European and international law enforcement agencies have intensified their pursuit of individuals connected to the Black Basta ransomware operation. Authorities confirmed that the alleged leader of the Russia-linked ransomware-as-a-service (RaaS) group has been placed on both the European Union’s Most Wanted list and INTERPOL’s Red Notice, while Ukrainian and German investigators have identified two additional suspects operating inside Ukraine.
According to official notices, Ukrainian National Police and German Federal Criminal Police (BKA) coordinated efforts to uncover members of an international hacking group affiliated with Russia.
The investigation identified two Ukrainian nationals who allegedly performed specialized technical roles within the criminal structure of Black Basta ransomware. At the same time, investigators formally named the group’s suspected organizer as Oleg Evgenievich Nefedov (Нефедов Олег Євгеньевич), a 35-year-old Russian citizen.
Law enforcement statements said Nefedov has now been declared internationally wanted. He was added to the EU Most Wanted list, and an INTERPOL Red Notice was issued at the initiative of Germany’s Federal Criminal Police Office and the Central Office for Combating Internet Crime (ZIT) of the Frankfurt am Main Public Prosecutor’s Office.
German authorities are seeking him on suspicion of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”
Authorities Detail Role of Alleged Ringleader and Technical Specialists
German prosecutors allege that Nefedov founded and led the group behind the Black Basta ransomware, acting as its ringleader and chief decision-maker. Under multiple pseudonyms, including tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is suspected of developing and establishing the Black Basta malware. Investigators claim he functioned as the group’s “managing director,” selecting attack targets, recruiting personnel, assigning tasks, participating in ransom negotiations, managing cryptocurrency proceeds, and distributing payments to members of the group.
The Ukrainian National Police detailed how domestic cyber police officers and investigators from the Main Investigative Department, under the procedural guidance of the Cyber Department of the Office of the Prosecutor General, worked alongside the German BKA to disrupt the group’s activities. Within the framework of the international investigation, two participants operating in Ukraine were identified as performing technical functions essential to ransomware attacks.
According to investigators, these individuals specialized in breaking into protected systems and preparing ransomware campaigns. They acted as so-called “hash crackers,” extracting passwords from corporate information systems using specialized software. After obtaining employee credentials, the suspects allegedly accessed internal company networks without authorization, escalated privileges of compromised accounts, and expanded their control within corporate environments.
Authorities said this access was then used to compromise critical systems, steal confidential data, and deploy malware designed to encrypt files. Victims were subsequently extorted for ransom payments, typically demanded in cryptocurrency, in exchange for data decryption and restoration.
Searches authorized by the court were carried out at the suspects’ residences in the Ivano-Frankivsk and Lviv regions. During these operations, police seized evidence of illegal activity, including digital storage devices and cryptocurrency assets.
Black Basta Ransomware Global Impact
Through joint efforts involving Europol specialists, investigators also identified Nefedov as the probable organizer of the broader criminal enterprise. Foreign law enforcement partners indicated he may also have been involved in the operations of another notorious ransomware group, Conti.
Law enforcement agencies described the Black Basta ransomware group as one of the most dangerous cybercrime organizations in recent years. Between 2022 and 2025, the group allegedly targeted hundreds of companies, institutions, and government bodies in economically developed Western countries, causing damages estimated in the hundreds of millions of euros. Victims spanned multiple sectors, including healthcare, manufacturing, and construction, across the United States, the United Kingdom, Canada, Australia, and several EU member states.
The investigation has been conducted as part of a wider international cooperation framework involving authorities from Ukraine, Germany, Switzerland, the Netherlands, and the United Kingdom. Ukrainian police also noted that earlier investigative actions, including searches in Kharkiv and the surrounding region, had already been carried out at the request of foreign partners.