Ukrainian and German law enforcement officials have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta.
Additionally, the group’s alleged leader, 35-year-old Russian citizen Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the EU’s most wanted and Interpol’s red notice lists, officials noted.
“According to the investigation, the suspects were experts in technical hacking of protected systems and were involved in the preparation of cyberattacks using ransomware,” Ukraine’s cyber police said in a statement.
The agency said the accused persons work as “hash crackers”, who specialize in extracting passwords from information systems using special software. Once the credentials were obtained, members of the ransomware group breached corporate networks, ultimately deployed the ransomware, and extorted money in exchange for recovering the encrypted information.
Authorities conducted searches at the defendants’ residences located in Ivano-Frankivsk and Lviv, allowing them to seize digital storage devices and cryptocurrency assets.
Black Basta first emerged in the threat landscape in April 2022, and is said to have targeted more than 500 companies in North America, Europe, and Australia. The ransomware group is estimated to have made millions of dollars in cryptocurrencies from illegal payments.
Early last year, a year’s worth of Black Basta’s internal chat logs were leaked online, providing a glimpse into the inner workings of the group, its structure, key members, and the various security vulnerabilities used to gain initial access to organizations of interest.
The leaked documents also exposed Nefedov as the leader of Black Basta, saying he goes by various aliases such as Tramp, Trump, GG and AA. Some documents alleged that Nefedov had ties to high-ranking Russian politicians and intelligence agencies, including the FSB and GRU.
Nefedov is believed to have taken advantage of these connections to protect his actions and avoid international justice. A subsequent analysis of the trails revealed that Nefedov was able to secure his freedom, despite being arrested in June 2024 in Yerevan, Armenia. His other aliases include Kurva, Washingtonton and S.Jimmy. Although Nefedov is said to be in Russia, his exact whereabouts are unknown.
Additionally, there is evidence linking Nefedov to Conti, a now-defunct group that emerged in 2020 as Ryuk’s successor. In August 2022, the US State Department announced a $10 million reward for information leading to five individuals associated with the Conti ransomware group. They included Target, Tramp, Dandis, Professor and Reshaev.
It is worth mentioning here that after the retirement of the Conti brand in 2022, Black Basta emerged as an autonomous group along with BlackByte and Karakurt. Other members joined groups such as BlackCat, Hive, AvosLocker and HelloKitty, all of which are no longer active.
Germany’s Federal Criminal Police Office (BKA or Bundeskriminalamt) said, “He served as the head of the group. In this way, he decided who or what organizations would be the target of attacks, recruited members, assigned them tasks, participated in ransom negotiations, managed the ransom obtained from extortion and used it to pay group members.”
The leak led to the apparent death of Black Basta, with the group remaining silent after February and taking down its data leak site at the end of that month. But with ransomware gangs known to disband, rebrand, and re-emerge under a different identity, it would not be surprising if members of the erstwhile criminal syndicate turned to other ransomware groups or formed new groups.
Indeed, as ReliaQuest and Trend Micro report, it is suspected that many of Black Basta’s former associates may have moved into the Cactus ransomware operation – an assessment based on the fact that there was a massive increase in organizations named on the latter’s data leak site in February 2025, which coincided with Black Basta’s site going offline.