Alleged Black Basta leader identified; international manhunt launched with Europol and Interpol

Published. 4 min read.

The authorities of Ukraine and Germany have taken an important step in the long investigation against the ransomware group known as Black Basta: they have identified the person they consider its leader and have had him added to international wanted lists. This is a symbolic and operational blow, one that reflects both the maturity of international police cooperation and the difficulty of bringing cybercriminal gangs to justice.

According to information released by the Ukrainian cyberpolice, the investigation targeted a 35-year-old Russian citizen, identified by the authorities as Oleg Evgenievich Nefedov, to whom leadership of the operation is attributed. The same source describes the joint work with German colleagues and searches at specific locations in the Ivano-Frankivsk and Lviv regions, where digital storage devices and cryptocurrency assets were seized. The official statement by the Ukrainian police gives further details on the operation and the evidence collected.

Image generated with AI.

In addition, the identification has led to the alleged leader being placed on international wanted lists: his profile now appears among the targets published by Europol and in an Interpol notice. These tools are part of the arsenal that facilitates cooperation between police forces in different countries and helps coordinate arrests or the freezing of assets across the jurisdictions involved. Official links to these notices are available on the Europol and Interpol websites.

Black Suit is a clear example of how the "Ransomware-as-a-Service" (RaaS) model has professionalized these gangs and multiplied their impact. Since its inception in 2022, the operation has been linked to hundreds of attacks on large organizations around the world: automotive and defence companies, service providers, health institutions and public entities have been among the victims. This scheme lets developers, operators and specialized affiliates cooperate in a modular way, which complicates investigation and widens the scope of the damage.

The Ukrainian inquiry emphasizes the presence of individuals specialized in obtaining initial access to corporate networks: actors who, through "hash cracking" tools and techniques and other methods, extract credentials, escalate privileges and prepare the ground for the encryption and extortion phase. This preparatory phase is critical in the criminal chain because it allows the attacker to install backdoors and move laterally before detonating the visible attack on the victim's systems.

One element that helped shed light on the group's internal structure was the massive leak of messages exchanged between members of Black Basta itself, which allowed outside analysts to track aliases, discussions of roles and payouts, and possible links to earlier groups. Security researchers who reviewed this material have pointed to connections between online identities used by the gang and actors who previously operated within the Conti network, the large ransomware syndicate that broke apart a few years ago. A detailed analysis of these conversations and their technical significance can be read in the report published by Trellix.

Conti's history provides context: after its dissolution, dispersed members and leaders reappeared in new projects or took control of existing operations, creating an ecosystem in which names visible in one operation can reemerge under other brands. This dynamic complicates not only attribution but also any international mitigation strategy, because operators often add layers of obfuscation and move around by taking advantage of jurisdictions with little cooperation.

The police response included measures on the ground - searches, seizure of devices and freezing of certain resources - but the pursuit of these networks does not end with an international warrant: bringing the alleged perpetrators to trial requires letters rogatory, extraditions, in-depth forensic analysis and the willingness of multiple states to sustain lengthy proceedings. In addition, the transnational nature of cybercrime demands a combination of technical intelligence and judicial diplomacy.

Image generated with AI.

For companies and public administrations that may be targets, this case once again stresses the need to strengthen basic but effective measures: robust access controls, monitoring of privileged accounts, network segmentation and response plans that cover not only technical recovery but also legal and communications management. Experience shows that prevention and early detection dramatically reduce the operational and economic impact of incidents.
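The two footprints of the preparatory phase described above (credential attacks on an account, then a privileged account fanning out across hosts) are what "monitoring of privileged accounts" is meant to catch. As an added illustration, not code from the article or from any of the agencies or firms it cites, the following Python script runs two simple detectors over constructed authentication events; the event format, the host names and the privileged-account list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth events (not from the article): (time, account, src, dst, outcome).
EVENTS = [
    ("2024-03-01T09:00:00", "svc_backup", "ws-17", "fs-01", "success"),
    ("2024-03-01T09:01:10", "svc_backup", "ws-17", "db-02", "success"),
    ("2024-03-01T09:02:05", "svc_backup", "ws-17", "dc-01", "success"),
    ("2024-03-01T09:02:40", "svc_backup", "ws-17", "hv-01", "success"),
    ("2024-03-01T10:00:00", "jdoe", "ws-04", "fs-01", "success"),
    ("2024-03-01T11:00:00", "admin", "vpn-gw", "dc-01", "failure"),
    ("2024-03-01T11:00:02", "admin", "vpn-gw", "dc-01", "failure"),
    ("2024-03-01T11:00:04", "admin", "vpn-gw", "dc-01", "failure"),
    ("2024-03-01T11:00:09", "admin", "vpn-gw", "dc-01", "success"),
]
PRIVILEGED = {"svc_backup", "admin"}  # assumed inventory of privileged accounts
def parse(events):
    return [(datetime.fromisoformat(ts), acct, src, dst, out)
            for ts, acct, src, dst, out in events]

def fan_out_alerts(events, window=timedelta(minutes=5), max_hosts=3):
    """Privileged account reaching more than max_hosts distinct destinations
    inside one window: the footprint of lateral movement."""
    by_acct = defaultdict(list)
    for ts, acct, _src, dst, out in parse(events):
        if out == "success" and acct in PRIVILEGED:
            by_acct[acct].append((ts, dst))
    alerts = []
    for acct, rows in by_acct.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            hosts = {dst for ts, dst in rows[i:] if ts - t0 <= window}
            if len(hosts) > max_hosts:
                alerts.append((acct, len(hosts)))
                break
    return alerts

def brute_force_alerts(events, window=timedelta(minutes=1), min_failures=3):
    """Burst of failed logons followed by a success on the same account:
    consistent with password guessing or a cracked credential being used."""
    failures, alerts = defaultdict(list), []
    for ts, acct, _src, _dst, out in parse(events):
        if out == "failure":
            failures[acct].append(ts)
        elif out == "success":
            recent = [t for t in failures[acct] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append((acct, len(recent)))
            failures[acct].clear()
    return alerts
```

On the sample data the first detector flags svc_backup reaching four hosts in under five minutes and the second flags admin succeeding after three rapid failures; the thresholds are starting points to tune against a baseline of normal activity.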

Finally, the public announcement of the alleged leader's identification also sends a signal to the security community: it shows that investigations can bear fruit through the exchange of information between jurisdictions and collaboration with cybersecurity companies that analyse leaked material. However, partial success does not remove the permanent challenge posed by actors who, through cryptocurrencies, decentralized infrastructure and a strong culture of anonymity, continue to adapt to police responses.

For further information on primary sources and technical analysis, see the statement by the Ukrainian cyberpolice mentioned above, Trellix's study of the leaked chats, and the wanted notices published by Europol and Interpol.
