a prosecution under the Medicare Access and CHIP Reauthorization Act of 2015 involving the theft and sale of Medicare Beneficiary Identifiers.

The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) required the Centers for Medicare and Medicaid Services (CMS) to remove Social Security numbers from all Medicare cards and replace them with Medicare Beneficiary Identifiers, in order to protect against fraud, combat identity theft, and safeguard taxpayer dollars. MACRA also made it unlawful to buy, sell, or transmit Medicare Beneficiary Identifiers without appropriate authorization.

Unlike Social Security numbers, Medicare Beneficiary Identifiers cannot be used on their own for general identity theft; however, they can be used for healthcare identity theft. The recent prosecution of a Florida man shows that these unique identifiers are being stolen and offered for sale on the black market.

Charles William McElwee, 36, of South Florida, is a marketing professional and CEO of Lead Junkies LLC. He was arrested for his suspected involvement in a scheme to defraud Medicare and recently pleaded guilty to conspiring to sell the Medicare Beneficiary Identifiers and other personally identifiable information (PII) of more than 2.6 million Medicare beneficiaries in a $310,000 Medicare fraud scheme.

Under the plea agreement, McElwee pleaded guilty to one count of conspiracy to violate MACRA and admitted that he and his co-conspirators used data mining and social engineering techniques to obtain Medicare Beneficiary Identifiers and other personal data, which were then advertised and sold online. The data obtained and trafficked included beneficiary names, dates of birth, addresses, Medicare beneficiary ID numbers, and Social Security numbers. Several of the co-conspirators were foreign actors, including individuals in the Philippines.

The case was investigated by HHS-OIG in Miami and the FBI Miami field office, and prosecuted by Assistant U.S. Attorney Jon Juenger. McElwee is due to be sentenced on April 7, 2023, and faces a maximum of 5 years in federal prison.

Posted by Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums, focusing on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.