Black Basta Ransomware Leader Added to EU Most Wanted and INTERPOL Red Notice
Black Basta ransomware leader Oleg Nefedov has been added to the EU Most Wanted and INTERPOL Red Notice lists as Ukrainian and German authorities identify key hackers behind global cyberattacks.
Authorities in Europe and Ukraine have stripped the Russia-associated Black Basta ransomware gang of its anonymity, identifying two key operators and placing its alleged leader on international most-wanted lists. The move reflects a growing trend in the global fight against ransomware-as-a-service (RaaS) groups, which have inflicted billions of dollars in damages worldwide.
Law enforcement agencies from Ukraine and Germany have disclosed that two individuals from Ukraine, believed to have been involved in Black Basta operations, have been identified, while the group's alleged mastermind, Oleg Evgenievich Nefedov, a Russian national, has been added to the European Union's Most Wanted list and the INTERPOL Red Notice database.
Ukrainian and German Police Identify Black Basta Operators
According to the Cyber Police of Ukraine, the two suspects managed the whole process and were experts in password extraction and credential cracking using the latest sophisticated tools. Black Basta associates later used these credentials to gain access to corporate networks, install ransomware, and demand large cryptocurrency ransoms from the victims.
Law enforcement agencies carried out coordinated raids at properties in Ivano-Frankivsk and Lviv and confiscated digital storage devices, laptops, and cryptocurrency wallets purportedly related to the ransomware activities.
The operation is a clear indication of growing international cooperation that aims not only to arrest the hackers at the forefront of ransomware ecosystems but also to dismantle the infrastructure and leadership behind such cybercrime syndicates.
Who Is Oleg Nefedov, the Alleged Leader of Black Basta?
Law enforcement authorities have concluded that the 35-year-old Russian national Oleg Evgenievich Nefedov was the mastermind behind Black Basta. Germany's Federal Criminal Police Office (BKA) disclosed that Nefedov was responsible for the entire operation, from planning attacks and recruiting members to coordinating ransomware and negotiating with victims, through to dividing the ransom proceeds.
Nefedov is said to have used several aliases, including Tramp, Trump, GG, AA, kurva, Washingt0n, and S.Jimmi, which made it hard for law enforcement agencies to track him. The authorities believe he is in Russia but do not know exactly where.
In addition, reports claim that Nefedov was released after he was arrested in Armenia in June 2024 and that he was protected by political and intelligence-related connections.
Black Basta’s Origins and Global Impact
Black Basta appeared on the scene in April 2022, very soon after the collapse of the notorious Conti ransomware group. It has since attacked more than 500 organizations in North America, Europe, and Australia, with hospitals, manufacturers, and banks among its targets.
According to experts, the group's activities have earned it hundreds of millions of dollars in bitcoin in total, placing it among the most successful ransomware operations of the last decade.
Early in 2024, the leak of Black Basta's internal chat logs revealed a great deal about the group's internal situation, how it chose its targets, and the person who led it, Nefedov.
Links to Conti and Other Ransomware Syndicates
Evidence has linked Nefedov to the now-defunct Conti ransomware gang, which was a derivative of Ryuk. In August 2022, the U.S. State Department announced a reward of $10 million for information about a few members of Conti, including names that overlap with Black Basta's leaders.
After it shut down, Conti gave rise to offshoots such as Black Basta, BlackByte, KaraKurt, BlackCat, Hive, AvosLocker, and HelloKitty. Many of these have since been dismantled or have changed their names, showing how ransomware groups keep evolving to evade law enforcement.
Use of Bulletproof Hosting and Sanctioned Infrastructure
According to the latest analysis by Analyst1, Black Basta depended heavily on Media Land, a bulletproof hosting service that was sanctioned by the U.S., U.K., and Australia in November 2025. Media Land and its manager, Aleksandr Volosovik (also known as Yalishanda), are said to have given robust support to the ransomware campaigns, enabling them to operate with very little hindrance.
Black Basta is said to have received VIP-level access and hosting services, which further strengthened the group's operational resilience, notwithstanding the international sanctions.
Black Basta’s Collapse and Possible Rebranding
Following the leak of its internal communications, Black Basta went silent in February 2025; soon afterwards, the group closed its data leak site, a clear sign that it had practically disbanded.
However, security companies such as ReliaQuest and Trend Micro suspect that many former Black Basta members have moved on to the CACTUS ransomware operation, pointing to a sudden increase in CACTUS victim disclosures just after Black Basta's disappearance.
This fits a familiar cybercrime pattern: ransomware gangs dissolve, rebrand, and re-emerge under new names, usually with the same operators and the same infrastructure.
What This Means for Global Cybersecurity