German Authorities Identify Black Basta Ringleader, Now Added to EU Most-Wanted and Interpol Red Notice Lists
Published
Key Takeaways
- International Manhunt: German authorities added a Russian national to the EU's most-wanted list for his alleged role as the founder and leader of Black Basta.
- Widespread Impact: Since emerging in 2022, Black Basta has been linked to ransomware attacks on approximately 700 organizations globally.
- Operational Role: Nefekov is accused of selecting targets, recruiting affiliates, leading ransom negotiations, and managing the proceeds of the illicit activities.
German federal police have placed Oleg Evgenievich Nefekov, a 35-year-old Russian national, on the EU most-wanted list, identifying him as the spearhead of the notorious Black Basta ransomware operation. The individual is now also on INTERPOL's Red Notice list.
Nefekov is accused of being the "founder and ringleader" of the group, making him responsible for a string of attacks that have impacted hundreds of organizations worldwide since Black Basta's emergence in 2022.
The Rise and Fall of a Ransomware Kingpin
According to German authorities, Oleg Nefekov directed all aspects of the group's activities. He reportedly was arrested in Armenia in 2024 but allegedly escaped custody, and is currently believed to be residing in Russia.
“The wanted individual, as ringleader, supported the ongoing use of the Black Basta ransomware and other malware, through which the group infiltrated foreign computer systems, stole data, and encrypted systems in order to demand a ransom, payable in cryptocurrencies, for decryption,” the German police announcement said.
An analysis of the group's internal chat leaks by security researchers linked Nefekov to multiple online aliases – "tramp," "tr," "gg," "kurva," "AA," "S.Jimmi," and "Washingt0n." His responsibilities allegedly included target selection, affiliate recruitment, and direct participation in ransom negotiations.
The naming of this ransomware kingpin comes after the group ceased operations following a major internal data leak in 2025. Conti and Trickbot details also leaked last year.
Cybersecurity Implications of Targeting Leadership
Black Basta rapidly filled the vacuum left by the 2024 LockBit disruption, quickly becoming a dominant force in the ransomware-as-a-service (RaaS) landscape. The group is estimated to have extorted around 700 companies worldwide, the EU website said.
The “Tramp” alias is believed to be linked to Conti, alongside “Target,” “Reshaev,” “Professor,” and “Dandis,” according to the 2022 U.S. Department of State's reward announcement.
Early last year, Sophos researchers discovered that two ransomware actors leveraged Microsoft 365 services and exploited default MS Teams configurations to breach organizations' systems and deploy Black Basta. A new campaign soon after saw Black Basta and Cactus Ransomware using MS Teams, Quick Assist, and BackConnect.
In September 2025, researchers linked the new CountLoader malware to BlackBasta, LockBit, and Qilin.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular