Ukrainian and German investigators have uncovered the identities of two Ukrainian nationals believed to be involved with Black Basta, a ransomware-as-a-service operation linked to Russia.
Authorities also announced that the group’s suspected leader, 35-year-old Russian citizen Oleg Evgenievich Nefedov, has been placed on both the European Union’s Most Wanted list and INTERPOL’s Red Notice database.
According to Ukraine’s Cyber Police, the suspects focused on breaching secured systems and supporting ransomware attacks. Investigators say their role centered on technical intrusion and attack preparation rather than direct negotiations with victims.
Law enforcement described the two individuals as “hash crackers,” specialists who extract passwords from protected systems using advanced software tools. Once credentials were recovered, other members of the group gained access to corporate networks, deployed ransomware, and demanded payment to restore encrypted data.
Searches carried out at properties in Ivano-Frankivsk and Lviv led to the seizure of digital devices and cryptocurrency holdings believed to be connected to the criminal activity.
Black Basta surfaced in April 2022 and quickly became a major player in the ransomware ecosystem, reportedly attacking more than 500 organizations across North America, Europe, and Australia. Estimates suggest the group generated hundreds of millions of dollars in cryptocurrency through extortion payments.
In early 2024, a year’s worth of internal Black Basta chat logs leaked online, exposing the group’s internal structure, operational methods, and exploited security weaknesses. The leak also identified Nefedov as the group’s leader, revealing that he operated under multiple aliases, including Tramp, Trump, GG, and AA.
Some leaked materials alleged that Nefedov maintained connections with senior Russian political figures and intelligence services, including the FSB and GRU. Investigators believe these relationships may have helped shield him from prosecution.
Further analysis by Trellix indicated that Nefedov was briefly detained in Yerevan, Armenia, in June 2024 but was later released. Although he is believed to be in Russia, his exact location remains unknown. Additional aliases attributed to him include kurva, Washingt0n, and S.Jimmi.
There is also evidence linking Nefedov to Conti, a now-defunct ransomware group that emerged in 2020 as a successor to Ryuk. In August 2022, the U.S. State Department offered a $10 million reward for information on five individuals tied to Conti, including figures known as Target, Tramp, Dandis, Professor, and Reshaev.
Following the shutdown of the Conti brand in 2022, Black Basta emerged as an independent operation alongside groups such as BlackByte and KaraKurt. Other former Conti members reportedly joined ransomware crews like BlackCat, Hive, AvosLocker, and HelloKitty, many of which are no longer active.
Germany’s Federal Criminal Police Office stated that Nefedov acted as the group’s central decision-maker. Investigators say he selected targets, recruited members, assigned roles, took part in ransom talks, controlled extorted funds, and handled payouts to affiliates.
After the internal leaks became public, Black Basta appeared to collapse. The group stopped communicating after February and removed its data leak site shortly afterward. However, ransomware groups often dissolve only to resurface under new names.
Security firms ReliaQuest and Trend Micro report signs that former Black Basta affiliates may have shifted to the CACTUS ransomware operation. This assessment is based on a sharp rise in victims listed on CACTUS’s leak site in February 2025, which coincided with Black Basta’s sudden disappearance.