German Authorities Add Alleged Black Basta Ringleader to EU Most-Wanted List
German law enforcement added Oleg Evgenievich Nefedov/Nefekov, a 35-year-old Russian national, to the EU’s most-wanted list in connection with the Black Basta ransomware operation. German prosecutors and the Federal Criminal Police Office (BKA) allege he founded and led the group, acting as a “managing director” who selected targets, recruited and tasked members, participated in ransom negotiations, and managed extortion proceeds used to pay affiliates.
Authorities attribute to Black Basta a large global victim set since at least early 2022; reporting cites BKA estimates of roughly 700 organizations attacked worldwide and external researcher estimates of $100M+ in extortion payments by the end of 2023. The manhunt follows broader disruption and scrutiny of the group after an internal leak reportedly contributed to Black Basta ceasing activity, and the EU listing includes multiple alleged aliases (e.g., tramp, tr, gg, AA, kurva, Washingt0n, S.Jimmi) tied to the suspect’s role in developing and operating the ransomware and related malware used for intrusion, data theft, and encryption-based extortion paid in cryptocurrency.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Nefedov added to EU Most Wanted and Interpol wanted lists
German authorities placed Oleg Nefedov on the EU Most Wanted list and said Interpol issued a Red Notice for him, seeking public tips on his whereabouts, travel, contacts, and online accounts. Authorities believe he is likely in Russia, though his exact location is unknown.
Germany names Oleg Nefedov as alleged Black Basta leader
Germany's BKA and Frankfurt prosecutors publicly identified Russian national Oleg Evgenievich Nefedov as the suspected founder and leader of Black Basta. They accused him of developing the ransomware, selecting targets, recruiting members, participating in ransom negotiations, and managing cryptocurrency proceeds.
Two Ukrainian suspects identified as Black Basta 'hash crackers'
Investigators identified two Ukrainian suspects accused of supporting Black Basta by extracting passwords from stolen data, stealing credentials, and escalating privileges to prepare ransomware attacks. Authorities said their work enabled intrusions, data theft, and malware deployment against victims.
Germany and Ukraine raid suspects linked to Black Basta
Ukrainian and German law enforcement conducted coordinated searches in the Ivano-Frankivsk and Lviv regions targeting alleged Black Basta members. Authorities seized digital devices, notes, and cryptocurrency assets for forensic analysis as part of the investigation.
Black Basta activity declines after leak exposure
Following the 2025 internal leak, Black Basta reportedly became inactive, removed its leak site, and ceased activity in a collapse compared by some reporting to Conti’s post-leak downfall. Some affiliates were reported to have shifted to other operations such as CACTUS.
Black Basta extorts organizations in Germany and worldwide
Between March 2022 and February 2025, German authorities say Black Basta extorted more than 100 companies and institutions in Germany and roughly 600 to 700 organizations worldwide. Reported losses in Germany exceeded €20 million, with hospitals and public institutions among the victims.
Black Basta internal chats are leaked
Internal Black Basta chat logs and related data were leaked in early 2025, exposing operational details, member aliases, and technical information used by researchers and investigators. The leak was later cited as key evidence linking Oleg Nefedov to the group’s leadership.
Black Basta ransomware operation emerges
Black Basta began operating as a ransomware-as-a-service group in 2022, with multiple reports placing its emergence in early 2022 or April 2022. Authorities later tied the group to hundreds of extortion incidents worldwide involving data theft and system encryption.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
The Good, the Bad and the Ugly in Cybersecurity - Week 4
sentinelone.com
Open sourceBlack Basta’s alleged ringleader identified as authorities raid homes of other members | CyberScoop
cyberscoop.com
Open sourceLaw enforcement tracks ransomware group blamed for massive financial losses - Help Net Security
helpnetsecurity.com
Open sourceFahndung nach Kopf von Black Basta | CSO Online
csoonline.com
Open sourceGerman cops add Black Basta boss to EU most-wanted list • The Register
go.theregister.com
Open sourceGerman cops add Black Basta boss to EU most-wanted list • The Register
theregister.com
Open sourceFormer Conti member, now known as “Devman,” added to Interpol’s wanted list (updated) - DataBreaches.Net
databreaches.net
Open sourceFormer Conti member “Tramp,” now known as “Devman,” added to Interpol’s wanted list - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Germany Identifies Alleged REvil and GandCrab Leader Behind 130 Ransomware Attacks
Germany's Federal Criminal Police Office (**BKA**) identified 31-year-old Russian national **Daniil Maksimovich Shchukin** as `UNKN`/`UNKNOWN`, the alleged leader and public face of the **GandCrab** and **REvil** ransomware operations, and named **Anatoly Sergeevitsch Kravchuk**, 43, as an alleged developer. Authorities said the pair were involved in ransomware activity from early 2019 through at least July 2021 and linked them to **130 attacks in Germany**, including about **25 cases** that generated roughly **€1.9 million** in ransom payments and caused more than **€35 million** in economic damage. German investigators described GandCrab and REvil as highly organized **ransomware-as-a-service** enterprises that helped popularize **double extortion** and relied on affiliates, access brokers, malware obfuscation providers, and money-laundering support. REvil was among the most prolific ransomware groups, hitting major victims including **JBS** and **Kaseya**, before collapsing under mounting law-enforcement pressure after the FBI infiltrated its infrastructure; the gang briefly resurfaced before disappearing in late 2021, followed by affiliate arrests in Romania and a broader disruption announced by Russia's **FSB** in 2022.
Apr 6, 2026
German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption
German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (**BND**) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US **NSA** for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.” Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the **Conti** ransomware ecosystem. A third item—a *Citizen Lab* job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.
Mar 21, 2026
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
Apr 12, 2026