Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of involvement with the Russia-linked ransomware-as-a-service group Black Basta, according to official statements. The group’s alleged leader, 35-year-old Russian national Oleg Evgenievich Nefedov, has been added to both the European Union’s Most Wanted list and INTERPOL’s Red Notice database. Investigations indicate that the suspects specialized in technical hacking and were responsible for preparing ransomware attacks, acting as “hash crackers” who extracted passwords from protected systems to gain unauthorized access to corporate networks.
Authorities reported that the defendants’ residences in Ivano-Frankivsk and Lviv were searched, resulting in the seizure of digital storage devices and cryptocurrency assets. Black Basta emerged in April 2022 and has reportedly targeted over 500 organizations across North America, Europe, and Australia, generating hundreds of millions of dollars in cryptocurrency from ransom payments. Leaked internal chat logs from the group provided insights into its operations, revealing Nefedov’s role as ringleader and his use of multiple aliases, including Tramp, Trump, GG, and AA. Some reports suggest he maintained connections with high-ranking Russian officials and intelligence agencies, which were allegedly leveraged to protect operations and evade capture.
Nefedov has also been linked to Conti, a ransomware group that evolved as a successor to Ryuk in 2020. Several former Conti members were reportedly involved in Black Basta and, after Conti’s retirement, subsequently moved to other groups, including BlackCat, Hive, AvosLocker, and HelloKitty. Despite being arrested in Yerevan, Armenia, in June 2024, Nefedov managed to secure his release and is currently believed to remain in Russia, though his exact location is unknown. Analysts note that former Black Basta affiliates are suspected to have joined the CACTUS ransomware operation, indicating the continued mobility of threat actors across the ransomware ecosystem.
The investigation further highlighted Black Basta’s reliance on Media Land, a bulletproof hosting provider sanctioned by the US, UK, and Australia in November 2025. According to Germany’s Federal Criminal Police Office, Nefedov directly managed group operations, deciding targets, recruiting members, negotiating ransoms, and distributing funds. The group reportedly ceased activity after February, taking down its data leak portal, though experts caution that ransomware gangs often rebrand or join new operations. The recent developments underscore ongoing efforts by law enforcement agencies to disrupt international cybercrime networks and track digital assets tied to ransomware activity.