German Authorities Add Alleged Black Basta Ringleader to EU Most-Wanted List

Updated March 21, 2026 at 02:51 PM (12 sources)

German law enforcement added Oleg Evgenievich Nefedov/Nefekov, a 35-year-old Russian national, to the EU’s most-wanted list in connection with the Black Basta ransomware operation. German prosecutors and the Federal Criminal Police Office (BKA) allege he founded and led the group, acting as a “managing director” who selected targets, recruited and tasked members, participated in ransom negotiations, and managed extortion proceeds used to pay affiliates.

Authorities attribute to Black Basta a large global victim set since at least early 2022; reporting cites BKA estimates of roughly 700 organizations attacked worldwide and external researcher estimates of $100M+ in extortion payments by the end of 2023. The manhunt follows broader disruption and scrutiny of the group after an internal leak reportedly contributed to Black Basta ceasing activity. The EU listing includes multiple alleged aliases (e.g., tramp, tr, gg, AA, kurva, Washingt0n, S.Jimmi) tied to the suspect’s role in developing and operating the ransomware and related malware used for intrusion, data theft, and encryption-based extortion paid in cryptocurrency.

Timeline

  1. Jan 16, 2026

    Nefedov added to EU Most Wanted and Interpol wanted lists

    German authorities placed Oleg Nefedov on the EU Most Wanted list and said Interpol issued a Red Notice for him, seeking public tips on his whereabouts, travel, contacts, and online accounts. Authorities believe he is likely in Russia, though his exact location is unknown.

  2. Jan 16, 2026

    Germany names Oleg Nefedov as alleged Black Basta leader

    Germany's BKA and Frankfurt prosecutors publicly identified Russian national Oleg Evgenievich Nefedov as the suspected founder and leader of Black Basta. They accused him of developing the ransomware, selecting targets, recruiting members, participating in ransom negotiations, and managing cryptocurrency proceeds.

  3. Jan 16, 2026

    Two Ukrainian suspects identified as Black Basta 'hash crackers'

    Investigators identified two Ukrainian suspects accused of supporting Black Basta by extracting passwords from stolen data, stealing credentials, and escalating privileges to prepare ransomware attacks. Authorities said their work enabled intrusions, data theft, and malware deployment against victims.

  4. Jan 16, 2026

    Germany and Ukraine raid suspects linked to Black Basta

    Ukrainian and German law enforcement conducted coordinated searches in the Ivano-Frankivsk and Lviv regions targeting alleged Black Basta members. Authorities seized digital devices, notes, and cryptocurrency assets for forensic analysis as part of the investigation.

  5. Feb 28, 2025

    Black Basta activity declines after leak exposure

    Following the 2025 internal leak, Black Basta reportedly became inactive, removed its leak site, and ceased activity in a collapse compared by some reporting to Conti’s post-leak downfall. Some affiliates were reported to have shifted to other operations such as CACTUS.

  6. Feb 28, 2025

    Black Basta extorts organizations in Germany and worldwide

    Between March 2022 and February 2025, German authorities say Black Basta extorted more than 100 companies and institutions in Germany and roughly 600 to 700 organizations worldwide. Reported losses in Germany exceeded €20 million, with hospitals and public institutions among the victims.

  7. Feb 1, 2025

    Black Basta internal chats are leaked

    Internal Black Basta chat logs and related data were leaked in early 2025, exposing operational details, member aliases, and technical information used by researchers and investigators. The leak was later cited as key evidence linking Oleg Nefedov to the group’s leadership.

  8. Apr 1, 2022

    Black Basta ransomware operation emerges

    Black Basta began operating as a ransomware-as-a-service group in 2022, with multiple reports placing its emergence in early 2022 or April 2022. Authorities later tied the group to hundreds of extortion incidents worldwide involving data theft and system encryption.


Related Stories

Germany Identifies Alleged REvil and GandCrab Leader Behind 130 Ransomware Attacks

Germany's Federal Criminal Police Office (**BKA**) identified 31-year-old Russian national **Daniil Maksimovich Shchukin** as `UNKN`/`UNKNOWN`, the alleged leader and public face of the **GandCrab** and **REvil** ransomware operations, and named **Anatoly Sergeevitsch Kravchuk**, 43, as an alleged developer. Authorities said the pair were involved in ransomware activity from early 2019 through at least July 2021 and linked them to **130 attacks in Germany**, including about **25 cases** that generated roughly **€1.9 million** in ransom payments and caused more than **€35 million** in economic damage. German investigators described GandCrab and REvil as highly organized **ransomware-as-a-service** enterprises that helped popularize **double extortion** and relied on affiliates, access brokers, malware obfuscation providers, and money-laundering support. REvil was among the most prolific ransomware groups, hitting major victims including **JBS** and **Kaseya**, before collapsing under mounting law-enforcement pressure after the FBI infiltrated its infrastructure; the gang briefly resurfaced before disappearing in late 2021, followed by affiliate arrests in Romania and a broader disruption announced by Russia's **FSB** in 2022.

1 month ago

German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption

German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (**BND**) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US **NSA** for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.” Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the **Conti** ransomware ecosystem. A third item—a *Citizen Lab* job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.

1 month ago

Law Enforcement Disruption of Major Malware and Ransomware Operations

International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.

3 weeks ago