Ukrainian and German authorities announced on Thursday that they have identified suspects associated with the Russia-linked ransomware group Black Basta. An international manhunt has now commenced for additional perpetrators involved in the group's activities.
According to the official website of Ukraine’s cyber police unit, two Ukrainian nationals have been identified as active members of the group. An unnamed Russian citizen is alleged to be the organizer and has been placed on an international wanted list through Interpol, as confirmed by German authorities.
These actions are the result of a joint investigation involving Ukraine, Germany, Switzerland, the Netherlands, and the United Kingdom. Europol, which also provided support to the probe, has characterized Black Basta as one of the most dangerous cybercrime operations in recent years.
Russian-Based Ransomware Network Involved in Years of Cyberattacks
Ukraine's investigative unit reports that Black Basta has been active since at least early 2022. The group is accused of launching ransomware attacks against corporations, hospitals, and public institutions in Western countries it deems "economically viable."
Between 2022 and 2025, the group is believed to have caused damages estimated in the hundreds of millions of euros to industrial and healthcare organizations in Europe and the United States. They are also accused of distributing private information to hacking networks.
The two Ukrainian suspects reportedly established their base in western Ukraine, collaborating with other hackers to breach the security of corporate systems and extract login credentials. After obtaining employee authorization data, they used it to gain access to internal company systems, expand administrative privileges, and access company files.
The stolen access was then utilized to disable critical systems. Malicious software was deployed to encrypt data, enabling the attackers to demand ransom in exchange for restoring access.
Raids in Western Ukraine Uncover Digital and Crypto Evidence
As reported by the Ukrainian police, authorized searches were conducted at residences in the Ivano-Frankivsk and Lviv regions, believed to be the locations where the cybercriminals lived. During these raids, officers seized cryptocurrency, though the value or type of digital assets confiscated was not disclosed.
Authorities had previously carried out searches in Kharkiv and surrounding areas, targeting other suspected group members, at the request of foreign partners. The German investigations team believes a Russian national founded and led the group, and that this individual was also part of another notorious ransomware and cyber-extortion operation.
The wanted notice was issued through Interpol channels at the request of Germany’s Federal Criminal Police Office and Frankfurt prosecutors.
"Black Basta is a top-tier cybercrime threat, posing a significant risk to global cybersecurity. Law enforcement agencies from multiple countries are collaborating to address this threat," Ukraine's cyber police stated in its announcement.
Concluding their report on the case, the agencies reiterated that no single country can dismantle such networks alone and urged more nations to facilitate intelligence sharing.
Ukraine and Russia’s Crime Syndicate Extends to Austria
Approximately two months prior, Austrian police arrested two suspects linked to a fatal crypto robbery. These suspects were identified as Ukrainian men, aged 19 and 45.
The victim was a 21-year-old Ukrainian national whose body was discovered burned shortly after midnight on November 26. The remains were found inside a burned Mercedes with Ukrainian license plates in the Donaustadt district of Vienna.
Upon arrival at the scene, emergency responders found the charred vehicle. Forensic police later recovered a melted gasoline canister from the back seat.
According to reports from local news outlets, the crime began earlier that night near the SO/Vienna hotel in an underground parking garage. Security footage captured a confrontation between the victim and two men, and witnesses reported a loud exchange of words in the garage.
A hotel guest contacted the front desk, which then alerted the police. However, officers arrived well after the individuals had already left the scene. The victim was reportedly forced into his own vehicle and driven to the Donaustadt district. He was then assaulted and compelled to surrender passwords to two cryptocurrency wallets, which were subsequently emptied.
Austrian media reported that the victim suffered severe injuries during the assault and died before the vehicle was set on fire.