Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta.
In addition, authorities added the group’s alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), to the European Union’s Most Wanted and INTERPOL’s Red Notice lists.
“According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware,” the Cyber Police of Ukraine said in a statement.
Specifically, the agency said the accused individuals functioned as “hash crackers,” who specialize in extracting passwords from information systems using specialized software. Once they obtained credential information, members of the ransomware group broke into corporate networks, ultimately deployed ransomware, and extorted money in exchange for recovering the encrypted information.
As part of the investigation, authorities conducted searches at the defendants’ residences located in Ivano-Frankivsk and Lviv, allowing them to seize digital storage devices and cryptocurrency assets.
Black Basta’s Emergence and Financial Impact
Black Basta first emerged in the threat landscape in April 2022, and researchers say the group targeted more than 500 companies across North America, Europe, and Australia. The ransomware group reportedly earned hundreds of millions of dollars in cryptocurrency from illicit payments.
Early last year, a year’s worth of internal chat logs from Black Basta leaked online, offering a glimpse into the group’s inner workings, its structure and key members, and the various security vulnerabilities exploited to gain initial access to organizations of interest.
The leaked dossier also unmasked Nefedov as Black Basta’s ringleader, adding that he goes by various aliases, such as Tramp, Trump, GG, and AA. Some documents alleged that Nefedov had ties to high-ranking Russian politicians and intelligence agencies, including the FSB and GRU.
Arrests, Aliases, and Elusive Whereabouts
Investigators believe Nefedov leveraged these connections to protect his operations and evade international justice. A subsequent analysis from Trellix revealed that Nefedov secured his freedom despite getting arrested in Yerevan, Armenia, in June 2024. His other aliases include kurva, Washingt0n, and S.Jimmi. Although Nefedov is said to be in Russia, his exact whereabouts remain unknown.
Furthermore, evidence links Nefedov to Conti, a now-defunct group that sprang forth in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware group. They included Target, Tramp, Dandis, Professor, and Reshaev.
It’s worth mentioning here that Black Basta surfaced as an autonomous group, alongside BlackByte and KaraKurt, following the retirement of the Conti brand in 2022. Other members joined groups like BlackCat, Hive, AvosLocker, and HelloKitty, all of which are no longer active.
More recently, a detailed report published by Analyst1 this week uncovered Black Basta’s extensive reliance on Media Land, a bulletproof hosting service provider sanctioned by the U.S., the U.K., and Australia in November 2025, along with its general director Aleksandr Volosovik (aka Yalishanda). Reports indicate the group acquired infrastructure through Media Land and received VIP treatment.
Leadership Role Confirmed by German Authorities
“[Nefedov] served as the head of the group. As such, he decided who or which organisations would be the targets of attacks, recruited members, assigned them tasks, took part in ransom negotiations, managed the ransom obtained by extortion, and used it to pay the members of the group,” Germany’s Federal Criminal Police Office (BKA or Bundeskriminalamt) said.
Ultimately, the leaks appear to have led to Black Basta’s demise, with the group remaining silent after February and taking down its data leak site later that month. However, with ransomware gangs known to shut down, rebrand, and reemerge under a different identity, observers would not be surprised if members of the erstwhile criminal syndicate pivot to other ransomware groups or form new ones.
Indeed, according to reports from ReliaQuest and Trend Micro, analysts suspect that several former Black Basta affiliates migrated to the CACTUS ransomware operation — an assessment based on a massive spike in organizations named on the latter’s data leak site in February 2025, coinciding with Black Basta’s site going offline.
Source: TheHackerNews