Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware group Black Basta and have placed the group’s alleged leader, a Russian national, on an international wanted list, officials said on Thursday.

Black Basta has been active since at least early 2022 and is believed to be responsible for extorting hundreds of companies, hospitals and public institutions worldwide — including Swiss industrial giant ABB and U.S. healthcare provider Ascension — causing hundreds of millions of dollars in estimated damages.

The two Black Basta suspects, who were operating from western Ukraine, allegedly specialized in breaching protected systems and preparing ransomware attacks by extracting login credentials from compromised networks. Police described them as so-called “hash crackers,” responsible for recovering passwords from stolen data using specialized software.

The stolen credentials were later used to gain unauthorized access to internal corporate systems, escalate privileges within networks, steal sensitive data and deploy ransomware designed to encrypt systems and extort cryptocurrency payments from victims.

Digital storage devices and cryptocurrency assets were seized during searches at the suspects’ homes in Ukraine’s Ivano-Frankivsk and Lviv regions. Ukrainian prosecutors said analysis of the seized material is ongoing.

Alleged ringleader

Germany’s Federal Criminal Police Office (BKA) identified the suspected leader of the group as Oleg Nefedov, a 36-year-old Russian national, who is wanted on suspicion of forming a criminal organization abroad, large-scale extortion and related cyber offenses.

As the group’s alleged ringleader, Nefedov is suspected of selecting targets, recruiting members, assigning tasks, negotiating ransom payments and distributing proceeds obtained through extortion. Ransoms were typically demanded in cryptocurrency.

Authorities said he operated under multiple online aliases — including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi — and may also have had ties to another notorious ransomware group, Conti.

German police said Nefedov is believed to be in Russia, although his exact whereabouts are unknown. He has been placed on an international wanted list through Interpol.

Last February, internal chat logs belonging to Black Basta were leaked, revealing the group’s internal structure and day-to-day operations. The leaked material reportedly contained identifying details about individuals involved in the scheme.

Researchers previously said that several members of the Black Basta crew previously belonged to a criminal network that operated the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan. More than a dozen individuals linked to those operations have since been publicly identified and sanctioned by Western authorities.