What Remains of Black Basta Now That Alleged Gang Leader Joined the Most Wanted List?

The Hacker News recently reported [1] that alleged Black Basta ransomware leader Oleg Evgenievich Nefedov has been added to the EU Most Wanted and INTERPOL Red Notice lists. Over time, Black Basta [2] affiliates have relied on phishing and vulnerability exploitation for initial access, followed by double extortion: encrypting systems and exfiltrating sensitive data. Victims were instructed to contact operators via Tor-based .onion portals and were typically given 10–12 days before data publication on the “Basta News” leak site.

Security researchers publicized 27 network IoCs [3] tied to a recent campaign [4]. We analyzed 18 IoCs, including 15 IP addresses and three verified domains, to uncover additional infrastructure and connections.

Using our homegrown tools to investigate the threat, we uncovered these findings:

  • Five unique potential victim IP addresses communicated with the 15 IP addresses identified as IoCs
  • 7,560 email-connected domains, 482 of which turned out to be malicious
  • Two additional IP addresses
  • Seven IP-connected domains
  • 1,572 string-connected domains, four of which turned out to be malicious

Note that we focused on only three of the 12 domains originally identified as IoCs after validating their legitimacy and responsiveness via Jake AI [5]. However, we retained the full list of 15 IP addresses tagged as IoCs for infrastructure pivoting.
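The workflow above (triage a published IoC list into usable IPs and domains, look for additional domains that share a distinctive string with the seed domains, and check which internal hosts talked to the IoC IPs) can be illustrated with a small defender-side script. The following is an added example written for this post; it is not WhoisXML API's tooling, and every indicator, candidate domain, flow record, and the `GENERIC_TOKENS` stoplist is a constructed assumption rather than data from the campaign.

```python
"""IoC triage and pivot helpers (added example, not WhoisXML API code).
All indicators, candidate domains and flow records are constructed sample data."""
import ipaddress
import re

# Hostname grammar: labels of letters/digits/hyphens, no leading/trailing hyphen, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Tokens too common to be useful pivots on their own (assumption: tune to your environment).
GENERIC_TOKENS = {"secure", "login", "support", "portal", "online", "update", "mail"}

# Constructed sample indicators: three IPs, two domains, two unusable entries.
SAMPLE_IOCS = [
    "203.0.113.10", "198.51.100.7", "2001:db8::1",
    "bastanews-leaks.test", "datarecovery-desk.test",
    "hxxp://not-a-bare-indicator", "-bad-.test",
]

# Constructed candidate domains (e.g. a newly-registered-domain feed) for the string pivot.
SAMPLE_CANDIDATES = [
    "bastanews2.test",           # shares the token "bastanews"
    "datarecovery-portal.test",  # shares the token "datarecovery"
    "bastanews-leaks.test",      # the seed itself, skipped
    "daily-news-recap.test",     # no distinctive token in common
    "secure-login.test",
]

# Constructed flow records: src,dst,dport,bytes
SAMPLE_FLOWS = [
    "# src,dst,dport,bytes (constructed)",
    "10.0.5.21,203.0.113.10,443,18233",
    "10.0.5.21,198.51.100.7,443,912",
    "10.0.7.3,2001:db8::1,443,4410",
    "10.0.9.9,192.0.2.44,80,300",
    "malformed line",
]


def classify_iocs(iocs):
    """Split raw indicators into validated IPs, syntactically valid domains, and rejects."""
    result = {"ip": [], "domain": [], "rejected": []}
    for raw in iocs:
        value = raw.strip().lower().rstrip(".")
        try:
            ipaddress.ip_address(value)
            result["ip"].append(value)
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(value):
            result["domain"].append(value)
        else:
            result["rejected"].append(raw)
    return result


def pivot_tokens(domain, min_len=6):
    """Distinctive strings from a seed domain: each non-TLD label split on hyphens and digits."""
    tokens = set()
    for label in domain.split(".")[:-1]:
        for token in re.split(r"[-0-9]+", label):
            if len(token) >= min_len and token not in GENERIC_TOKENS:
                tokens.add(token)
    return tokens


def string_connected(seed_domains, candidates, min_len=6):
    """Candidates sharing a distinctive token with any seed: dict of candidate -> shared tokens."""
    seeds = {d.lower() for d in seed_domains}
    matches = {}
    for cand in candidates:
        c = cand.lower()
        if c in seeds:
            continue
        shared = {t for seed in seeds for t in pivot_tokens(seed, min_len) if t in c}
        if shared:
            matches[c] = sorted(shared)
    return matches


def hosts_talking_to(flow_lines, ioc_ips):
    """Internal hosts whose flows reached an IoC IP: dict of source host -> sorted IoC IPs."""
    iocs = {ipaddress.ip_address(i) for i in ioc_ips}
    hits = {}
    for line in flow_lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip malformed records rather than aborting the sweep
        if dst in iocs:
            hits.setdefault(str(src), set()).add(str(dst))
    return {host: sorted(ips) for host, ips in hits.items()}


if __name__ == "__main__":
    triage = classify_iocs(SAMPLE_IOCS)
    print("IP IoCs:", triage["ip"])
    print("domain IoCs:", triage["domain"])
    print("rejected:", triage["rejected"])
    print("string-connected:", string_connected(triage["domain"], SAMPLE_CANDIDATES))
    print("hosts that reached IoC IPs:", hosts_talking_to(SAMPLE_FLOWS, triage["ip"]))
```

The string pivot deliberately drops short and generic tokens (`min_len` and `GENERIC_TOKENS`), because a match on "news" or "support" alone produces far more noise than signal; candidates it surfaces are leads for WHOIS, DNS and hosting checks, not confirmed malicious infrastructure.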

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

  • [1] https://thehackernews.com/2026/01/black-basta-ransomware-hacker-leader.html
  • [2] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
  • [3] https://otx.alienvault.com/pulse/67bdd8f7ef4e2e3e43204f78
  • [4] https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d
  • [5] https://jake.whoisxmlapi.com/