Ukrainian and German Authorities Target Black Basta Ransomware Operatives
Ukrainian and German law enforcement have identified two Ukrainian nationals suspected of working for Black Basta, a Russia-linked ransomware-as-a-service (RaaS) group. The individuals, described as "hash crackers," specialized in breaching protected systems to extract passwords, enabling the group to infiltrate corporate networks, deploy ransomware, and extort victims. Searches of their residences in Ivano-Frankivsk and Lviv led to the seizure of digital storage devices and cryptocurrency assets.
The alleged leader of Black Basta, 35-year-old Russian national Oleg Evgenievich Nefedov, has been added to the EU’s Most Wanted list and INTERPOL’s Red Notice. Known by aliases including Tramp, Trump, GG, and AA, Nefedov is accused of overseeing operations, selecting targets, recruiting members, and managing ransom payments. Leaked internal chat logs from early 2024 revealed his role, along with claims of ties to Russian intelligence agencies (FSB and GRU), which allegedly helped him evade justice, including after his June 2024 arrest in Armenia, from which he was later released.
Black Basta emerged in April 2022, targeting over 500 organizations across North America, Europe, and Australia and amassing hundreds of millions in illicit cryptocurrency payments. The group is linked to the defunct Conti ransomware operation, with Nefedov previously associated with Conti under the alias Tramp. Following Conti’s shutdown in 2022, Black Basta operated independently alongside groups like BlackByte and KaraKurt, while other Conti affiliates dispersed to operations such as BlackCat and Hive.
After the leaks exposed its structure, Black Basta went silent in February 2025, taking its data leak site offline. However, cybersecurity firms ReliaQuest and Trend Micro report that former Black Basta affiliates may have migrated to the CACTUS ransomware group, citing a surge in victims listed on CACTUS’s site coinciding with Black Basta’s disappearance. The shift underscores the persistent threat of ransomware actors rebranding and regrouping under new identities.
Source: https://thehackernews.com/2026/01/black-basta-ransomware-hacker-leader.html
Black Talon Security cybersecurity rating report: https://www.rankiteo.com/company/blacktalonsecurity
{
  "id": "BLA1768679224",
  "linkid": "blacktalonsecurity",
  "type": "Ransomware",
  "date": "4/2022",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': ['North America', 'Europe', 'Australia'],
'type': 'Organizations'}],
'attack_vector': 'Password cracking, initial access brokering',
'data_breach': {'data_encryption': 'Yes (ransomware encryption)'},
'description': 'Ukrainian and German law enforcement have identified two '
'Ukrainian nationals suspected of working for Black Basta, a '
'Russia-linked ransomware-as-a-service (RaaS) group. The '
'individuals specialized in breaching protected systems to '
'extract passwords, enabling the group to infiltrate corporate '
'networks, deploy ransomware, and extort victims. The alleged '
'leader of Black Basta, Oleg Evgenievich Nefedov, has been '
'added to the EU’s Most Wanted list and INTERPOL’s Red Notice. '
'Black Basta emerged in April 2022, targeting over 500 '
'organizations and amassing hundreds of millions in illicit '
'cryptocurrency payments. The group went silent in February '
'2025, with former affiliates potentially migrating to the '
'CACTUS ransomware group.',
'impact': {'financial_loss': 'Hundreds of millions in illicit cryptocurrency '
'payments',
'systems_affected': 'Corporate networks'},
'initial_access_broker': {'entry_point': 'Password cracking, breached '
'systems'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain, extortion',
'post_incident_analysis': {'root_causes': 'Initial access via password '
'cracking, RaaS model enabling '
'cybercriminal collaboration'},
'ransomware': {'data_encryption': 'Yes',
'ransom_paid': 'Hundreds of millions in illicit cryptocurrency '
'payments',
'ransomware_strain': 'Black Basta'},
'references': [{'source': 'Law enforcement reports'},
{'source': 'Cybersecurity firms (ReliaQuest, Trend Micro)'}],
'regulatory_compliance': {'legal_actions': 'INTERPOL Red Notice, EU Most '
'Wanted list'},
'response': {'law_enforcement_notified': 'Yes (Ukrainian and German '
'authorities, INTERPOL, EU)'},
'threat_actor': 'Black Basta (Russia-linked RaaS group)',
'title': 'Ukrainian and German Authorities Target Black Basta Ransomware '
'Operatives',
'type': 'Ransomware'}