Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice

  • Jan 17

Key Findings


  • Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta.

  • The group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists.

  • The accused individuals specialized in technical hacking, including credential theft and "hash cracking" to gain access to corporate networks, before deploying ransomware and extorting money.

  • Black Basta first emerged in 2022 and is estimated to have targeted over 500 companies across North America, Europe, and Australia, earning hundreds of millions in cryptocurrency from illicit payments.

  • Leaked chat logs revealed Nefedov as Black Basta's ringleader, with alleged ties to high-ranking Russian politicians and intelligence agencies like the FSB and GRU.

  • Nefedov is believed to have leveraged these connections to protect his operations and evade international justice, though his exact whereabouts are currently unknown.


Background


Black Basta emerged as a ransomware-as-a-service operation in early 2022 and quickly gained notoriety for its high-profile targets and the scale of its extortion campaigns. The group is said to have specialized in technical hacking methods, including credential theft and "hash cracking" to gain access to corporate networks, before deploying ransomware and demanding payment to decrypt the data.


Identification of Key Figures


Ukrainian and German authorities have identified two Ukrainian nationals as suspects in the Black Basta operation, describing them as specialists involved in the technical aspects of the group's activities. Additionally, the alleged leader of Black Basta, a 35-year-old Russian national named Oleg Evgenievich Nefedov, has been added to the European Union's Most Wanted list and INTERPOL's Red Notice.


Alleged Connections and Influence


Leaked chat logs from the group have revealed that Nefedov, who uses various aliases such as Tramp, Trump, GG, and AA, is believed to have had ties to high-ranking Russian politicians and intelligence agencies, including the FSB and GRU. These alleged connections are thought to have helped Nefedov protect his operations and evade international justice, despite being arrested in Yerevan, Armenia, in June 2024.


Impact and Implications


Black Basta is estimated to have targeted over 500 companies across North America, Europe, and Australia, earning hundreds of millions in cryptocurrency from illicit payments. The group's operational model, which relied on a segmented supply chain of specialists, made it a persistent threat for incident response teams. The addition of Nefedov to the INTERPOL Red Notice list is expected to create friction in the ransomware ecosystem, potentially leading to a reshuffle of the players involved.


Sources


  • https://thehackernews.com/2026/01/black-basta-ransomware-hacker-leader.html

  • https://anavem.com/cybersecurity/black-basta-boss-interpol-red-notice-oleg-nefedov

  • https://www.instagram.com/p/DTlSc-KDmNr/

© 2025 by Explain IT Again.