Law enforcement authorities in Ukraine and Germany have identified two Ukrainian nationals suspected of supporting the Russia linked Black Basta ransomware as a service operation. Officials also confirmed that the alleged leader of the group has now been placed on both the European Union Most Wanted list and INTERPOL Red Notice database.
The suspect has been named as Oleg Evgenievich Nefedov, a 35 year old Russian national. According to investigators, he played a central role in managing and coordinating Black Basta’s criminal activities.
Ukraine’s Cyber Police stated that the identified individuals were involved in technical intrusion operations and assisted in preparing ransomware based cyberattacks. Authorities described the suspects as specialized hash crackers, individuals responsible for extracting passwords from protected systems using advanced software tools.
Once valid credentials were obtained, members of the ransomware group reportedly infiltrated corporate networks, deployed ransomware payloads, and demanded payments in exchange for decrypting affected data.
Search operations were carried out at locations in Ivano Frankivsk and Lviv, where investigators seized digital storage devices and cryptocurrency assets believed to be linked to ransomware activity.
Black Basta first appeared in the cyber threat landscape in April 2022 and is believed to have targeted more than 500 organizations across North America, Europe, and Australia. Estimates suggest the group generated hundreds of millions of dollars in cryptocurrency through extortion payments.
In early 2025, leaked internal chat logs provided rare insight into Black Basta’s internal hierarchy, operational methods, and the vulnerabilities exploited to gain initial access. These disclosures identified Nefedov as the group’s leader and revealed that he operated under multiple aliases, including Tramp, Trump, GG, and AA.
Some leaked documents alleged that Nefedov maintained connections with senior Russian political figures and intelligence agencies such as the FSB and GRU, which may have helped shield his operations. A later analysis by Trellix indicated that Nefedov avoided prosecution despite being arrested in Yerevan, Armenia, in June 2024. Additional aliases linked to him include kurva, Washingt0n, and S.Jimmi, although his current location remains unknown.
Investigators have also linked Nefedov to Conti, a ransomware group that emerged in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department announced a $10 million reward for information about five individuals associated with Conti, including Tramp and other known aliases.
Black Basta later emerged as an independent group following the retirement of the Conti brand in 2022. Other former Conti members are believed to have joined ransomware operations such as BlackCat, Hive, AvosLocker, and HelloKitty, all of which have since ceased activity.
A separate report published this week by Analyst1 revealed Black Basta’s heavy dependence on Media Land, a bulletproof hosting provider sanctioned by the United States, the United Kingdom, and Australia in November 2025. The report noted that the group received preferential access to infrastructure services through Media Land and its director Aleksandr Volosovik, also known as Yalishanda.
Germany’s Federal Criminal Police Office stated that Nefedov acted as the head of the organization, selecting targets, recruiting members, assigning tasks, negotiating ransom payments, and distributing proceeds among affiliates.
Following major leaks earlier this year, Black Basta appears to have ceased operations, taking its data leak site offline in February. However, security experts warn that ransomware groups frequently rebrand or merge into new operations.
Reports from ReliaQuest and Trend Micro suggest that former Black Basta affiliates may have transitioned to the CACTUS ransomware operation, citing a sharp increase in victims listed on CACTUS leak sites shortly after Black Basta went dark.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
