Black Basta exposed: A look at a cybercrime data leak | Intel 471

On Feb. 11, 2025, a mysterious leaker going by the Telegram username ExploitWhispers released one year's worth of internal communications between members of the Black Basta ransomware group on a Telegram channel. Black Basta is still active in a reduced capacity, but in 2022 it was the third most impactful ransomware group. Its members appeared to be experienced Russian-speaking ransomware and cybercrime veterans, some of whom worked with the infamous Conti ransomware-as-a-service (RaaS) group. The 197,000 chat messages are drawn from 80 different chatrooms on Matrix servers hosted on six domains. The leak rivals the chat leak that affected the Conti ransomware gang in late February 2022, and Black Basta's leak provides similar insight to Conti's. Black Basta is a polished ransomware group that carefully studied potential victims, ran sophisticated phishing and malware campaigns, and employed a range of people for support, including call services, malware development, initial access, crypters and penetration testing. The messages reveal a range of technical data that formed Black Basta's operations, including cryptocurrency wallets, domain names, indicators of compromise (IoCs), tools and techniques. But the chats also reveal discord in the group, petty quarrels and tangible worries of getting caught by international law enforcement. One key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people, a situation that is explored further in this piece.

This blog post will explore high-level insights drawn from the messages. Intel 471 plans to release a series of reports looking at this gang's tactics, techniques and procedures (TTPs), including phishing, social engineering, vulnerabilities exploited and lateral movement, as well as a look at identified victims, cryptocurrency payment flows and possible real-world identities of threat actors.

ExploitWhispers is the username for someone who was the administrator of a Telegram chat group called Шепот Басты (Eng. Basta Whisper). The informant claimed gang members were "crossing the line," which referred to their alleged attacks on Russian financial institutions, as a reason for the leak. These attacks have yet to be verified.

The chat logs reveal most group members used a consistent format for Matrix aliases, which included a username and a two-letter alias, such as the "tt" suffix, while some others had custom handles. It is possible core team members, in-house developers and system administrators used standard handles, and the Black Basta group's affiliates and partners used custom handles. However, this is a working hypothesis at the time of this report.

The exposed internal communications also reveal several actors with managerial roles in the gang's operations. For example, usernamegg aka GG was a senior manager and team leader. The conversations indicate usernamegg coordinated the group's daily operations, hired new members, interacted with affiliates and partners, and supervised budgeting and finance activity. We believe this actor also goes by "tramp."

Another leading member of the Black Basta group, the actor tinker, negotiated with victims, managed call centers and supervised other activities. The actor allegedly had the same role in the Conti group previously. The actor tinker revealed an affiliation with the BlackSuit aka Royal ransomware group, a spin-off of Conti's Team 2 subgroup, and admitted to working as a Royal negotiator.

Our preliminary research indicated usernamegg rented at least two offices in Moscow, Russia, where developers, malware operators and network intruders were based. The actor also mentioned an influential ally who was a high-ranking employee at a large company and provided protection against possible law enforcement action.

The gang's key members frequently expressed operational security (OPSEC) concerns, were afraid their infrastructure and systems could be compromised, and worried that personal data might be exposed in response to Black Basta gang members' attacks on critical infrastructure.

For example, the actor w used a conversation with usernamegg to claim the OPSEC measures included using a remote desktop, multiple layers of The Onion Router (Tor) and virtual private network (VPN) connections, and disk encryption.

The chat leak contains no messages from usernamegg between June 21, 2024 and July 3, 2024. On that day, the actor reappeared, making the comment "I am here. I'll tell you all about it when you get here." In a private conversation with chuck, usernamegg disclosed that they were apprehended once by law enforcement officers, but high-level officials helped usernamegg escape.

The chat reads (translated from Russian):

@chuck:talks.icu: how did they get you out?
@chuck:talks.icu: did you pay a lot?
@usernamegg:matrix.bestflowers247.online: remember when I said I had friends at a really high level? this is the level of our first
@usernamegg:matrix.bestflowers247.online: I've just managed to call him

usernamegg's absence in the chats overlaps with a report in an Armenian news outlet of a man who was arrested and purportedly wanted by the U.S. On June 24, 2024, an Armenian news outlet, 168.am, reported that a 34-year-old identified as Oleg N. had been arrested on June 21, 2024, related to charges filed in the U.S. state of Washington.

This arrest surfaced again in the same news outlet on Sept. 20, 2024. The story identifies the man as Oleg Nefedov and claims he was wanted by the U.S. on an Interpol notice but was no longer in custody. The story claims that after Nefedov's arrest, a judge found the prosecutor did not present a translation of the Interpol notice to Nefedov. The prosecutor argued it was not required. The article says Nefedov was released within 72 hours of his arrest, which appears to be the period in which a court must make a decision on whether to continue to detain someone, and that Nefedov's whereabouts are unknown.

The story continued to evolve. On Sept. 30, 2024, 168.am reported that disciplinary action was being considered against the judge in Nefedov's case, Artush Gabrielyan, for allegedly waiting too long to hold Nefedov's detention hearing. Nefedov, the story contends, is a Russian man wanted by the U.S. in connection with fraud worth several billion. After the detention period expired at 4 p.m. on June 24, 2024, Nefedov's attorney petitioned for the hearing to be adjourned for 15 minutes, and Nefedov left the court, the publication reported. On Oct. 10, 2024, the Armenian publication CivilNet published a story contending that disciplinary action had been undertaken against Gabrielyan.

The Oleg Nefedov persona ties together with claims in the Black Basta chats made by the leaker ExploitWhispers. ExploitWhispers suggested the actor Bio had identified the actor GG aka usernamegg as tramp, and speculated AA, GG and tramp might be aliases for the same individual, who possibly used the Oleg Nefedov persona.

Intel 471 continues to investigate the news stories and the claims around the Oleg Nefedov and usernamegg personas. Chat leaks can illuminate much about a group, but they can also present ambiguous information that is difficult to verify.

The identity of the person usernamegg refers to as "level of our first" and "him" in Figure 1 is unclear, but it suggests someone in a position of influence and authority. In the chats, usernamegg claims the person runs big corporations and could provide trouble-free passage through immigration thanks to another high official, referred to as "the number one," who was aware of usernamegg's predicament.

This type of connection with the state would not be unheard of for a high-ranking cybercrime player. Russia's intelligence services and the cybercriminal underground have long maintained relationships, with the former leaning on the latter for operational support under a quid pro quo arrangement: underground actors can continue their activity without repercussions as long as they cooperate with the state. The foundation for these relationships is institutionalized corruption, where the state, which has the power to conduct raids, audits and other forms of harassment, can coerce cybercriminal actors into paying protection money, participating in state-directed cyber operations such as espionage or data theft, and supporting state narratives through hacktivist or misinformation campaigns. These relationships have been described in public documents, such as the FSB tasking of cybercriminal actors to breach Yahoo email accounts in 2014, in U.S. sanctions levied against the Trickbot actors who were related to Conti, and the use of the GameOver Zeus botnet to search for sensitive data on Ukrainian computers.

Other potentially identifying information emerged in the chats. Both chuck, who apparently developed and operated Qbot aka Qakbot malware, and usernamegg allegedly purchased property in Dubai, United Arab Emirates (UAE). The actor chuck also claimed in messages around July 2024 to have communicated with criminal defense attorney Arkady Bukh about the legal risks of residing in the UAE. The actor chuck subsequently expressed the view that the risks of being arrested as a result of an Interpol notice were low.

The Black Basta gang attacked at least 165 organizations in 2022 but is off to a slower start this year: Intel 471 has recorded only eight victims so far. The chat messages broadly reveal discord within the group, suggesting this could be a reason for the low number of successful attacks. Chat leaks contributed to the decline of the Conti ransomware group, as the security lapse that led to it drove waning confidence among affiliates. Nonetheless, these threat actors are veteran ransomware attackers, and it is likely that if Black Basta completely dissolves, group members will reintegrate themselves into other ransomware operations, which makes this intelligence valuable. Intel 471 will continue to analyze the messages.
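The handle convention noted earlier in this post (a literal "username" prefix followed by a two-letter alias for core members, custom handles for everyone else) is the kind of observation an analyst would want to apply mechanically across a chat export before trusting it. The Python below is an added example written for this article; it is not Intel 471's tooling and is not code from the leak. It assumes an export where each message is one "sender text" line with a Matrix-style sender ID (@localpart:server), and the homeserver names and message lines in CHAT_SAMPLE are constructed placeholders, not data from the leak.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Matrix user IDs look like @localpart:server[:port]. The localpart charset here
# follows the Matrix spec's recommended set (lowercase letters, digits, . _ = - / +);
# historical IDs can contain other characters, so this is a deliberate simplification.
_MXID_RE = re.compile(
    r"^@(?P<local>[a-z0-9._=/+-]+):(?P<server>[A-Za-z0-9.-]+(?::\d{1,5})?)$"
)

# The post's working hypothesis: "standard" handles are the literal prefix
# 'username' plus a two-letter alias (usernamegg, usernamett, ...).
_STANDARD_RE = re.compile(r"^username(?P<alias>[a-z]{2})$")


@dataclass(frozen=True)
class Handle:
    localpart: str
    server: str
    alias: Optional[str]  # two-letter alias when the handle follows the standard form
    kind: str             # "standard" or "custom"


def parse_matrix_id(mxid: str) -> Handle:
    """Split a Matrix user ID and classify it against the post's naming hypothesis."""
    m = _MXID_RE.match(mxid.strip())
    if m is None:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    local, server = m.group("local"), m.group("server")
    s = _STANDARD_RE.match(local)
    if s:
        return Handle(local, server, s.group("alias"), "standard")
    return Handle(local, server, None, "custom")


def parse_chat_line(line: str) -> Optional[Tuple[Handle, str]]:
    """Return (sender, text) for a 'sender text' line, or None for non-message lines."""
    sender, _, text = line.partition(" ")
    if not sender.startswith("@"):
        return None
    try:
        return parse_matrix_id(sender), text.strip()
    except ValueError:
        return None


def summarize(lines: Iterable[str]) -> dict:
    """Count distinct senders by handle kind and by homeserver."""
    kinds: Counter = Counter()
    servers: Counter = Counter()
    seen = set()
    for line in lines:
        parsed = parse_chat_line(line)
        if parsed is None:
            continue
        handle, _ = parsed
        if handle in seen:
            continue  # count each distinct sender once
        seen.add(handle)
        kinds[handle.kind] += 1
        servers[handle.server] += 1
    return {"kinds": dict(kinds), "servers": dict(servers), "senders": len(seen)}


# Constructed sample export (placeholder homeservers; the aliases mirror the post's naming).
CHAT_SAMPLE = """\
@usernamegg:homeserver-a.example remember when I said I had friends at a really high level
@chuck:homeserver-b.example how did they get you out
@chuck:homeserver-b.example did you pay a lot
@usernamett:homeserver-a.example checking the new build
@tinker:homeserver-a.example call center is on it
@w:homeserver-c.example remote desktop, tor, vpn, full disk encryption
-- system notice: room created --
""".splitlines()

if __name__ == "__main__":
    for line in CHAT_SAMPLE:
        parsed = parse_chat_line(line)
        if parsed:
            h, _ = parsed
            print(f"{h.localpart:<12} {h.server:<22} {h.kind:<8} alias={h.alias}")
    print(summarize(CHAT_SAMPLE))
```

The per-server tally is the useful part: if the hypothesis holds, the "standard" handles should cluster on the homeservers the core team ran, while "custom" handles spread across partner infrastructure, which is a cheap way to test the hypothesis before relying on it.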