Two individuals from Ukraine, believed to be associated with the Russia-linked ransomware-as-a-service (RaaS) group Black Basta, have been identified by Ukrainian and German law enforcement authorities.
Additionally, Oleg Evgenievich Nefedov, a 35-year-old Russian national and alleged leader of the group, has been placed on the European Union’s Most Wanted and INTERPOL’s Red Notice lists.
The Cyber Police of Ukraine stated that the suspects were involved in the technical hacking of protected systems and played a role in orchestrating cyberattacks using ransomware. Specifically, they were known as “hash crackers,” who extract passwords from information systems using specialized software.
Following searches at their residences in Ivano-Frankivsk and Lviv, authorities seized digital storage devices and cryptocurrency assets.
Black Basta, which emerged in April 2022, has targeted over 500 companies in North America, Europe, and Australia, earning substantial amounts of cryptocurrency through ransom payments.
Last year, internal chat logs from Black Basta were leaked online, revealing details about the group’s operations, members, and vulnerabilities exploited to access organizations. The leaked information identified Nefedov as the leader, known by aliases such as Tramp, Trump, GG, and AA, with alleged ties to Russian politicians and intelligence agencies.
Nefedov, who was previously arrested in Yerevan, Armenia, in June 2024, is associated with the now-defunct Conti ransomware group and is suspected to be in Russia, evading international authorities.
There is evidence linking Nefedov to Conti, a group that emerged in 2020 as a successor to Ryuk. The U.S. State Department offered a $10 million reward for information on individuals associated with Conti, including Nefedov.
After the retirement of the Conti brand in 2022, Black Basta, BlackByte, and KaraKurt emerged as separate groups. Following the leaks, Black Basta ceased activity in February, leading to speculation that former members may have joined other ransomware groups like CACTUS.


