
European Authorities Identify Black Basta Operatives, Add Alleged Ringleader to EU Most Wanted List

 

Law enforcement agencies in Ukraine and Germany have identified two Ukrainian nationals suspected of collaborating with the Russia-linked ransomware-as-a-service (RaaS) group known as Black Basta.

Authorities also confirmed that the group’s alleged leader, 35-year-old Russian citizen Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been placed on both the European Union’s Most Wanted list and INTERPOL’s Red Notice database.

"According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware," Ukraine’s Cyber Police said in an official statement.

Investigators revealed that the two suspects allegedly operated as “hash crackers,” focusing on extracting passwords from secured systems using specialized tools. Once credentials were obtained, other members of the ransomware operation infiltrated corporate networks, deployed ransomware, and demanded payment in exchange for restoring access to encrypted data.

Search operations carried out at the suspects’ homes in Ivano-Frankivsk and Lviv resulted in the seizure of digital storage devices and cryptocurrency holdings, authorities said.

Active since April 2022, Black Basta has reportedly attacked more than 500 organizations across North America, Europe, and Australia. The ransomware group is believed to have generated hundreds of millions of dollars in cryptocurrency through extortion payments.

In early 2025, a cache of internal Black Basta chat logs spanning roughly a year surfaced online. The leaked material provided rare insight into the group’s hierarchy, internal communications, key participants, and the security flaws they exploited to gain initial access to victim networks.

Those leaks identified Nefedov as the central figure behind Black Basta, noting that he operated under multiple aliases including Tramp, Trump, GG, and AA. Additional documents alleged that he maintained links with senior Russian political figures and intelligence services, including the FSB and GRU.

Investigators believe Nefedov used these alleged connections to shield his activities and avoid prosecution. Analysis by Trellix later indicated that despite being arrested in Yerevan, Armenia, in June 2024, Nefedov managed to secure his release. Other aliases attributed to him include kurva, Washingt0n, and S.Jimmi. While he is believed to be residing in Russia, his precise location remains unknown.

Further intelligence has linked Nefedov to Conti, the now-defunct ransomware group that emerged in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department announced a $10 million reward for information leading to five individuals associated with Conti, including Target, Tramp, Dandis, Professor, and Reshaev.

Black Basta emerged as an independent operation following the Conti brand’s shutdown in 2022, alongside groups such as BlackByte and KaraKurt. Former Conti affiliates also dispersed to other ransomware operations including BlackCat, Hive, AvosLocker, and HelloKitty, many of which have since ceased activity.

A separate report released this week by Analyst1 highlighted Black Basta’s heavy reliance on Media Land, a bulletproof hosting provider sanctioned by the U.S., U.K., and Australia in November 2025, along with its general director Aleksandr Volosovik, also known as Yalishanda. Despite the sanctions, the group allegedly received preferential, VIP-level service.

"[Nefedov] served as the head of the group. As such, he decided who or which organisations would be the targets of attacks, recruited members, assigned them tasks, took part in ransom negotiations, managed the ransom obtained by extortion, and used it to pay the members of the group," Germany’s Federal Criminal Police Office (BKA or Bundeskriminalamt) stated.

Following the leaks, Black Basta appears to have ceased operations. The group has remained inactive since February and dismantled its data leak site later that month. However, cybersecurity experts caution that ransomware groups often dissolve only to reappear under new identities.

Reports from ReliaQuest and Trend Micro suggest that several former Black Basta affiliates may have transitioned to the CACTUS ransomware operation. This theory is supported by a sharp increase in victims listed on CACTUS’ leak site in February 2025, coinciding with Black Basta’s disappearance.

Ukrainian Police Arrest Suspects Accused of Stealing $4.3M From Victims Across Europe


The Ukrainian police have detained 10 suspects and arrested two for alleged involvement in a cybercrime group that conducted phishing campaigns and took part in fraudulent online marketplaces, stealing more than $4.3 million from over 1,000 users across Europe.

According to Ukraine’s cyber police unit, which collaborated with Czech Republic law enforcement on the bust, the threat group created more than 100 phishing sites to acquire victims’ bank credentials and access to their accounts. 

These websites offered a range of products at prices below market value. But instead of getting a good deal, customers who entered their bank card information to pay for the fraudulent products had their account information stolen, and probably all of their money along with it.

Additionally, the scammers established two Ukrainian call centers, in Vinnytsia and Lviv, and employed operators to persuade clients to make purchases as part of the scam. Too bad they were not helping to defend their country instead of taking advantage of people. According to the police report, the victims include individuals from several European countries such as the Czech Republic, France, Spain, and Portugal. The threat group scammed the victims out of 160 million hryvnias or more, i.e. nearly $4.36 million.

Following the arrests, the Ukrainian police also shared a video showing officers breaking down the doors of a suspect’s residence and an empty call center.

Law enforcement teams carried out around 30 searches in total, covering the houses, cars, and two call centers of the accused, and seized mobile phones, SIM cards, and computer hardware involved in illicit activity.

The two suspected heads of the crime gang are facing up to 12 years in prison on charges of fraud and establishing a criminal organization. The European Union has captured ten more accused gang members, and according to international law enforcement organizations, the investigation is still underway. 

The arrests come after another call center scam case in Europe, announced by Europol in January this year. In that case, European police detained 15 suspects and shut down a multi-country network of call centers selling fake cryptocurrency, which law enforcement said had stolen hundreds of millions of euros or more from victims.