
Black Basta Ransomware Leader Added to Interpol Red Notice

January 18, 2026

German and Ukrainian law enforcement authorities have publicly identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware operation, adding him to the European Union's Most Wanted list and Interpol's Red Notice. This coordinated announcement marks a significant step in international efforts to hold ransomware operators accountable, even when suspects remain beyond reach in Russia.

The Black Basta Operation

Black Basta emerged in April 2022 and quickly became one of the most prolific ransomware groups in the cybercriminal ecosystem. The group is believed to be responsible for at least 600 ransomware incidents worldwide, targeting organisations including healthcare systems, government contractors, and critical infrastructure. Security researchers estimate the group earned more than 100 million dollars in ransom payments during its operation.

Nefedov, who operated under multiple aliases including tramp, GG, AA, kurva, and Washingt0n, is accused of founding Black Basta and serving as its ringleader. According to Germany's Federal Criminal Police Office, he selected targets, recruited members, participated in ransom negotiations, and managed cryptocurrency proceeds used to pay affiliates. Evidence suggests Nefedov has connections to Conti, a now-defunct ransomware syndicate that emerged in 2020 as a successor to Ryuk.

Raids and Arrests in Ukraine

Ukrainian cyber police, working in close cooperation with German authorities, conducted raids at residences in the Ivano-Frankivsk and Lviv regions of western Ukraine. The operation identified 2 Ukrainian nationals who allegedly worked for the ransomware group as hash-cracking specialists. These individuals were responsible for extracting passwords from compromised information systems using specialised software to enable network intrusions and subsequent ransomware deployment.

During the searches, authorities seized mobile phones, computer equipment, digital storage devices, and cryptocurrency assets. Ukrainian prosecutors stated the suspects were responsible for technically breaching protected systems and preparing cyberattacks that disrupted over 100 companies in Germany and approximately 600 organisations worldwide.

The Armenian Escape

Analysis of leaked internal chat logs revealed that Nefedov was arrested in Yerevan, Armenia, in June 2024 but mysteriously escaped just 2 days later. In the leaked chats, Nefedov claimed Russian authorities helped secure his release through a green corridor, suggesting possible state protection. He is believed to be residing in Russia, though his exact whereabouts remain unknown.

This incident highlights a recurring pattern in cybercrime enforcement where Russian cybercriminals appear to operate with impunity as long as they avoid targeting Russian interests. The alleged state assistance in Nefedov's escape raises serious questions about the relationship between Russian authorities and cybercriminal groups operating from Russian territory.

The Group's Collapse

Black Basta's operations appear to have collapsed following the February 2025 leak of over 200,000 internal chat messages by an anonymous individual calling themselves ExploitWhispers. The leaker claimed the group had crossed the line by attacking Russian banks, a violation of the unwritten rule that Russian-based cybercriminal groups do not target Russian entities.

The leaked data consisted of 1.2 gigabytes of chat logs from Black Basta's Matrix server, containing 196,045 messages primarily in Russian, spanning from September 2023 to September 2024. The leak provided unprecedented insights into the group's operations, tactics, infrastructure, and internal dynamics, echoing the Conti ransomware group's collapse in 2022 after a comparable chat leak.

Following the leak, the group went silent. Their data leak site was taken offline, and no known victims have been identified since January 2025. The group is effectively defunct.

Migration to Other Groups

Research from ReliaQuest and Trend Micro suggests that former Black Basta affiliates have likely migrated to other ransomware operations, particularly the Cactus ransomware group. Leaked chats showed a payment of 500,000 to 600,000 dollars from Black Basta's leader to Cactus, suggesting a potential relationship or transition between the groups.

Internal divisions within Black Basta were evident in the leaked chats, with some members attacking Russian targets whilst others engaged in scamming victims by collecting ransom payments without providing working decryption keys. By January 2025, a mass migration of affiliates was observed to Cactus and Akira, groups offering more favourable profit splits of 80/20 compared to Black Basta's 70/30 arrangement.

International Law Enforcement Response

The identification and public naming of Nefedov represents a coordinated international law enforcement effort involving German and Ukrainian authorities. Whilst the Interpol Red Notice and EU Most Wanted listing are symbolically important, the practical reality is that Nefedov remains out of reach as long as he stays in Russia, which does not extradite its citizens to face criminal charges abroad.

Nevertheless, the action demonstrates the increasing sophistication and coordination of international law enforcement in tracking and identifying cybercriminals. The raids in Ukraine and seizure of assets show that whilst ringleaders may remain protected, their networks of operatives and facilitators can still face consequences.

The Black Basta case illustrates the ongoing challenges in combating ransomware operations that operate across international borders, particularly when suspects enjoy apparent protection from nation states that benefit from their activities or use them for strategic purposes.

Published January 18, 2026 at 1:14am