The Day Europol Finally Caught DoppelPaymer

Added: 2026-05-07

[00:00:00]On the morning of September 10th, 2020, [music] a hospital in Germany woke up and couldn't turn on its computers. Not some of them, all of them. 30 servers encrypted overnight. Patient records, surgical schedules, diagnostic systems, gone. And somewhere in the city, [music] a 78-year-old woman was being loaded into an ambulance pointed at the wrong hospital. She died before she got there.

[00:00:27]When investigators traced back what [music] happened, they found something that stopped them cold. The people who did this, the moment they found out it was a hospital, handed everything back.

[00:00:38][music] No payment, no conditions, just a decryption key, and then [music] silence. They panicked. But there's something nobody tells you about this story. [music] A prosecutor looked at all of it, the attack, the death, the chain of events, and said one thing before closing the case. It's only a matter of time. Five years later, in front of the United States Congress, someone [music] finally said what he meant. Before we get to the hospital, you need to understand who built [music] the weapon. DoppelPaymer had been running since 2019.

[00:01:12]By the time investigators [music] caught up with them, they had hit at least 601 victims across the world. American victims alone paid them over 40 million euros. They operated like a company, structured, professional, reportedly offering paid vacation to new recruits, connected to Russian criminal infrastructure, and operating by a loose [music] convention shared among several ransomware groups at the time. Hospitals were supposed to be off-limits. [music] That convention did not survive contact with a misconfigured server. The attack on Düsseldorf University Hospital didn't start in September 2020. [music] It started in December 2019. A vulnerability in a piece of software called Citrix, used by thousands of institutions worldwide, was discovered and published. Security researchers nicknamed it Shitrix. It allowed an attacker to get inside a network remotely with no username, no password, [music] no authentication at all, just a door left open. Citrix issued a patch in January 2020. The hospital applied it.

[00:02:21]Too late. Attackers had already slipped through before the patch arrived and planted a backdoor inside the hospital's network. Then they left. It sat there silently for 9 months. No alarms, [music] no alerts. Staff walked past it every day without knowing it existed. Those 9 months were December 2019 to September 2020, the entire first year of COVID.

[00:02:47]Every hospital in the world was overwhelmed. Security teams were stretched, staff were redeployed or burning out, and somewhere inside Düsseldorf's network, a door was open that nobody had time to look for. In September 2020, someone activated it.

[00:03:04]The hospital had done everything right.

[00:03:06]They patched when told to patch. They just patched 4 weeks after it mattered.

[00:03:12]September 10th, 2020, early morning, Düsseldorf. Staff arriving for their shifts found [music] nothing working.

[00:03:19]Screens dark, systems unresponsive. The tools they used to look up drug allergies, check surgical histories, monitor patients in real time, all of it gone. Everything that normally ran quietly in the background of a functioning hospital had simply stopped.

[00:03:37]They switched to paper. They made phone calls instead of pulling [music] up records. They worked around it because that is what hospital staff do. But working around it meant working blind.

[00:03:48]30 servers encrypted overnight. Patient records, surgical schedules, diagnostic systems, gone. Düsseldorf University Hospital had no choice but to shut down the emergency department entirely.

[00:04:02]Ambulances were told to go elsewhere.

[00:04:05]That morning, a 78-year-old woman collapsed with an aortic aneurysm. The ambulance that came for her was sent 30 km away. The journey took an hour longer than it should have. She died before she got there. When investigators got into the encrypted servers, they found a ransom note. It was addressed to Heinrich Heine University, not the hospital, the university next door. The attackers had made a mistake. They thought they were hitting a research institution. [music] They had encrypted a hospital instead.

[00:04:39]And somewhere in that hospital, a woman was being loaded into an ambulance pointed [music] at the wrong city.

[00:04:46]Police used the contact details in the ransom note to reach the attackers directly. They told them, "You didn't hit a university. You hit a hospital.

[00:04:56]Patients are in danger." The response was immediate. The attackers handed over the decryption key. No payment, no negotiation, no conditions. They gave it back for free [music] the moment they understood what they'd done. Then they went completely silent and have never been heard from since. By then, it was too late. A week after the attack, German police announced they had opened a homicide investigation, specifically >> [music] >> negligent homicide. The theory was straightforward. The attackers encrypted the hospital. The hospital diverted the ambulance. The woman died because of the diversion. The chain of events ran directly back to whoever typed the commands that locked those 30 servers.

[00:05:44]The New York Times called it the first known death from a cyber [music] attack.

[00:05:49]The BBC ran it the same way. Ransomware gangs had been hitting hospitals for years. Everyone in security had been saying it was only a matter of time.

[00:05:58][music] Now, it seemed they had their first confirmed victim. And for the first time, there was a real possibility that the people responsible would be charged [music] with killing her. But something happened in that investigation that nobody expected. The lead prosecutor was a man named Markus Hartmann. The investigation [music] ran for 2 months.

[00:06:21]Medical consultations, forensic analysis, a minute-by-minute reconstruction of that night. In November 2020, he gave his conclusion.

[00:06:30]The woman had been critically ill when the ambulance arrived. Her aneurysm was severe enough that she would not have survived even if she'd reached Düsseldorf University Hospital immediately. The hour-long diversion made no medical difference. She was already beyond saving. The homicide investigation [music] was dropped.

[00:06:47]Headlines ran again. The death wasn't caused by ransomware. The worst hadn't come true after all. Hartmann didn't see it that way. He told Wired, "Where the patient is suffering from a slightly less severe condition, the attack can certainly be a decisive factor." He wasn't saying the danger had passed. He was saying this woman had been too sick for the delay to matter, and that the [music] next patient might not be. He closed the case. Then he waited.

[00:07:14]DoppelPaymer kept going. In 2021, they hit the Netherlands Organization for Scientific Research, causing 4.5 million euros in damage.

[00:07:23]>> [music] >> They rebranded. They kept extorting. In February 2023, police in Germany and Ukraine, working with Europol and the FBI, arrested two suspected core members in simultaneous raids. Three others were named on international arrest warrants, Igor Turashev, Irina Vyacheslavovna Nikitina, Igor Garshin. All believed to be inside Russia. All three added to Europe's most wanted list. In May [music] 2025, a fourth suspect was caught in Moldova and is being extradited to the Netherlands.

[00:07:54]As of today, the three Russian nationals remain at large, and no court anywhere has [music] charged any of them with the death in Düsseldorf or any death anywhere. Because in most [music] countries, the law has no mechanism to do that. That's the gap Hartmann identified in 2020. Five years later, it was still open, and it had already been tested once America, a year before Düsseldorf. In July 2019, a woman named Teiranni Kidd arrived at Springhill Medical Center in Mobile, Alabama to give birth. She wasn't told that the hospital was in the middle of a ransomware attack. The fetal monitors weren't feeding data to the nurses' station. The wireless systems used to locate staff [music] were down. The records that should have flagged her daughter's condition, the umbilical cord wrapped around her neck, never reached the [music] doctor in time. Her daughter was born with severe brain damage. She died months later. Kidd filed a lawsuit, the first in the world claiming a ransomware attack had caused a patient's death. The hospital eventually settled for an undisclosed [music] amount. No criminal charges were ever filed against the attackers. Under the law as it existed, there was nothing to file. That case was in 2019.

[00:09:06]>> [music] >> Hartmann dropped the Düsseldorf case in 2020. And researchers had started trying to measure exactly what was living inside the gap between them. Academics at the University of Minnesota spent years studying the effect of ransomware attacks [music] on Medicare patients across the United States between 2016 and 2021. Their conclusion, somewhere between 42 and 67 patients likely died as a result of hospital ransomware attacks during that period. The study is disputed. It's not peer-reviewed. The causation is statistical rather than provable case by case. But that's exactly the point. The deaths were already happening. They were just happening in a way that left no fingerprints. No ambulance diversion to trace. No single victim to identify, just a signal in the mortality data.

[00:10:01]Something was making hospitals deadlier, and it lined up with the ransomware attacks. In February 2026, a ransomware gang hit the University of Mississippi Medical Center, the only level one trauma center in the state, the only children's hospital, the only organ transplant program. All 35 of its clinics closed simultaneously. Surgeries canceled, electronic [music] records offline for 9 days. A 55-year-old man drove 3 hours for chemotherapy and was turned away at the door. No deaths were confirmed, but unconfirmed [music] doesn't mean zero. 3 days after the Mississippi attack, a former FBI official named Cynthia Kaiser sat down in front of the House Homeland Security Committee.

[00:10:49]>> [music] >> She had spent two decades at the bureau, most recently as deputy assistant [music] director of the cyber division.

[00:10:56]She told Congress that hospital ransomware attacks had [music] nearly doubled in 1 year, 238 in 2024, 460 in 2025. [music] That the number of patient deaths was, in her assessment, almost certainly in the hundreds.

[00:11:13]>> [music] >> And she said that federal prosecutors should be empowered to evaluate, in cases where ransomware [music] actors targeted hospitals, where deaths resulted, where the actors had clear foreknowledge that lives were at risk, whether homicide charges were appropriate. Her exact words, "Felony murder law does not require that a descendant pulled the [music] trigger, or read that they commit a dangerous felony that results in death. Not disruption, not [music] computer fraud, homicide." The word Hartmann had been circling for 5 years, but before Mississippi, before [music] Kaiser's testimony, something had already happened in London that made this conversation unavoidable. June 3rd, 2024. A ransomware group called Chelon attacked Synnovis, [music] a pathology provider serving NHS hospitals across Southeast London. Blood testing across the city ground to a halt. Because matching was impossible, hospitals had to use universal donor blood, draining national blood stocks to critical levels. More than 10,000 appointments canceled, over 1,700 elective procedures postponed, nearly 500 patient safety incidents recorded. Cancer treatments delayed. The stolen data, [music] patient names, NHS numbers, HIV diagnoses, cancer results, STI results.

[00:12:34]The most private moments of people's medical lives published publicly on the dark web with their names and NHS numbers attached as leverage. That was not [music] a side effect of the attack.

[00:12:46]It was the threat. DoppelPaymer hit Düsseldorf by mistake and handed the key back for free the moment they understood what they'd done. Chelon was told they were hitting hospitals. They said that was the point. In June 2025, King's College Hospital NHS Foundation Trust completed [music] its investigation into a patient who had died during the attack. A detailed clinical review found multiple contributing factors. Among them, a long wait for a blood test result caused by the cyber attack on Synnovis. It was the first time any hospital trust, anywhere in the [music] world, had officially confirmed that a ransomware attack contributed to a patient's [music] death. Marcus Hartmann said it would happen eventually. It took 5 years. It happened in London, not Germany, and the group responsible [music] didn't panic, didn't hand anything back, and didn't go silent.

[00:13:38]They said it wasn't accidental. Hartmann has not commented publicly on the London case, the man [music] who predicted it, who closed the first investigation and said the next patient might not be so sick. He has said nothing since it happened. Maybe there is nothing left to say. He was right. The outcome he described arrived exactly as he described it. What follows from that is no longer a prosecutor's question. Here is where things stand today. There is a confirmed case, officially documented, of a ransomware attack contributing to a patient's death. There is a former FBI official who told Congress the perpetrators of attacks like that one should face [music] homicide charges.

[00:14:20]There is a legal argument, federal felony murder law, that she says already exists to prosecute them. And there are three men on Europe's most wanted list, believed [music] to be inside Russia, who have never been charged with anything connected to the woman who died in Düsseldorf [music] on the morning of September 10th, 2020. Hartmann asked the right question 5 years before Washington got around to it.

[00:14:43]>> [music] >> Nobody has answered it yet.