Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta.
In addition, the group’s alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union’s Most Wanted and INTERPOL’s Red Notice lists, authorities noted.
“According to the investigation, the suspects specialized in technical hacking of protected systems and were involved in preparing cyberattacks using ransomware,” the Cyber Police of Ukraine said in a statement.
The agency said the accused individuals functioned as “hash crackers,” who specialize in extracting passwords from information systems using specialized software. Once the credential information was obtained, members of the ransomware group broke into corporate networks and ultimately deployed ransomware and extorted money to recover the encrypted information.
Authorities conducted searches at the defendants’ residences located in Ivano-Frankivsk and Lviv, allowing them to seize digital storage devices and cryptocurrency assets.
Black Basta first emerged in the threat landscape in April 2022, and is said to have targeted more than 500 companies across North America, Europe, and Australia. The ransomware group is estimated to have earned hundreds of millions of dollars in cryptocurrency from illicit payments.
Early last year, a year’s worth of internal chat logs from Black Basta leaked online, offering a glimpse into the group’s inner workings, its structure and key members, and the various security vulnerabilities exploited to gain initial access to organizations of interest.
The leaked dossier also unmasked Nefedov as Black Basta’s ringleader, adding he goes by various aliases, such as Tramp, Trump, GG, and AA. Some documents alleged that Nefedov had ties to high-ranking Russian politicians and intelligence agencies, including the FSB and GRU.
Nefedov is believed to have leveraged these connections to protect his operations and evade international justice. A subsequent analysis from Trellix revealed that Nefedov was able to secure his freedom despite getting arrested in Yerevan, Armenia, in June 2024. His other aliases include kurva, Washingt0n, and S.Jimmi. Although Nefedov is said to be in Russia, his exact whereabouts are unknown.
Furthermore, there is evidence linking Nefedov to Conti, a now-defunct group that sprang forth in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware group. They included Target, Tramp, Dandis, Professor, and Reshaev.
It’s worth mentioning here that Black Basta surfaced as an autonomous group, alongside BlackByte and KaraKurt, following the retirement of the Conti brand in 2022. Other members joined groups like BlackCat, Hive, AvosLocker, and HelloKitty, all of which are now no longer active.
Another detailed report published by Analyst1 this week also uncovered Black Basta’s extensive reliance on Media Land, a bulletproof hosting service provider that was sanctioned by the U.S., the U.K., and Australia in November 2025, along with its general director Aleksandr Volosovik (aka Yalishanda). The infrastructure acquired through Media Land notwithstanding, it’s said the group was given VIP treatment.
“[Nefedov] served as the head of the group. As such, he decided who or which organisations would be the targets of attacks, recruited members, assigned them tasks, took part in ransom negotiations, managed the ransom obtained by extortion, and used it to pay the members of the group,” Germany’s Federal Criminal Police Office (BKA or Bundeskriminalamt) said.
The leaks have led to Black Basta’s apparent demise, with the group remaining silent after February and taking down its data leak later that month. But with ransomware gangs known to shut down, rebrand, and reemerge under a different identity, it won’t be surprising if members of the erstwhile criminal syndicate pivot to other ransomware groups or form new ones.
Indeed, per reports from ReliaQuest and Trend Micro, it’s suspected that several of the former Black Basta affiliates might have migrated to the CACTUS ransomware operation – an assessment based on the fact that there was a massive spike in organizations named on the latter’s data leak site in February 2025, coinciding with Black Basta’s site going offline.
