ZeroFox Intelligence Flash Report - European Law Enforcement Raids Black Basta Actors’ Homes

ZeroFox Intelligence Flash Report - European Law Enforcement Raids Black Basta Actors’ Homes

Product Serial: F-2026-01-23a

TLP:CLEAR

In this Flash report, ZeroFox researchers report on the recent European law enforcement efforts against the Black Basta ransomware collective.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Link to Download

View the full report here

Key Findings

• On January 15, 2026, law enforcement agencies from Ukraine and Germany raided the homes of two individuals suspected of conducting activities as part of the Black Basta ransomware collective.
• In addition to the raids, the alleged leader of Black Basta—a Russian individual identified as Oleg Evgenievich Nefedov—was placed on both EUROPOL’s Most Wanted list and Interpol’s Red Notice list.
• Black Basta first appeared in April 2022 and has likely conducted successful attacks against at least 500 companies across North America, Europe, and Australia. In that time, the collective has likely earned hundreds of millions of dollars in illicit ransom payments.
• ZeroFox assesses that Black Basta likely ceased operations in early 2025 and has not been active since. Initially, there were indications that Black Basta actors may have transitioned to the CACTUS ransomware group; however, CACTUS has also been inactive since mid-2025.