Black Basta ransomware gang's internal chat logs leak online

February 21, 2025

Data leak

An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation.

ExploitWhispers, the individual who previously uploaded the stolen messages to the MEGA file-sharing platform, which are now removed, has uploaded it to a dedicated Telegram channel.

It's not yet clear if ExploitWhispers is a security researcher who gained access to the gang's internal chat server or a disgruntled member.

While they never shared the reason behind this move, cyber threat intelligence company PRODAFT said today that the leak could directly result from the ransomware gang's alleged attacks targeting Russian banks.

"As part of our continuous monitoring, we've observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors," PRODAFT said.

"On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks."

*Black Basta ransomware chat leak (BleepingComputer)*

The leaked archive contains messages exchanged in Black Basta's internal chat rooms between September 18, 2023, and September 28, 2024.

BleepingComputer's analysis of the messages shows they contain a wide range of information, including phishing templates and emails to send them to, cryptocurrency addresses, data drops, victims' credentials, and confirmation of tactics we previously reported on.

The leaked chats also contain 367 unique ZoomInfo links, which indicate the likely number of companies targeted during this period. Ransomware gangs commonly use the ZoomInfo site to share information about a targeted company, internally or with victims during negotiations.

ExploitWhispers also shared information about some Black Basta ransomware gang members, including Lapa (one of the operation's admins), Cortes (a threat actor linked to the Qakbot group), YY (Black Basta's main administrator), and Trump (aka GG and AA) is believed to be Oleg Nefedovaka, the group's boss.

Who is Black Basta?

The Black Basta Ransomware-as-a-Service (RaaS) operation emerged in April 2022 and has claimed many high-profile victims worldwide, including healthcare companies and government contractors.

Some of their victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group(formerly British Telecom), U.S. healthcare giant Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.

As CISA and the FBI revealed in a joint report issued last May, Black Basta affiliates breached over 500 organizations between April 2022 and May 2024.

According to joint research from Corvus Insurance and Elliptic, the ransomware gang also collected an estimated $100 million in ransom payments from over 90 victims until November 2023.

In February 2022, a Ukrainian security researcher also leaked over 170,000 internal chat conversations and the source code for the Conti ransomware encryptor online after the infamous Russian-based Conti cybercrime syndicate sided with Russia following Ukraine's invasion.