
Black Basta Internal Chat Logs Leaked

An unknown leaker, going by the alias ExploitedWhispers, has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation. Now removed, the stolen messages were originally uploaded to the MEGA file-sharing platform.

Since their removal from MEGA, ExploitedWhispers has uploaded them to a dedicated Telegram channel. It is unclear if ExploitedWhispers is a security researcher who gained access to Black Basta's infrastructure or a disgruntled affiliate.


According to a post on X by cyber threat intelligence company PRODAFT, the leak may have resulted from Black Basta targeting Russian banks.

The post went on to say,

As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors…Their ransomware is also considered less effective compared to other major groups. Earlier this year, key members left BLACKBASTA to join Cactus (Nurturing Mantis) ransomware or other cybercriminal groups…the internal conflict was driven by "Tramp" (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBOT. As a key figure within BLACKBASTA, his actions played a major role in the group's instability.

Lastly, the post stated,

On February 11, 2025, a major leak exposed BLACKBASTA’s internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks.

The leaked chat log shows conversations dating from September 18, 2023, to September 28, 2024. According to Bleeping Computer, the leaked messages contain a treasure trove of information, including phishing templates and the email addresses to send them to, cryptocurrency addresses, data drops, victims' credentials, and confirmation of tactics security researchers previously believed Black Basta employed.

Interestingly, the chats also contained 367 unique ZoomInfo links, which indicate the likely number of companies targeted during this period. Ransomware gangs, like Black Basta, use ZoomInfo sites to share information about a targeted company, internally or with victims during negotiations.

Who is Behind Black Basta

ExploitedWhispers also took to X to share even more information regarding their leaked content. The post dealt mainly with other Black Basta gang members of interest, including an individual who goes by Trump, who is believed to be the gang's commander-in-chief.

Information regarding the gang members has been included below:

  • "Lapa" is identified as one of the key administrators of Black Basta. ExploitedWhispers went on to state, "…Holding this high-trust position, Lapa is frequently insulted by his boss, who persistently demands major changes. The role causes Lapa significant stress, yet he earns significantly less compensation compared to others in the group. It appears that ransom payments might be an additional source of income for him to support his family during these difficult times. Under his administration, there was a brute force attack on the infrastructure of some Russian banks. So far, no actions seem to have been taken by law enforcement, suggesting that this situation could pose a serious problem and potentially provoke reactions from these authorities."
  • "Cortes" is believed to be associated with the Qakbot group, which attracted the attention of US intelligence services when American enterprises were targeted. ExploitedWhispers argues that when Black Basta conducted attacks on Russian banks, "Cortes" distanced himself from these actions, probably surprised that this Russian group would target its own country. This is possibly one of the reasons Qakbot doesn’t target Russian enterprises or individuals.
  • "YY" is also a main administrator of Black Basta according to ExploitedWhispers, who believes that under his administration, there was also a brute force attack on the infrastructure of some Russian banks. ExploitedWhispers is of the opinion that no measures have been taken by law enforcement, which could present a serious problem to Black Basta, which has already had senior members arrested.
  • "Trump" is believed to be the gang's current leader. ExploitedWhispers stated, "...It can be inferred that "GG", "AA", and "Trump" are all aliases used by Oleg Nefedov, the group's boss."

Another senior gang member, "Bio," was also mentioned as previously being part of the infamous Conti ransomware gang and working with Oleg Nefedov. ExploitedWhispers believes both individuals operate now under the Black Basta umbrella, but significant friction relating to ransomware operations exists between the two.

Black Basta emerged as a ransomware-as-a-service (RaaS) operation in 2022 and has claimed several high-profile victims. Said high-profile victims include Rheinmetall, Hyundai's European division, BT Group (formerly British Telecom), U.S. healthcare giant Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

It is believed that between 2022 and 2024, Black Basta affiliates breached over 500 organizations. Further, the gang made over 100 million USD in 2023 from the combined ransoms paid by over 90 victims. While the gang appears to have encountered some internal struggle, it still represents a significant danger to enterprises.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
