{
	"id": "e9ec7a67-ef82-4544-a530-a57b1d14adda",
	"created_at": "2026-04-06T00:10:43.660713Z",
	"updated_at": "2026-04-10T03:20:26.708171Z",
	"deleted_at": null,
	"sha1_hash": "1014fa3191c4dfd82439872ebf2a8cafda7ef6b5",
	"title": "Black Basta exposed: A look at a cybercrime data leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 325867,
	"plain_text": "Black Basta exposed: A look at a cybercrime data leak\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 18:00:30 UTC\r\nOn Feb. 11, 2025, a mysterious leaker going by the Telegram username ExploitWhispers released one year’s worth of internal communications between members of the Black Basta ransomware group on a Telegram channel. Black Basta is still active in a reduced capacity, but in 2022, it was the third most impactful ransomware group. Its members appeared to be experienced Russian-speaking ransomware and cybercrime veterans, some of whom worked with the infamous Conti ransomware-as-a-service (RaaS) group. The 197,000 chat messages are drawn from 80 different chatrooms on Matrix servers hosted on six domains. The leak rivals the chat leak that affected the Conti ransomware gang in late February 2022. Black Basta’s leak provides similar insight as Conti’s: Black Basta is a polished ransomware group that carefully studied potential victims, ran sophisticated phishing and malware campaigns and employed a range of people for support, including call services, malware development, initial access, crypters and penetration testing. The messages reveal a range of technical data that formed Black Basta’s operations, including cryptocurrency wallets, domain names, indicators of compromise (IoCs), tools and techniques. But the chats also reveal discord in the group, petty quarrels and tangible worries of getting caught by international law enforcement. One key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people, a situation that is explored further in this piece.\r\nThis blog post will explore high-level insights drawn from the messages. 
Intel 471 plans to release a series of reports looking at this gang’s tactics, techniques and procedures (TTPs), including phishing, social engineering, vulnerabilities exploited and lateral movement, as well as a look at identified victims, cryptocurrency payment flows and possible real-world identities of threat actors.\r\nWhy were the chats released?\r\n@ExploitWhispers is the username for someone who was the administrator of a Telegram chat group called “Шепот Басты” (Eng. Basta Whisper). The informant claimed gang members were “crossing the line,” which referred to their alleged attacks on Russian financial institutions, as a reason for the leak. These attacks have yet to be verified.\r\nWho is in the chats?\r\nThe chat logs reveal most group members used a consistent format for Matrix aliases, which included a “username” and a two-letter alias such as the “tt” suffix, while some others had custom handles. It is possible core team members, in-house developers and system administrators used standard handles, and the Black Basta group’s affiliates and partners used custom handles. However, this is a working hypothesis at the time of this report.\r\nhttps://intel471.com/blog/black-basta-exposed-a-look-at-a-cybercrime-data-leak\r\nPage 1 of 5\n\nThe exposed internal communications also reveal several actors with managerial roles in the gang’s operations. For example, usernamegg aka GG was a senior manager and team leader. The conversations indicate usernamegg coordinated the group’s daily operations, hired new members, interacted with affiliates and partners, and supervised budgeting and finance activity. We believe this actor also goes by tramp.\r\nAnother leading member of the Black Basta group, the actor tinker, negotiated with victims, managed call centers and supervised other activities. The actor allegedly had the same role in the Conti group previously. 
The actor tinker revealed an affiliation with the BlackSuit aka Royal ransomware group, a spinoff of Conti’s Team 2 subgroup, and admitted to working as a Royal negotiator.\r\nWhere is Black Basta based?\r\nOur preliminary research indicated usernamegg rented at least two offices in Moscow, Russia, where developers, malware operators and network intruders were based. The actor also mentioned “an influential ally” who was a high-ranking employee at a large company and provided protection against possible law enforcement action.\r\nOperational security\r\nThe gang’s key members frequently expressed operational security (OPSEC) concerns, were afraid their infrastructure and systems could be compromised and worried that personal data might be exposed in response to Black Basta gang members’ attacks on critical infrastructure.\r\nFor example, the actor w used a conversation with usernamegg to claim the OPSEC measures included using a remote desktop, multiple layers of the onion router (Tor) and virtual private network (VPN) connections and disk encryption.\r\nThe chat leak contains no messages from usernamegg between June 21, 2024, and July 3, 2024. On that day the actor reappeared, making the comment: \"I am here. I'll tell you all about it when you get here.\" In a private conversation with chuck, usernamegg disclosed that they were apprehended once by law enforcement officers, but high-level officials helped usernamegg escape:\r\nThe image depicts a screenshot of Black Basta group members’ leaked conversations from July 3, 2024, where the actor usernamegg talked about their alleged arrest.\r\nThe chat reads (translated from Russian):\r\n@chuck:talks.icu, message: how did they get you out?\r\n@chuck:talks.icu, message: did you pay a lot? 
@usernamegg:matrix.bestflowers247.online, message: remember when I said I had friends at a really high level; this is the level of our first\r\n@usernamegg:matrix.bestflowers247.online, message: I've just managed to call him.\r\nusernamegg’s absence in the chats overlaps with a report in an Armenian news outlet of a man who was arrested and purportedly wanted by the U.S. On June 24, 2024, an Armenian news outlet, 168.am, reported that a 34-year-old identified as Oleg N. had been arrested on June 21, 2024, related to charges filed in the U.S. state of Washington.\r\nThis arrest surfaced again in the same news outlet on Sept. 20, 2024. The story identifies the man as Oleg Nefedov and claims he was wanted by the U.S. on an Interpol notice but was no longer in custody. The story claims after Nefedov’s arrest, a judge found the prosecutor did not present a translation of the Interpol notice to Nefedov. The prosecutor argued it was not required. The article says Nefedov was released within 72 hours of his arrest, which appears to be the period in which a court must make a decision on whether to continue to detain someone, and that Nefedov’s “whereabouts are unknown.”\r\nThe story continued to evolve. On Sept. 30, 2024, 168.am reported that disciplinary action was being considered against the judge in Nefedov’s case, Artush Gabrielyan, for allegedly waiting too long to hold Nefedov’s detention hearing. Nefedov, the story contends, is a Russian man wanted by the U.S. in connection with fraud “worth several billion.” After the detention period expired at 4 PM on June 24, 2024, Nefedov’s attorney petitioned for the hearing to be adjourned for 15 minutes, and Nefedov left the court, the publication reported. On Oct. 
10, 2024, the Armenian publication CivilNet published a story contending that disciplinary action had been undertaken against Gabrielyan.\r\nThe Oleg Nefedov persona ties together with claims in the Black Basta chats made by the leaker, ExploitWhispers. ExploitWhispers suggested the actor Bio had identified the actor GG aka usernamegg as tramp and speculated AA, GG and tramp might be aliases for the same individual who possibly used the Oleg Nefedov persona.\r\nIntel 471 continues to investigate the news stories and the claims around the Oleg Nefedov and usernamegg personas. Chat leaks can illuminate much about a group, but also can present ambiguous information that can be difficult to verify.\r\nWho helped usernamegg?\r\nThe identity of the person @usernamegg refers to as “level of our first” and “him” in Figure 1 is unclear but suggests someone in a position of influence and authority. In the chats, @usernamegg claims the person runs “big corporations” and could provide trouble-free passage through immigration thanks to another high official — referred to as the “number one” — who was aware of @usernamegg’s predicament.\r\nThis type of connection with the state would not be unheard of for a high-ranking cybercrime player. Russia’s intelligence services and the cybercriminal underground have long maintained relationships, with the former leaning on the latter for operational support under a quid pro quo arrangement: Underground actors can continue their activity without repercussions as long as they cooperate with the state. The foundation for these relationships is institutionalized corruption, where the state — which has the power to conduct raids, audits and other forms of harassment — can coerce cybercriminal actors into paying protection money, participating in state-directed cyber operations such as espionage or data theft and supporting state narratives through hacktivist or misinformation campaigns. 
These relationships have been described in public documents, such as the FSB tasking of cybercriminal actors to breach Yahoo email accounts in 2014; in U.S. sanctions levied against the Trickbot actors, who were related to Conti; and the use of the GameOver Zeus botnet to search for sensitive data on Ukrainian computers.\r\nOther potentially identifying information emerged in the chats. Both chuck, who apparently developed and operated Qbot aka Qakbot malware, and usernamegg allegedly purchased property in Dubai, United Arab Emirates (UAE). The actor chuck also claimed in messages around July 2024 to have communicated with criminal defense attorney Arkady Bukh about the legal risks of residing in the UAE. The actor chuck subsequently expressed the view that the risks of being arrested as a result of an Interpol notice were low.\r\nConclusion\r\nThe Black Basta gang attacked at least 165 organizations in 2022 but is off to a slower start this year — Intel 471 has recorded only eight victims so far. The chat messages broadly reveal discord within the group, suggesting this could be a reason for the low number of successful attacks. Chat leaks contributed to the decline of the Conti ransomware group, as the security lapse that led to it drove waning confidence among affiliates. Nonetheless, these threat actors are veteran ransomware attackers, and it is likely that if Black Basta completely dissolves, group members will re-integrate themselves into other ransomware operations, which makes this intelligence valuable. Intel 471 will continue to analyze the messages.\r\nSource: https://intel471.com/blog/black-basta-exposed-a-look-at-a-cybercrime-data-leak",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/black-basta-exposed-a-look-at-a-cybercrime-data-leak"
	],
	"report_names": [
		"black-basta-exposed-a-look-at-a-cybercrime-data-leak"
	],
	"threat_actors": [],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775791226,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1014fa3191c4dfd82439872ebf2a8cafda7ef6b5.pdf",
		"text": "https://archive.orkl.eu/1014fa3191c4dfd82439872ebf2a8cafda7ef6b5.txt",
		"img": "https://archive.orkl.eu/1014fa3191c4dfd82439872ebf2a8cafda7ef6b5.jpg"
	}
}