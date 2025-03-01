September 2020: An affiliate of the ransomware company REvil reveals the details of a cyber attack he carried out a few months earlier against the French company Elior. At the time, ransomware was already a significant threat, but nowhere near the scale it was about to take on. It was at this time, however, that journalists at Computer Weekly’s French sister site, LeMagIT, began to monitor developments on a monthly basis.

Some of the major players in this threat who are active today were already active at that time. The following account sheds new light on how they are likely to profit from their gains, as well as the level of protection they can claim - rightly or wrongly - to escape justice.

Yerevan, June 2024 On Friday 21 June 2024, on American Street in Yerevan, the adventure is about to take an unexpected turn for the man who appears to be one of them. Oleg Nefedov was arrested by the local police at 11am on the street in the Armenian capital that leads to the US embassy and runs alongside the river Hrazdan. At 1.30pm the next day, the public prosecutor requested that he be remanded in custody. In the meantime, Armenia had obtained and had translated the documents required for his extradition. He was the subject of an Interpol Red Notice - which was not made public. The hearing is scheduled for Monday 24 June at 10am. Sufficient, in theory. The Armenian media site 168.am, which reported the events, explains that the decision to remand him in custody must be made within 72 hours of the arrest - before 11am on 24 June. But the deadline was missed, for reasons that were not specified. At 4pm, Oleg Nefedov was released. The Prosecutor General's Office confirmed the facts in a press release dated 20 September. The news passed almost unnoticed. On 16 December 2024, a source contacted LeMagIT. He was positive that the man who used the pseudonym Tramp - a former member of the late Conti and one of the leaders of the Black Basta ransomware gang - was the same Oleg Nefedov who had been arrested in Yerevan at the end of the previous June: "I also know Tramp under the name Oleg Y. Nefedov", he says, adding that he used to work with him. "He has the best protection in Russia. He has friends in the security services. He even pays the FSB and the GRU", this source explains. These are the Russian intelligence services. "Nobody has that kind of money or that level of security anymore," the source added. This is indeed what Tramp, also known by the pseudonyms AA and GG, told one of his partners, dd, on 14 November 2022: "I have guys from Lubyanka [FSB headquarters in Moscow] and the GRU, I've been feeding them for a long time," according to a log of private exchanges that probably took place on the encrypted messaging service Tox. These exchanges were provided to LeMagIT on 30 December 2024, as well as to colleagues at German magazine Der Spiegel (see image, below). LeMagIT Tramp boasts contacts with the FSB and GRU. But is Tramp really Oleg? Other sources have said so, on condition of anonymity. There is plenty of evidence to support these assertions.

Tramp questioned An analysis of the activity associated with the pseudonym GG in exchanges on the Matrix instance of Black Basta is troubling - it shows a total absence of activity from 21 June 2024 to 2 July inclusive. When Tramp came back online on 3 July, he said he had a new computer and had changed his Telegram account. He explained that he had lost his previous computer, "and not just that. It's a long story", he says: "it's been difficult in real life. I don't know where to start..." But, as researcher and human intelligence specialist Liontamer pointed out, Tramp confided in gang member Chuck, whom he had known for "so many years", a few hours later: "The cops caught me". He mentions a reward for "information on TR [potentially Trickbot, but the pseudonym Tramp has also been openly designated by the American justice system]. 10 million". He goes on to say that he had seen his file, "but they didn't show me everything". He had to be extradited. LeMagIT Tramp says he called on high-level support to avoid extradition to the United States. The same day, Chuck says he wants a holiday: "Don't go anywhere. Stay at home", Tramp advises him. Chuck says he has booked tickets to Kaliningrad. Tramp insists: "We have to protect everyone now". Chuck finally gives up his plans: "I'm cancelling; I'm going to Karelia". Tramp explains that he has seen all the pseudonyms of the members of Black Basta in the file presented to him. He says he benefited from very high-level protection, "at the level of our number 1": "I managed to call. I just asked for a pass. They immediately took off for me".

Highly placed relations Any further details? "I can't say anything about how I got out and who helped. But I've been told that the number 1 knows me and that, without his agreement, they wouldn't have done anything," assures Tramp. Chuck then asked: "Putin, right?" Tramp would say no more. A.Savin - travail personnel, CC BY-SA 3.0 The Lubyanka building, headquarters of the FSB in Moscow. On 7 July, however, he became more talkative, indicating that his phone had been seized. He said that an unspecified "they" had "total access to Apple. They are connected to the whole planet. They know everything". As a result, "Apple is dead. [...] We have to clean everything up over there". But Chuck is worried: someone has told him that he is wanted by the US law enforcement agencies. Someone he pays every month to protect him in case the FSB come looking for him. He fears that the Russian services will "start to extort [them] or force [them] to work for them, in exchange for protection". He may have a point. On 16 September 2024, YY called Tramp. In doing so, he revealed an alias under which he was known for his activities with the late Conti: "Hi Tramp, it's bio. I've been released, sorry I couldn't warn you. The masked raiders nearly broke every bone in my body when they came in, but luckily I had time to disconnect from the server. LeMagIT Bio, an ex-Conti member, talks to Tramp about his run-ins with the police. According to him, it was a cryptocurrency exchange that betrayed him: "They couldn't find anything other than my last three transactions (around 3 btc). In short, they kept me in pre-trial detention and then released me. For the time being, I feel I'm being watched, so I'm keeping a low profile. It's a shame they confiscated the car and seized the house [...], but I hope to get them back soon. Bio will then request several payments of a few hundred dollars from Tramp. On 10 November 2024, he will consolidate 20 bitcoins at Kraken.

A lavish lifestyle Oleg will shortly be celebrating his 35th birthday. He comes from Iochkar-Ola, a town of over 260,000 inhabitants 850km east of Moscow and 60km from the Volga, capital of the Mari Republic. Alexxx1979 - travail personnel, CC BY-SA 4.0 Ioshcar-Ola, capital of the Mari Republic. He appears to have long had a keen interest in cryptocurrencies. An account on btc-e.com has been associated with him. This foreign exchange service suffered a data breach in 2014. In 2017, he worked at Bitsoft, which then presented itself as "the largest Russian company in the field of cloud-mining of Ethereum, Litecoin, and Zcash". He registered several domain names, including one in July 2017. LeMagIT tracked them down using historical Whois data and a phone number. The address? Iochkar-Ola. From this data, LeMagIT also found a telephone number that was, for a time, directly linked to the name “Mr Tramp” in TrueCaller, but also listed elsewhere as Oleg Nefedov, as well as the address associated with his Apple iCloud account. Oleg declares income from Bitsoft until 2021. Over the period, this income is hardly impressive: 60,000 roubles in 2017 and 2018, or around €900 a year. It's a little better in 2019, with more than 261,000 roubles, or around €3,600 at the average exchange rate for that year. After that, he will receive income from Polis, a company that will be wound up at the end of 2023. Bitsoft will suffer the same fate in August 2024. DAIMLER AG Mercedes-Benz G 63 AMG, an SUV for over €80,000. That didn't stop him from driving a BMW X6 M50D in 2019. In 2021, he was caught speeding in a Mercedes AMG S63 4MATIC - more than 60km/h over the limit. He also drove a Porsche Macan. In early 2024, he had the papers replaced on his Mercedes V-class van. At that time, he also had a Mercedes GLE 400 D 4MATIC. A few months earlier, he had the address changed for his G-Class AMG G63 SUV. Since at least 2022, Oleg has been investing in top-of-the-range lounges under a brand in which it owns a share of the intellectual property. The brand is present all over the world, from Dubai and Abu Dhabi to Baku, Moscow and Bali. At the end of August 2024, he founded a charity called Rodina - Motherland in Russian.

Tramp, golden boy of ransomware According to LeMagIT analysis, Tramp has at least 20 bitcoins to his name and controlled at least 2,000 in January 2023 - half a surprise. In autumn 2021, LeMagIT had tracked the millions of dollars in ransomware payments obtained by Conti over the preceding months. In November 2023, Elliptic and Corvus Insurance estimated that Black Basta had done no worse, collecting more than $100m in ransom payments in almost two years of activity. In France, Black Basta attacked Oralia in April 2022, followed by H-Tube, Villa Florek, Envea, Dupont Restauration and Baccarat. In all, more than 520 victims of Black Basta are publicly known, compared with more than 350 for Conti. In the exchanges provided at the end of December last year, Tramp was asked twice to make payments in bitcoins. At least one of the payments came from an address known to be controlled by Tramp. But Tramp, who is also known by the pseudonym "p1ja", didn't arrive in the world of ransomware with the appearance of Conti, the cyber-extortion business that fell apart in 2022, shortly after Russia invaded Ukraine. According to LeMagIT’s information, he has been involved in such activities for much longer. In extracts from private discussions between Tramp and ssd, in November 2022, there is a reference to a Windows system name: WIN-7PV24JSN83C. Red Hot Cyber noted this machine name in August 2022. LeMagIT observed it for 28 victims claiming to be LockBit - 2.0 and 3.0 - throughout that same year. Presumably corresponding to a hosted virtual machine, this name was not very widespread at the time - in August 2022, the specialist search engine Shodan counted around 200 occurrences, including more than 190 on IP addresses geolocated in Russia.