{
	"id": "2c1a7957-c502-4c31-b729-073c15ab1940",
	"created_at": "2026-04-06T00:07:04.917321Z",
	"updated_at": "2026-04-10T13:12:28.007811Z",
	"deleted_at": null,
	"sha1_hash": "8aff6ae61e5a1d033be605062591cf45e7673814",
	"title": "Black Basta’s blunder: exploiting the gang’s leaked chats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 194452,
	"plain_text": "Black Basta’s blunder: exploiting the gang’s leaked chats\r\nArchived: 2026-04-05 20:05:07 UTC\r\nOverview\r\nBlack Basta, a notorious ransomware group linked to the Ryuk and Conti criminal enterprises, found itself\r\nexposed when a leak of its Matrix chat server surfaced on a Telegram channel. The chat server, hosted on the\r\ndomain bestflowers247[.]online, was leaked by a user going by the handle ExploitWhispers. The leaked files\r\ncontained JSON documents detailing timestamps, sender and recipient information, thread IDs, and message\r\ncontent. This data provides actionable insights into the group's operations, helping to identify key accounts and\r\ndomains used by its members.\r\nExploitWhispers leaks Black Basta chat logs, exposing key accounts and domains\r\nThe leaked chat data not only offers insight into Black Basta’s inner workings but also sheds light on the broader\r\nransomware ecosystem. Understanding how the group navigates this ecosystem provides valuable perspective on\r\nits scale and capabilities, with various methods available to assess its effectiveness and impact. One approach is to\r\nanalyze the cryptocurrency transactions attributed to the criminal enterprise. Kaitlin Martin of the blockchain\r\nintelligence firm Chainalysis highlighted this very point in reference to the Black Basta leak:\r\n“On- and off-chain data within the Black Basta leaked chats show how the group relies upon various web services, third-party\r\nservices, and dark web forums for their operations. 
Payments to these services by not only Black Basta, but also other ransomware\r\ngroups, demonstrate the extent to which these services are part of the critical infrastructure of the ransomware ecosystem.”\r\nBy examining financial transactions and operational dependencies, researchers can better understand the\r\necosystem in which these groups operate and sustain themselves.\r\nOne key aspect of this ecosystem is how ransomware gangs select their victims. While it is certainly true that\r\nsome industries and regions of the world are disproportionately affected, it seems to be the case that ransomware\r\ngangs are not selecting specific victims as much as they are selecting the victims from within a pool of already\r\ncompromised machines. Ransomware gangs coordinate with criminal teams that infect thousands of machines\r\ndaily, then review the list of compromised systems to identify those belonging to well-funded enterprises.\r\nhttps://www.cloudflare.com/threat-intelligence/research/report/black-bastas-blunder-exploiting-the-gangs-leaked-chats/\r\nPage 1 of 7\n\nIn many cases, ransomware gangs purchase initial access to victim hosts from brokers who scour through huge\r\ncollections of credentials traded and sold in criminal markets and forums. These credentials, harvested by\r\ninformation stealers like LummaC2, often belong to accounts of remote access systems like RDWeb, Citrix, and\r\nbrowser-based VPNs. Understanding this selection process highlights the importance of robust credential security,\r\nnetwork segmentation, and proactive threat monitoring to disrupt ransomware operations before they escalate into\r\nfull-scale attacks.\r\nPrior to the leak, Black Basta ran highly effective ransomware operations, breaching numerous enterprises and\r\ninflicting millions of dollars in damages and ransom payments. The leaked chat data provides intelligence on the\r\ngroup’s tactics, techniques, and procedures (TTPs), offering visibility into their operations. 
Using this data,\r\nCloudflare tracked Black Basta activity and uncovered unique insights into their infrastructure and attack\r\nmethods. Organizations can leverage this information to strengthen their understanding of ransomware gangs like\r\nBlack Basta to improve their defenses and proactively anticipate their next moves, reducing the risk of falling\r\nvictim to future attacks.\r\nCloudforce One dissects Black Basta TTPs\r\nWhen Cloudforce One obtained the bestflowers.json file, we first enumerated any infrastructure referenced in the\r\nchats, focusing on those where we had unique visibility. During this process, we identified techniques employed\r\nby Black Basta to facilitate data exfiltration and obscure their remote infrastructure. We conducted a thorough\r\nanalysis of this infrastructure to assess its potential impact. Our investigation confirmed that many of the domains\r\nmentioned in the chats were not used, suggesting they were preemptively created for operational tasks that never\r\nmaterialized.\r\nBlack Basta followed a consistent process to set up accounts with infrastructure providers. Group members\r\nregularly shared account creation details in the chat, including names, postal addresses, and sign-in credentials.\r\nThey used corporate-looking domains for email addresses rather than leveraging free email services. When\r\nmanaging their infrastructure, they connected from a variety of networks and inconsistently relied on anonymity\r\nservices. While their passwords were reasonably complex, they frequently reused the same ones across multiple\r\naccounts.\r\nAfter completing the investigation into Black Basta's infrastructure, we closely reviewed the chats to analyze their\r\nmethods for initial access, post-exploitation tactics, and negotiation strategies. Black Basta actively leveraged\r\nprecursor malware like Qakbot to infiltrate a vast number of machines worldwide. 
After gaining access, they\r\nidentified high-value targets through post-exploitation tasks, including well-known techniques like installing\r\npersistent beacons, enumerating directories, and escalating privileges.\r\nIn some cases, Black Basta breached systems using other methods that involved credentials harvested by an\r\ninformation stealer. Cloudforce One discovered some of the associated accounts in collections of credentials\r\ntraded and freely shared in Telegram channels dedicated to information stealer logs. An example Telegram\r\nmessage involving one of these compromised accounts is depicted in the image below.\r\nCompromised RDWeb account of US business identified by Black Basta\r\nBlack Basta’s reliance on credential theft and malware underscores the interconnected nature of the ransomware\r\necosystem—an ecosystem that thrives not only on initial access but also on the financial infrastructure that\r\nsustains its operations. Ransom payments flow through cryptocurrency, primarily Bitcoin. The leaked chats\r\ncontain numerous cryptocurrency addresses that may serve as payment destinations, which can be clustered with\r\nother addresses to analyze Black Basta’s financial footprint and impact.\r\nThe group also references cryptocurrency when arranging payments for infrastructure, with requestors specifying\r\nthe amount and sometimes offering multiple cryptocurrency payment options. This mirrors practices observed in\r\nthe Conti chat leaks from 2022, where team members routinely asked managers to make cryptocurrency payments\r\nfor virtual private servers, domain names, and VPN services.\r\nCloudforce One's investigation of the intelligence divulged through the leak of Black Basta's chat server provided\r\ninteresting tradecraft and revealed unique Cloudflare insight. 
It confirmed the group’s use of precursor malware,\r\nstrategic handling of credentials, and ability to infiltrate networks, maintain persistence, and successfully target\r\nhigh-value victims. By analyzing the leaked chat data, we also gained additional details on the critical role\r\ncryptocurrency plays in sustaining their operations and their reliance on various web and third-party services, as\r\nwell as dark web forums. This investigation highlights the evolving complexity of the ransomware ecosystem and\r\nunderscores the need for robust defenses—ranging from securing initial access points to monitoring financial\r\ntransactions—to effectively combat these persistent and adaptive threat actors.\r\nHow to protect yourself\r\nMany journals and blogs offer ransomware mitigation recommendations, but they often fail to address the root\r\ncauses of incidents. Ransomware groups typically gain initial access through a few key methods:\r\nCredential theft and resale: Information stealers harvest remote access credentials, which are then sold to\r\ninitial access brokers. These brokers, in turn, sell them to ransomware gangs.\r\nPrecursor malware deployment: Threat actors distribute malware like Qakbot and IcedID via widespread\r\nspam campaigns. They then identify high-value ransomware targets from the infected machines. Attackers\r\noften deliver this malware through email attachments with embedded scripts, or links to files containing\r\nscripts, that download and execute malicious payloads.\r\nExploiting vulnerable edge devices: Ransomware groups frequently exploit unpatched vulnerabilities in\r\nfirewalls, VPN appliances, and file-sharing services to gain unauthorized access. 
Ransomware incidents\r\noften stem from these security gaps, allowing attackers to infiltrate networks and deploy their payloads.\r\nFollow these recommendations to reduce your exposure to ransomware:\r\nDisable browser-stored passwords: Enterprises that provide an organizational password manager should\r\nprevent users from saving credentials in web browsers.\r\nSecure remote access systems: Require multi-factor authentication (MFA) for RDP, RDWeb, Citrix, VPNs,\r\nand other remote access services exposed to the internet.\r\nEducate users about bootleg software: Illegitimate software is a primary source of information stealers that\r\nharvest credentials later sold to initial access brokers.\r\nFilter email attachments carefully: Consider a robust email security solution that can block malicious\r\nattachments containing active content, such as macros or scripts, to prevent malware delivery. Cloudflare\r\nprotects against email-borne infection vectors commonly used by ransomware groups through our\r\nCloudflare Email Security product.\r\nBlock risky office macros: Prevent the execution of macros in Office documents flagged with the Mark of\r\nthe Web, which indicates they were downloaded from the internet.\r\nReport abuse on Cloudflare’s networks: If you identify suspicious activity, report it at Cloudflare’s Trust\r\nHub.\r\nIndicators of Compromise\r\nThe following list of domains, extracted from Black Basta’s chat logs, is associated with malware and data\r\nexfiltration. While some of these domains were active in the past and are unlikely to appear in future traffic,\r\nconducting a retrospective analysis could help identify any historical connections. 
Detecting past activity\r\nassociated with these domains may indicate malware communication with a command-and-control server.\r\nThe table includes some of the prominent domains and IP addresses identified in the leaked chats, but it only\r\nprovides a sampling of the very lengthy list of Black Basta indicators tracked by Cloudforce One. To learn more\r\nabout getting access to the full list of indicators along with additional actionable context, refer to our Threat\r\nEvents platform, available to Cloudforce One customers.\r\nAbout Cloudforce One\r\nCloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that\r\ndetect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political\r\ngain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with\r\npublishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions.\r\nWe identify and defend against attacks with unique insight that no one else has.\r\nThe foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which\r\nencompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the\r\nInternet, giving us unparalleled visibility into global events – including the most interesting attacks on the\r\nInternet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the\r\npoint of launch, and turn intelligence into tactical success.\r\nSource: https://www.cloudflare.com/threat-intelligence/research/report/black-bastas-blunder-exploiting-the-gangs-leaked-chats/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudflare.com/threat-intelligence/research/report/black-bastas-blunder-exploiting-the-gangs-leaked-chats/"
	],
	"report_names": [
		"black-bastas-blunder-exploiting-the-gangs-leaked-chats"
	],
	"threat_actors": [],
	"ts_created_at": 1775434024,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8aff6ae61e5a1d033be605062591cf45e7673814.pdf",
		"text": "https://archive.orkl.eu/8aff6ae61e5a1d033be605062591cf45e7673814.txt",
		"img": "https://archive.orkl.eu/8aff6ae61e5a1d033be605062591cf45e7673814.jpg"
	}
}