Flash Report: European Law Enforcement Raids Black Basta Actors’ Homes

Key Findings

• On January 15, 2026, law enforcement agencies from Ukraine and Germany raided the homes of two individuals suspected of conducting activities as part of the Black Basta ransomware collective.
• In addition to the raids, the alleged leader of Black Basta—a Russian individual identified as Oleg Evgenievich Nefedov—was placed on both EUROPOL’s Most Wanted list and Interpol’s Red Notice list.
• Black Basta first appeared in April 2022 and has likely conducted successful attacks against at least 500 companies across North America, Europe, and Australia. In that time, the collective has likely earned hundreds of millions of dollars in illicit ransom payments.
• ZeroFox assesses that Black Basta likely ceased operations in early 2025 and has not been active since. Initially, there were indications that Black Basta actors may have transitioned to the CACTUS ransomware group; however, CACTUS has also been inactive since mid-2025.

Details

On January 15, 2026, law enforcement agencies from Ukraine and Germany raided the homes of two individuals suspected of conducting activities as part of the Black Basta ransomware collective.¹ The raids took place in Lviv and Ivano-Frankivsk, in Western Ukraine, and were conducted as part of a larger Interpol investigation.

• Police seized evidence of cybercriminal activities at both locations, including digital storage devices and cryptocurrency assets.
• The two individuals (whom authorities have not named at this time) reportedly operated as “hash crackers” for Black Basta, specializing in extracting passwords from targeted systems using specialized software. This allowed Black Basta to access targeted companies’ internal systems, escalate privileges, steal data, and deploy ransomware.

In addition to the raids, the alleged leader of Black Basta (a Russian individual identified as Oleg Evgenievich Nefedov) was placed on both EUROPOL’s Most Wanted list and Interpol’s Red Notice list. Nefedov was likely also involved in the activities of another Russian-language ransomware collective known as Conti.

• In a series of texts with a contact named “Chuck” leaked in March 2025 by a Telegram user, Nefedov claimed Russian officials facilitated his escape from Armenian custody in June 2024.²

Black Basta first appeared in April 2022 and has likely conducted successful attacks against at least 500 companies across North America, Europe, and Australia. In that time, the collective has likely earned hundreds of millions of dollars in illicit ransom payments. Black Basta has reportedly extensively utilized the services of Media Land, a bulletproof hosting service sanctioned by the United States, United Kingdom, and the European Union in November 2025.³

ZeroFox assesses that Black Basta likely ceased operations in early 2025 and has not been active since. Initially, there were indications that Black Basta actors may have transitioned to the CACTUS ransomware group; however, CACTUS has also been inactive since mid-2025. 

In March 2025, cybersecurity researchers determined that Black Basta actors were using the same infrastructure as CACTUS, including:

• The BackConnect module for persistent control of infected systems; and
• Shared, verified credentials, which were likely sourced from the same information stealer logs.⁴

The cessation of activity by both Black Basta and CACTUS is likely due to European law enforcement agencies disabling the underlying QakBot malware strain both groups used in May 2025. As part of the ongoing EUROPOL Operation Endgame, over 300 servers were seized or taken offline, likely leaving Black Basta without a functional ransomware infrastructure.⁵

Law enforcement actions against cybercriminal groups tend to have only a short-term impact on the wider threat environment. Despite European actions against Black Basta, Oleg Nefedov remains free and is likely under some level of protection by Russian officials. Although the recent raids and the listing of Nefedov on most-wanted lists are significant, they are unlikely to have a lasting effect on Russian-sponsored ransomware threat actors. 

The cessation of operations for Black Basta (and CACTUS) is likely temporary. Following the law enforcement takedown of QakBot, Nefedov is very likely reconfiguring Black Basta’s infrastructure. ZeroFox assesses there is a roughly even chance that Black Basta ransomware activity will resume in 2026.

Recommendations

• Develop a comprehensive incident response strategy.
• Deploy a holistic patch management process, and ensure all IT assets are patched with the latest software updates as quickly as possible.
• Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
• Implement network segmentation to separate resources by sensitivity and/or function.
• Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
• Implement secure password policies, phishing-resistant multi-factor authentication (MFA), and unique credentials.

• Configure email servers to block emails with malicious indicators, and deploy authentication protocols to prevent spoofed emails.
• Proactively monitor for compromised accounts and credentials being brokered in deep and dark web (DDW) forums.
• Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).

Scope Note

ZeroFox Intelligence is derived from a variety of sources, including—but not limited to—curated open-source accesses, vetted social media, proprietary data sources, and direct access to threat actors and groups through covert communication channels. Information relied upon to complete any report cannot always be independently verified. As such, ZeroFox applies rigorous analytic standards and tradecraft in accordance with best practices and includes caveat language and source citations to clearly identify the veracity of our Intelligence reporting and substantiate our assessments and recommendations. All sources used in this particular Intelligence product were identified prior to 11:30 AM (EST) on January 22, 2026; per cyber hygiene best practices, caution is advised when clicking on any third-party links.

ZeroFox Intelligence Probability Scale 

All ZeroFox intelligence products leverage probabilistic assessment language in analytic judgments. Qualitative statements used in these judgments refer to associated probability ranges, which state the likelihood of occurrence of an event or development. Ranges are used to avoid a false impression of accuracy. This scale is a standard that aligns with how readers should interpret such terms.

1. hXXps://www.infosecurity-magazine[.]com/news/suspects-black-basta-ransomware/
2. hXXps://www.infosecurity-magazine[.]com/news/blackbasta-ransomwares-ties-russia/
3. hXXps://thehackernews[.]com/2026/01/black-basta-ransomware-hacker-leader.html
4. hXXps://thehackernews[.]com/2025/03/researchers-link-cactus-ransomware.html
5. hXXps://ransomware[.]org/blog/its-been-a-bad-week-for-ransomware-operators/