Lizzie Clark

January 20th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s cybersecurity and dark web news stories cover BlackBasta’s founder being placed on a most-wanted list, Microsoft disrupting a global cybercrime subscription service, and “R1Z” entering a guilty plea.

BlackBasta Founder on German Authorities “Most Wanted” List

In a significant operation targeting one of the world’s most active cybercrime groups, law enforcement agencies from Germany, the Netherlands, Switzerland, Ukraine, and the United Kingdom have announced raids on suspected members of the notorious BlackBasta ransomware group. Authorities have also circulated an international arrest warrant for the alleged founder and ringleader, a Russian national.

German authorities stated that BlackBasta, a “transnational hacker group” active since March 2022, has amassed over 600 victims worldwide, primarily in the West, collecting hundreds of millions of dollars in cryptocurrency ransom payoffs. The group, which targeted critical infrastructure, including healthcare, is believed to have over 20 active members.

Police publicly identified the group’s suspected leader as 35-year-old Russian national Oleg Evgenievich Nefedov. He remains at large and has been placed on Interpol’s international most-wanted list, though he is believed to be in Russia. Germany’s Federal Criminal Police Office (BKA) said Nefedov was responsible for selecting targets, recruiting members, managing ransoms, and assigning tasks. Leaked chat messages revealed his identity and tie him to aliases such as Trump/Tramp, GG, and AA. The messages also suggest he was an active member of the REvil and Conti groups and is allegedly protected by high-ranking Russian political figures and the FSB and GRU agencies.

In conjunction with German law enforcement, Ukrainian police searched the homes of two suspected members in the Ivano-Frankivsk and Lviv regions last week, seizing computers, phones, bank records, cash, and cryptocurrency. These two individuals reportedly specialized in hacking systems, gaining initial access, stealing sensitive data, and infecting endpoints with ransomware – a role described as “hash crackers.”

This follows a separate operation last August near Kharkiv, where a different suspected member was questioned. This individual was suspected of acting as a “crypter,” ensuring the malware used was not detected by antivirus programs.

BlackBasta is a spin-off from the Conti group, formed in April 2022 after Conti’s leadership publicly backed Russian President Vladimir Putin’s invasion of Ukraine, which caused ransom payments to dry up. Police investigations are continuing, with digital forensic investigators reviewing seized devices. The BKA is urging the public to share any pertinent intelligence on Nefedov or other suspects.

Microsoft Disrupts Global Cybercrime Subscription Service

Microsoft, in a joint operation with international law enforcement, including German authorities and Europol, has successfully disrupted and taken offline RedVDS, a global cybercrime subscription service. The action includes coordinated legal proceedings launched for the first time in both the United States and the United Kingdom, marking a major step toward dismantling networks fueling AI-enabled fraud.

RedVDS operated as a “cybercrime-as-a-service” platform, offering criminals access to cheap, disposable virtual computers running unlicensed software for as little as US $24 a month. This service made large-scale, anonymous, and cross-border fraud accessible and scalable, becoming a key driver in the recent surge of cyber-enabled crime.

The malicious service has been linked to approximately US $40 million in reported fraud losses in the U.S. alone since March 2025. Victims include:

  • H2-Pharma: An Alabama-based pharmaceutical company that lost over $7.3 million, funds intended for lifesaving medical treatments.
  • Gatehouse Dock Condominium Association: A Florida organization tricked out of nearly $500,000 contributed by residents for essential property repairs.

Both organizations have joined Microsoft as co-plaintiffs in the civil action.

RedVDS was utilized for a wide array of criminal activities, including high-volume phishing and hosting scam infrastructure. Attackers frequently combined RedVDS with generative AI tools to:

  • Identify high-value targets faster.
  • Create more realistic, multimedia message email threads mimicking legitimate correspondence.
  • Augment deception using face-swapping, video manipulation, and voice cloning AI tools to impersonate individuals.

In one month, over 2,600 distinct RedVDS virtual machines were observed sending an average of one million phishing messages per day to Microsoft customers. Since September 2025, RedVDS-enabled attacks have compromised or fraudulently accessed over 191,000 organizations worldwide. The true financial and emotional toll is estimated to be far higher than the directly observed $40 million, as fraud often goes unreported.

R1Z Pleads Guilty to Selling Access to Computer Networks

A Jordanian national, Feras Khalil Ahmad Albashiti, 40, has pleaded guilty in a New Jersey federal court for his role as an “access broker” who sold unauthorized access credentials to the computer networks of at least 50 victim companies.

Albashiti, who operated online under the moniker “r1z,” admitted to using an online forum to sell illicit access, including a May 2023 instance where he sold unauthorized network access to an undercover law enforcement officer in exchange for cryptocurrency. Albashiti was extradited from the Republic of Georgia in July 2024.

He pleaded guilty to fraud and related activity in connection with access credentials, a charge that carries a maximum penalty of 10 years in prison and a fine of up to $250,000. His sentencing is scheduled for May 11, 2026, following an investigation led by the Federal Bureau of Investigation (FBI) in Newark.