
Black Basta’s alleged ringleader identified as authorities raid homes of other members

Oleg Evgenievich Nefedov, a 35-year-old Russian national, is accused of forming and running the ransomware outfit since 2022. He’s now on Europol and Interpol’s most-wanted lists.

Law enforcement agencies from multiple European countries are still pursuing leads on people involved in the Black Basta ransomware group, nearly a year after the group’s internal chat logs were leaked, exposing key details about its operations, and at least six months after the group last claimed responsibility for an attack.

Officials in Ukraine and Germany said they raided the homes of two Russian nationals accused of participating in Black Basta’s crimes and effectively halted their operations. The pair, who were living in Ukraine, were not named.

German police publicly identified a third Russian national — Oleg Evgenievich Nefedov — as Black Basta’s alleged leader. Nefedov, a 35-year-old who was subsequently added to the most-wanted lists of Europol and Interpol, allegedly formed and ran Black Basta since 2022, authorities said. 

He is accused of extorting more than 100 companies in Germany and about 600 other companies globally. Nefedov’s current whereabouts are unknown, but he is believed to be living in Russia.


Authorities said Nefedov may have previously been involved with the Conti ransomware group, which disbanded in 2022 after its internal messages were also leaked. Members of the Russian-language ransomware collective split into three subgroups: Zeon, Black Basta and Quantum. Quantum quickly became Royal, which in turn rebranded as BlackSuit in 2024.

Police said they seized data and cryptocurrency assets during their searches of the alleged Black Basta participants’ residences in Ivano-Frankivsk and Lviv, Ukraine, but they did not provide further detail about what the evidence revealed.

The pair of alleged Black Basta co-conspirators are accused of specializing in stealing credentials, which were used to break into targeted companies’ networks, steal confidential data and launch malware to encrypt data for extortion attempts.

International law enforcement agencies’ ongoing efforts to target Black Basta and its alleged participants underscore a sustained push to track cybercriminals despite the group’s relative dormancy.

Black Basta’s data leak site was shut down shortly after its internal chats were leaked last year, but uncaptured cybercriminals typically scatter and join new groups in the wake of a takedown or disbandment, said Allan Liska, threat intelligence analyst at Recorded Future.


“Even if Black Basta hasn’t been active, it doesn’t mean that the people behind it haven’t been,” he said.

Ransomware experts said Nefedov’s ringleader position at Black Basta and his previous involvement with Conti were already known in law enforcement and threat intelligence circles.

“The accusation signals less about the impact of Black Basta and more about the significance of Nefedov,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. 

The formal naming and request for information on Nefedov aligns with a broader law enforcement strategy to target core leadership responsible for orchestrating cyberattacks, Gray added.

Countering ransomware is a never-ending pursuit: the ecosystem consistently attracts new players and new groups at a faster clip than law enforcement can manage.


“You cut one head off and two appear,” Liska said. “You still have to cut the head off, you still have to stop the activity.”

While ransomware activity remains elevated, law enforcement is sticking to multidimensional countermeasures by targeting operators and affiliates, initial access brokers, infostealers, infrastructure providers and key services criminals use to deploy or facilitate the ransomware ecosystem.

These takedowns, seizures, indictments and arrests are sometimes organized under ongoing coordinated international operations such as Operation Endgame, which has neutralized malware networks, remote access trojans, botnets and other cybercrime enablers.

“These operations can’t be one-and-done,” Liska said. “They have to be interconnected and use that intelligence to build more cases against other actors.”
