
When it comes to cybersecurity, it’s not uncommon to come across news stories that seem straight out of a science fiction movie. Yet, the reality is even more surprising and sometimes disturbing. The story of the two Ukrainian citizens suspected of being part of the Black Basta ransomware group is a clear example of how cyber threats are increasingly real and dangerous.
Ukrainian and German authorities have identified two Ukrainian citizens suspected of being part of Black Basta, a Russian-linked ransomware-as-a-service (RaaS) group.
According to the Ukrainian Cyber Police, the suspects specialized in technical hacking of protected systems and participated in the preparation of ransomware attacks. Specifically, the individuals acted as “hash crackers,” professionally extracting passwords from computer systems using specialized software. The obtained credentials were then used to infiltrate corporate networks, install ransomware, and demand ransoms for the recovery of encrypted data.
The group’s alleged leader, Oleg Yevgenievich Nefedov, a 35-year-old Russian citizen, has been placed on the European Union’s most wanted criminals list and among those designated as dangerous by INTERPOL. Authorities conducted searches of the suspects’ homes in Ivano-Frankivsk and Lviv, seizing digital devices and cryptocurrency assets.

Black Basta first emerged on the cyber threat landscape in April 2022. The group targeted over 500 companies in North America, Europe, and Australia, including several in Italy, amassing hundreds of millions of dollars in cryptocurrency through illicit payments, according to estimates.
In early 2025, internal chat logs from Black Basta covering a year of operations were leaked online, revealing details about its internal structure, key members, and vulnerabilities exploited to penetrate target organizations. These documents revealed that Nefedov led the group, using several aliases, including Tramp, Trump, GG, and AA. Some reports linked him to Russian political figures and intelligence agencies such as the FSB and GRU, connections he allegedly exploited to protect his operations and evade international justice.
The investigation also suggests a link between Nefedov and Conti, a now-disbanded ransomware group active since 2020 and the successor to Ryuk. In 2022, the U.S. State Department announced a $10 million reward for information on five Conti members, including Target, Tramp, Dandis, Professor, and Reshaev.

Following Conti’s retirement in 2022, Black Basta emerged as a standalone group alongside BlackByte and KaraKurt, while other former members joined the now-inactive BlackCat, Hive, AvosLocker, and HelloKitty.
According to the Federal Criminal Police Office (BKA), Nefedov managed all of the group’s operations: he decided on targets, assigned tasks, participated in ransom negotiations, and managed the funds obtained through extortion.
The data leaks led to an apparent inactivity of Black Basta starting in February 2025, with the sites disseminating stolen data being blocked. However, security experts point out that ransomware gang members tend to recycle into new groups or resurface under new identities. Analysis by ReliaQuest and Trend Micro indicates that several former Black Basta affiliates may have joined the CACTUS ransomware operation, with a spike in attacks observed in February 2025, coinciding with the shutdown of the Black Basta website.
