Russian Ransomware Boss escaped from courtroom in Armenia
Image by Cybernews.
Alleged Black Basta ransomware boss Oleg Nefedov, wanted by Interpol and the US authorities, was arrested in Armenia for 72 hours. The judge struggled to issue a temporary detention decision in time, and the cybercriminal went for a walk and disappeared. Later, the crime ring leader bragged about “very high-level” friends.
Intel 471, a cyber threat intelligence company, connected more dots tying the persona of Basta Ransomware gang leader, known as GG (tramp, usernamegg), to Oleg Nefedov.
Black Basta’s internal messages were recently leaked, revealing many intricacies about the ransomware gang’s operations.
At a certain point, between June 21st, 2024, and July 3rd, 2024, the messages from the leader GG stopped. When GG reappeared, in a private conversation with another gang member, the leader told about the arrest by law enforcement officers and an escape with the help of high-level officials.
The events overlapped with reports from Armenia about the arrest and escape of a 34-year-old Russian citizen man, Oleg Nefedov, wanted by the US authorities and Interpol.
According to a report by an Armenian news outlet, 168.am, Nefedov was detained for 72 hours on June 21st, 2025, at 11:00 a.m. The prosecutors submitted a request for temporary detention to the court.
The court scheduled a “last minute” hearing three days later, just hours before the criminal’s arrest period expiration. The judge did not make a decision within the 72-hour timeframe. Nefedov’s attorney petitioned for the hearing to be adjourned for 15 minutes.
Nefedov was released for a walk and escaped from the courthouse during his hearing. He left in a vehicle while court officials and police were present.
“After Nefedov’s escape, he (the judge) himself came down from his office and announced the decision to arrest him,” Civilnet.am, an Armenian publication, reports.
Oleg Nefedov has not been found, and the judge has faced disciplinary action.
However, later, back in Moscow, the Black Basta leader shared vacation memories.
“How did they get you out? Did you pay a lot?” a gang member, Chuck, asked.
“Remember when I said I had friends at a really high level; this is the level of our first,” GG responded. “I’ve just managed to call him.”
In subsequent messages, GG claimed he asked for a “green corridor,” and “they immediately flew out for” him. GG mysteriously mentioned that he couldn’t say how he was pulled out and who helped him. However, the ‘first’ knows about him.
GG claims in the chats that they have help from a person who runs “big corporations” and could provide trouble-free passage through immigration thanks to another high official – referred to as the “number one” – who was aware of GG’s predicament.
“This type of connection with the state would not be unheard of for a high-ranking cybercrime player,” Intel 471 researchers explain.
“Russia’s intelligence services and the cybercriminal underground have long maintained relationships, with the former leaning on the latter for operational support under a quid pro quo arrangement: Underground actors can continue their activity without repercussions as long as they cooperate with the state.
The anonymous leaker of Black Basta chats on Telegram, who uses the moniker ExploitWhispers, previously suggested that GG and “tramp” might be the aliases for the same individual, Oleg Nefedov.
The preliminary research into the leaked conversations indicates that GG rented at least two offices in Moscow, Russia, where developers, malware operators, and network intruders were based.
The leak reveals that GG, together with Chuck, a developer and operator of Qakbot (Qbot) malware, allegedly purchased property in Dubai, United Arab Emirates. GG coordinated the group’s daily operations, hired new members, interacted with affiliates and partners, and supervised budgeting and finance activities.
