International operation to catch Ransomware leader  International law enforcement agencies have increased their search for individuals linked to the Black Basta ransomware campaign. Agencies confirmed that the suspected leader of the Russia-based Ransomware-as-a-service (RaaS) group has been put in the EU’s and Interpol’s Most Wanted list and Red Notice respectively. German and Ukrainian officials have found two more suspects working from Ukraine.  As per the notice, German Federal Criminal Police (BKA) and Ukrainian National Police collaborated to find members of a global hacking group linked with Russia.  About the operation  The agencies found two Ukrainians who had specific roles in the criminal structure of Black Basta Ransomware. Officials named the gang’s alleged organizer as Oleg Evgenievich Nefedov from Russia. He is wanted internationally. German law enforcement agencies are after him because of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.” According to German prosecutors, Nefedov was the ringleader and primary decision-maker of the group that created and oversaw the Black Basta ransomware. under several aliases, such as tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi. He is thought to have created and established the malware known as Black Basta.  The Ukrainian National Police described how the German BKA collaborated with domestic cyber police officers and investigators from the Main Investigative Department, guided by the Office of the Prosecutor General's Cyber Department, to interfere with the group's operations. The suspects Two individuals operating in Ukraine were found to be carrying out technical tasks necessary for ransomware attacks as part of the international investigation. Investigators claim that these people were experts at creating ransomware campaigns and breaking into secured systems. They used specialized software to extract passwords from business computer systems, operating as so-called "hash crackers."  Following the acquisition of employee credentials, the suspects allegedly increased their control over corporate environments, raised the privileges of hacked accounts, and gained unauthorized access to internal company networks. Authorities claimed that after gaining access, malware intended to encrypt files was installed, sensitive data was stolen, and vital systems were compromised. The suspects' homes in the Ivano-Frankivsk and Lviv regions were searched with permission from the court. Digital storage devices and cryptocurrency assets were among the evidence of illicit activity that police confiscated during these operations.

Podcast Episode · TechDaily.ai · 01/23/2026 · 15m

ウクライナとドイツの法執行当局は、ロシアに関連するとされるランサムウェア集団Black Bastaに関与した疑いで捜査を進め、ウクライナ西部で活動していたウクライナ人2人を特定して家宅捜索を実施しました。捜索ではデジタル記録媒体や暗号資産が押収され、押収物の解析が続けられています。

The leaks tied to the BlackBasta ransomware group and Russian hosting company Media Land pulled back the curtain on something defenders.

The mastermind of the gang behind the 2024 Zirco Data hack, as well as more than 500 others, has been pinged alongside two other hackers.

German authorities have named Oleg Nefekov, the alleged leader of the Black Basta ransomware group, on the EU's most-wanted list.

 Two Ukrainians are now under suspicion of aiding Black Basta, a ransomware network tied to Russia, after joint work by police units in Ukraine and Germany - this step adds pressure on the hacking group’s operations. The man believed to lead the gang, Oleg Evgenievich Nefedov, aged thirty-five and holding Russian citizenship, appears on key global alerts: one issued by the EU, another by INTERPOL. Though named, he remains at large.  A Ukrainian cybercrime unit identified two people who handled technical tasks for a ransomware network, focusing on breaking into secured systems. These individuals worked by uncovering encrypted passwords through dedicated tools. Their job was to unlock access codes so others could move deeper. With those login details, associates entered company servers without permission. They installed malicious encryption programs afterward. Victims then faced demands for money before files would be released.  Finding hidden data drives inside apartments across Ivano-Frankivsk and Lviv opened a path toward tracking illegal transactions. Though police stayed silent on custody details, they emphasized digital trails now feed directly into active probes.  Emerging in April 2022, Black Basta quickly rose as a leading ransomware force worldwide. Over 500 businesses in North America, Europe, and Australia faced its attacks, bringing in hundreds of millions through crypto ransoms. Instead of acting alone, the group used a service-based approach, pulling in partners who received profit cuts for launching assaults on their behalf.  Early in 2025, internal chat records from Black Basta were made public, showing how the group operated and naming those involved. Nefedov emerged as the central figure behind the network; his known aliases included Tramp, Trump, GG, and AA. Evidence within the files suggested ties between him and high-level individuals in Russian politics. Links to state security bodies like the FSB and GRU appeared in some messages.  Such affiliations might explain why legal action against him never moved forward. The disclosure offered rare insight into an otherwise hidden criminal ecosystem. A report from June 2024 noted a short detention of Nefedov in Yerevan, Armenia; authorities let him go afterward. Although listed internationally as a fugitive, where he is now has not been confirmed - evidence suggests Russia may be harboring him.  Some researchers connect Nefedov to Conti, a well-known ransomware outfit that ended in 2022. When Conti broke apart, new groups appeared - Black Basta, BlackByte, and KaraKurt among them. Following the split, ex-Conti members moved into different ransomware efforts, though certain ones eventually stopped operating. A different analysis by Analyst1 showed Black Basta made frequent use of Media Land - an internet host blacklisted by U.S., British, and Australian governments in late 2025 due to its resistance to takedown requests.  According to officials in Germany, Nefedov was responsible for choosing victims, bringing in new people, handling payment talks after attacks, then splitting the money taken with others involved. After the leaks, activity from Black Basta's systems stopped. Its public leak page vanished by February.  Still, security analysts note such criminal networks frequently reappear under different names or combine forces elsewhere. Data collected by ReliaQuest together with Trend Micro points toward ex-members possibly joining CACTUS. A sharp increase in victims claimed by CACTUS emerged right when Black Basta faded.

BlackBastaランサムウェアグループとロシアのホスティング企業Media Landに関連するリークは、防御側がめったに目にできないもの――大規模なランサムウェア作戦の背後にある内部の仕組みと人々――の幕を引きました。 2025年2月、 ExploitWhispers というハンドルネームを名乗る正体不明の人物がTelegramに現れ、Matrixメッセンジャー上でのBlackBasta内部チャットの巨大なアーカイブを公開しました。 JSONファイルとして公開されたこのダンプには、2023年9月18日から2024年9月28日までにやり取りされた約20万件のメッセージが含まれていました。 中には技術的な議論や運用上の詳細だけでなく、実名も含まれており、そのうちの1人は後に制裁リストにも登場することになります。 Kirill Zatolokin――アンダーグラウンドでは 「Slim Shady」 としてよく知られていました。 最初のリークの影響は即座に現れました。非難が飛び交い、関係者が露見し、エコシステム内の派閥が互いに責任をなすりつけ始めました。 そして2025年3月28日、2度目の打撃が加わります。別の匿名の人物が Media Land に紐づくデータベースをリークし、サーバー構成、顧客の購入履歴、ユーザーアカウントデータ、同社の運用に関連する暗号資産アドレスといった内部記録が明らかになりました。 侵害はどのように起きたのか 表向き、Media Landは「正当な」ロシアのホスティングプロバイダーでした。しかし実態として、流出データはアンダーグラウンドの多くがすでに疑っていたことを裏付けました。Media Landは、2009年頃からサイバー犯罪者に中核インフラを供給してきた長年の ブレットプルーフホスティング（BPH）サービス Yalishanda と密接に結びついていたのです。 これにより、捜査当局や規制当局にとって重要な疑問が浮上しました。なぜ登録されたロシア企業が、これほど深くサイバー犯罪インフラに組み込まれているのか？答えは単純で、示唆的でした――それが同社の本当のビジネスモデルだったのです。 リークは、 BlackBasta が自らの作戦の背骨としてMedia Land/Yalishandaに大きく依存していたことを示しました。 専用サーバーや帯域から、サポート、そしてアビューズ耐性に至るまで、Media Landは当時最も活発に活動していたランサムウェア・シンジケートの一つに対し、プレミアムで手厚いサービスを提供する事業者として機能していました。 内部チャットでは、 「Slim Shady」 （Zatolokin）がBlackBastaとホスティングインフラの橋渡し役として振る舞い、速度テストを共有し、数十Gbps規模の帯域使用について議論し、BlackBastaの要求が増すにつれてより高い支払いを交渉している様子が示されていました。 こうした証拠の収束は、規制当局に突破口をもたらしました。2025年11月19日、米財務省外国資産管理局（OFAC）は、オーストラリアおよび英国当局と連携し、 Media Land とその子会社 Data Center Kirishi に対する制裁を発表しました。 Yalishandaの関係者が、ユーザーから提出されたサービス苦情に直接対応しており、同組織がカスタマーサポートをどのように扱っていたかについての示唆を与えている（出典 – Analyst1）。 名指しされた個人は2人でした。Media Landのゼネラルディレクターであり、Yalishandaの長年の運営者である Aleksandr Volosovik と、サイバー犯罪インフラおよび ランサムウェア作戦 を直接支援した役割により制裁対象となった Kirill Zatolokin です。 これらの名前の背後にある物語は、サイバー犯罪のエコシステムがいかに個人的で、時に混沌としているかを浮き彫りにしています。 法執行機関の盲点 Volosovikは、Yalishandaの主要運営者として2019年の報道で初めて公に 特定 されました。彼は長年にわたり、マルウェア運用者、ランサムウェアのアフィリエイト、初期アクセスブローカーに対応するブレットプルーフホスティングを運営してきました。 かつて中国での仕事を探す求人広告を投稿していたZatolokinは、やがて 「Slim Shady」 という別名のもと、顧客対応の運用者兼インフラ調整役として表面化し、顧客管理、性能問題の解決、そして犯罪インフラを密かに稼働させ続ける役割を担っていました。 アクターggが、Media Landのインフラから実施された速度テスト結果を示すSlim Shadyのメッセージを、同じ運用者のlapaと共有した（出典 – Analyst1）。 リークはまた、舞台裏の資金の配管も暴きました。チャットログと取引の痕跡は、BlackBastaの運用者がランサムウェアの支払いから得た資金をマネーロンダリングのパイプラインに通し、USDTのようなステーブルコインへ価値を移し、その洗浄済み資産をインフラ、SOCKSプロキシ、およびスタッフの給与の支払いに用いていたことを示しています。 BlackBastaと協働するインフラ担当者である lapa に紐づく支払いは、プロキシ調達やサーバー管理といった役割が、単発の場当たり的な取引ではなく、構造化され反復可能な運用の一部として資金供給されていることを浮き彫りにしています。 総合すると、BlackBastaのチャットとMedia Landのデータベースは、現代のロシア語圏ランサムウェア作戦がエンドツーエンドでどのように機能するかを示す、稀有な設計図を形成しています。 そこから見えてくるのは、「正当」なフロント、ブレットプルーフホスティング、大容量帯域の取引、そして犯罪グループと稼働を支えるインフラの間に座る信頼された仲介者たちが、緊密に結びついたネットワークです。 制裁、露見、リークによって、このエコシステムが即座に解体されるわけではありません。VolosovikやZatolokinのような人物は、ドメインをローテーションし、ウォレットを入れ替え、新たなハンドルネームを採用できます。 しかし、これらの開示は防御側、アナリスト、法執行機関にとって非常に価値のあるものを与えます。すなわち、時間をかけて追跡・相関・妨害できる具体的な名前、インフラのパターン、そして資金フローです。 ランサムウェアがビジネスであるなら、インフラは背骨です。これらのリークは、その背骨がどこで接続され、次にどこへ圧力をかけられるのかを正確に示しています。 翻訳元:

The identity of the Black Basta ransomware gang leader has been confirmed by law enforcement in Ukraine and Germany, and the individual has been added to the wanted list of Europol and Interpol.

  Investigators say the Black Basta ransomware campaign left a trail of disruption that extended across Europe and beyond, impacting everything from hospital wards to industrial production lines that were abruptly halted, resulting in a temporary ban of internet and phone use. Prosecutors from the German Federal Ministry of Justice, along with international law enforcement partners, now believe that the trail of this extortion, the most damaging in recent years, can be traced back to one individual who they describe as the driving force behind one of these operations.  There has been an investigation into whether Oleg Nefedov was the architect and operational leader of the Black Basta group. Authorities have identified him as a Russian national.  Authorities accuse him of coordinating a massive ransomware campaign against companies and public institutions across multiple continents by forming and leading an overseas criminal organization. There is a suspicion among investigators that Nefedov was responsible for leading the organization's core activities, including selecting targets, recruiting affiliates, orchestrating intrusions, and negotiating ransoms, while the proceeds of the transactions were laundered via cryptocurrency wallets and distributed among all participants in the scheme. Black Basta was also analyzed from an online alias perspective and suspected ties to a now-defunct ransomware collective named Conti. This reinforces the assessment that Black Basta arose from an advanced and interconnected cybercrime ecosystem that has matured over many years.  Officials from the Federal Republic of Germany have confirmed that Nefedov still resides in Russia and that he has been placed on Interpol's international wanted list, an indication that European authorities have intensified their efforts to identify and pursue the individuals behind cyber extortion committed in large scale industrial scales.  The Federal Criminal Police Office of Germany has confirmed that Oleg Nefedov, a 36-year-old Russian national suspected of leading the Black Basta ransomware group, is one of the suspected leaders of the ransomware. He is charged with forming criminal organizations abroad, orchestrating large-scale extortion crimes, and committing related cyber crimes.  A central coordinator was alleged by investigators to be Nefedov. During his time at the group, Nefedov selected targets, recruited and managed members, assigned operational roles, negotiated ransom demands, and distributed extorted proceeds, which were usually paid in cryptocurrency, according to the investigation.  There were several aliases he operated under on the internet-including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi-and authorities say he may have maintained a connection to the now-defunct Conti ransomware group.  According to German authorities, Nefedov is believed to be in Russia at the moment, though his exact location remains unclear. Interpol has also added him to a global wanted list. In recent months, the investigation has been further strengthened by numerous disclosures and enforcement actions that have heightened the investigation.  A leaked internal chat log attributed to Black Basta, which gave rare insights into the group's organization, operations, and communications, as well as exposing identifying information about the individuals involved. This information provided an insight into the organization's inner workings and daily operations.  According to cybersecurity researchers, many of the Black Basta members previously operated within criminal networks that were closely linked to the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan — operations that have led Western governments to identify and sanction more than a dozen individuals for their involvement in such attacks.  According to researchers and investigators, Black Basta is the result of the collapse of Conti, a ransomware operation which fragmented into smaller, semi-autonomous cells after it shut down. In a recent study published by the International Security Agency, Black Basta has been widely interpreted as a rebranding of the former Conti infrastructure, with many of those splinter groups either embedding themselves into existing ransomware schemes or controlling existing operations.  It has been demonstrated that this view has been reinforced by a review of leaked internal communications by Trellix researchers. According to those who reviewed the Black Basta chat logs, GG and Chuck were exchanging emails about a purported $10 million reward for information about an individual, referred to as “tr” or “-amp,” an individual which researchers believe corresponds to a bounty offered by the U.S. Government for information that will lead to the identification of key Conti figures, including Tramp, the hacker.  Additionally, Trellix researchers found that within the leaked conversations, GG was identified as Tramp, who had been regarded as Conti's leader for some time, by a participant called "bio," sometimes known as "pumba," a figure who was previously connected to the Conti organization.  These findings echo those released earlier in February 2022, when a researcher revealed Conti's internal chats in the aftermath of the Russian invasion of Ukraine, revealing internal dynamics and explicitly referring to Tramp as leader of the group.  It is well-known that such leaks have long been a source of attribution efforts within the cybersecurity industry, but German authorities say that their current case rests on evidence gathered through intelligence and investigation on the German side.  Oleg Nefedov has been identified formally as the head of the Black Basta ransomware group by Europol, and the Interpol red notice database has been updated with his name. This is a crucial step in the international effort to enquire about the group's activities, marking a decisive step in the effort to enshrine accountability for the group.  The data breach is the result of an attack on more than 500 organizations across North America, Europe, and Australia by means of Black Basta's ransomware-as-a-service model, which was active since April 2022 and caused hundreds of millions of dollars in damage in the process. Two suspects in western Ukraine, which were allegedly acting as hash crackers in order to help facilitate network intrusions, data theft, and ransomware deployment, were also announced by German authorities. The police seized digital devices and cryptocurrency during raids that are related to the incident, and are currently conducting forensic analysis of the evidence.  Official figures underscore the scale of the damage attributed to the group. An official press release from the German authorities stated that documented Black Basta attacks have caused prolonged operational disruptions at over 100 companies in Germany, as well as over 700 organizations worldwide, including hospitals, public institutions, and government agencies.  In Germany, it is estimated that losses will exceed 20 million euros in the next few years. Research conducted in December 2023 by blockchain analytics firm Elliptic and Corvus Insurance found that over the course of the past four years, the group accumulates at least $107 million in Bitcoin ransom payments, which has been determined to be paid by over 329 victims in 31 countries across the world.  A detailed analysis of blockchain transactions also revealed a clear financial and operational link between Black Basta and Conti, which supported the conclusions of law enforcement that this syndicate grew out of a well-established, interconnected cybercrime ecosystem that was well-established and interconnected.  In light of the scope and selectivity of Black Basta's operations, it is evident why it has been a top priority for law enforcement and security researchers to investigate. A number of victims have been confirmed, including Rheinmetall, Hyundai, BT Group, Ascension, ABB, the American Dental Association, U.K.-based outsourcing company Capita, the Toronto Public Library, the Yellow Pages Canada, and others.  These victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group, as well as the United States healthcare provider Ascension. According to the researchers, the group did not operate in an indiscriminate manner, but applied a targeted strategy based on geography, industry, and organizational revenue, while also closely tracking geopolitical developments in order to reduce the likelihood of retaliation from law enforcement agencies.  A ransomware operation known as Black Basta, which is characterized by a focus on large, high-revenue organizations with the ability to pay large ransoms, was known to be targeting large, high-revenue organizations. Based on internal communications, it appears that entities in both the United States and Germany were the most likely to pay a ransom.  There are 57 percent of victims in the United States who had reported a leak between April 2022 and January 2025, with Germany accounting for 12 percent, while additional victims were observed throughout Europe, Asia Pacific and the Americas as well.  Accordingly, that assessment is reflected in activity observed on the group's leak site. Several leaks of internal chats in the group have introduced rare insights into the group's internal structure, its financial management, and its extortion practices, which have strengthened efforts to identify key actors and disrupt their operations by exposing real-world names and financial transactions.  Despite the fact that Black Basta’s data leak site is currently offline, analysts warn that the group still has the resources and incentives to re-emerge, either by adopting a new name or partnering with other ransomware crews, illustrating how authorities continue to face challenges in dismantling entrenched cybercrime networks rather than simply disrupting them, even when the site is offline.  Together, these findings present a detailed portrayal of a ransomware operation that developed out of a fractured but resilient cybercrime ecosystem into a global enterprise that has far-reaching consequences. Having identified an alleged leader along with financial tracing, leaking internal communications, and coordinated international enforcement, German authorities state that the investigation has matured—with an emphasis not only on disruption, but also on attribution and accountability for ransomware.  It should be noted that while law enforcement actions have slowed Black Basta's visible activities, experts and officials agree that dismantling such networks will take years, especially when key figures are believed to be operating in jurisdictions that are beyond the reach of law enforcement officials.  In addition to demonstrating the extent of the harm caused by ransomware campaigns, the case also highlights the growing determination of governments to pursue those responsible, even through the broader cybercrime landscape continues to evolve, fragment, and resurface.

Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. In addition, the group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov (Нефедов Олег Евгеньевич), has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists, authorities

Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread