{
	"id": "b8f93b76-5134-47a9-a602-7035993f1550",
	"created_at": "2026-04-06T00:16:39.473956Z",
	"updated_at": "2026-04-10T03:20:23.582652Z",
	"deleted_at": null,
	"sha1_hash": "e0e2ba72f07eef2ac20fec5be0bc1bda69e72c95",
	"title": "Deciphering Black Basta’s Infrastructure from the Chat Leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1203551,
	"plain_text": "Deciphering Black Basta’s Infrastructure from the Chat Leak\r\nBy Research Team\r\nPublished: 2025-03-06 · Archived: 2026-04-05 17:01:04 UTC\r\nThis article originally appeared on Cybercrime Diaries\r\nOn February 20, 2025, the cybersecurity community received an unexpected stroke of luck as internal strife\r\nseemingly spread within the infamous Black Basta ransomware group. On that day, an unknown individual using\r\nthe alias ExploitWhispers released a file on Telegram, allegedly containing the group’s internal chat logs. The file\r\nwas a JSON dataset comprising 196,045 messages from a Matrix/Element chat, primarily in Russian, spanning\r\nfrom September 18, 2023, to September 28, 2024.\r\nWhile the true identity of the leaker and their actual motives remain unknown, ExploitWhispers accused Black\r\nBasta of crossing a red line by targeting Russian banks. A preliminary analysis suggests that most, if not all, of the\r\nleaked data appears legitimate. However, the possibility of data manipulation cannot be entirely ruled out.\r\nBlack Basta is a ransomware-as-a-service (RaaS) group that emerged in April 2022 and has since attacked over\r\n500 organizations worldwide across various sectors, including healthcare, manufacturing, and utilities. Notable\r\nvictims include Ascension, Dish Network, Maple Leaf Foods, BT Group, and Rheinmetall. According to estimates\r\npublished by The Record in November 2023, the group received over 100 million dollars in ransom payments to\r\nthat date. 
However, since January 2025 no new victims have been reported and the group’s leak site is presently\r\ndown, suggesting that an internal conflict could have shaken up the group.\r\nhttps://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-le\r\nPage 1 of 11\n\nFigure 1: Ransomware victims per country for Black Basta (Source: Ransomware.live)\r\nBack in 2022, this RaaS was founded by Conti Team 3, also known as Tramp’s team, which remained in control of\r\nthe group during the period covered by the leak. In the leaked chat, Tramp appears under the aliases gg and aa. An\r\ninvestigation by LeMagIT, supported by external sources, confirmed that the likely real identity of this threat actor\r\nis Oleg Nefedov, a Russian citizen originally from Yoshkar-Ola.\r\nWhile extensive research has already been published, providing insights into who Nefedov is and which\r\nvulnerabilities the group exploited, this blog will primarily focus on Black Basta’s internal organization. 
This\r\noffers a look into how and where the group hosted and obfuscated its leak site and C2 servers.\r\nKey Observations from the Leak and Available Information\r\nThe true identity of the group’s leader, Tramp (aka gg), is possibly Oleg Nefedov, a 35-year-old Russian\r\ncitizen from Yoshkar-Ola, who is officially known as a successful entrepreneur but claims to be protected\r\nby powerful friends allowing him to pursue his malicious endeavors.\r\nBlack Basta operates as a highly structured and hierarchical organization, with at least two offices, likely\r\nlocated in Moscow or its outskirts.\r\nGroup members have several different specializations focusing on areas such as infrastructure\r\nmanagement, initial access, malware and C2 obfuscation, development, and negotiations.\r\nA key distinction existed between threat actors who were employees of the group—working under\r\nTramp’s direct and strict supervision in office settings—and more independent operatives, known as\r\npentesters or affiliates, working online.\r\nThese independent affiliates were often Tramp’s former associates from other illicit operations, such\r\nas Conti RaaS or banking trojans. They operate within their own teams, using distinct tools,\r\nmethods, and internal hierarchies. This division sometimes leads to tensions between them and\r\nBlack Basta’s core management.\r\nThe group periodically changes Matrix servers for OPSEC reasons. In September 2024, Tramp\r\ndecided to migrate to a new server. This can also be explained by Tramp’s brief arrest, which almost\r\nresulted in an extradition from Armenia during a vacation trip in June 2024.\r\nBlack Basta members are active on major Russian-language cybercrime forums such as XSS, Exploit, and\r\nRAMP, where they purchase services from other threat actors. 
These services include crypting (payload\r\nobfuscation), hosting, spam campaigns, exploits, and initial access to compromised networks.\r\nThe group’s leak site, admin panel, and C2 servers were primarily hosted on legitimate providers such as\r\nHetzner, but these were acquired through third-party resellers that specialized in server rentals and\r\naccepted cryptocurrency payments.\r\nInfrastructure obfuscation appeared to be a more viable strategy than relying on bulletproof hosting.\r\nHowever, bulletproof hosting services, such as Gerry, were used for deploying abuse-resistant C2\r\nservers for Cobalt Strike and for fast-flux capabilities, which helped conceal the real IP addresses of\r\ndomains.\r\nOverall, the leak of this chat underscored once again that a substantial part of cybercriminal activity takes\r\nplace outside forums or public chats, with the latter being just the tip of the iceberg.\r\nBlack Basta’s Organization and Internal Hierarchy\r\nA statistical analysis of the leaked data provided valuable insight into the group’s hierarchy. The most active user\r\n—by far—was the leader, Tramp, also known as “gg” (@usernamegg in Figure 2 below). He was responsible\r\nfor coordinating other members, developing new methods for obtaining initial access, participating in attacks,\r\nhandling negotiations, and maintaining strict control over his employees. He enforced this control by personally\r\nvisiting both offices where they operated.\r\nLapa was the second most active user; he can be described as a senior “pentester” who seemingly knew Tramp\r\nbefore joining the chat in September 2023. The majority of messages from this user were related to access to\r\ncorporate networks of victims. 
There are also active external pentesters such as “w.”\r\nFigure 2: Black Basta members by number of messages (Source: Flare)\r\nThe periods of activity and the nature of the messages themselves indicate that the group had specifically defined and\r\norganized vacation periods, such as in January or June 2024 when almost all activity stopped.\r\nFigure 3: Messages per Week on Black Basta (Source: Flare)\r\nAnother notable observation was the distinct structure of the usernames present in the chat. Usernames composed\r\nof the word “username” followed by two letters—such as “gg” (aka Tramp), “ww”, “tt”, or “ss”—and hosted on\r\nthe bestflowers247.online Matrix server appeared to belong to Black Basta’s core members (example:\r\n@usernamegg:bestflowers247.online). These threat actors were directly managed by Tramp, who also provided\r\nthem with their Matrix accounts.\r\nThis structure clearly distinguished them from other members of the chat, who used their own Matrix servers, had\r\ndifferent username formats, and operated more independently. These independent actors, who can in fact be\r\nconsidered affiliates, often referred to their own teams and other threat actors who were not part of the chat.\r\nThis differentiation is also highlighted in the graph below, where it can be seen that core members remained active\r\nfor a much longer period than external ones. However, some noticeable discrepancies suggest that the data might\r\nbe incomplete or that certain core members were simply dismissed in June 2024.\r\nFor instance, no disputes or conflicts were recorded for core members such as “ww”, “mm”, “zz”, or “cc”, yet the\r\nchat abruptly stopped in June 2024. 
This suggests two possibilities: that the dataset is incomplete,\r\nor that these members moved to another communication channel.\r\nFigure 4: Black Basta members and their first and last messages (Source: Flare)\r\nAnalysis of the various exchanges between members in the chat led to deciphering their main roles and\r\nspecializations within Black Basta. As shown in the graph below—and accessible through the provided link—the\r\ngroup could be divided into the following specialties:\r\nLeadership and management: Led by gg, also known as Tramp.\r\nInfrastructure management, servers, and hosting payments: Handled by yy, also known as bio.\r\nInternal pentesters and support: A group working directly under Tramp’s command from two offices. These\r\nmembers were strictly monitored, often asking for his permission even to step away from their computers\r\nfor a few minutes. Notable members included nn, ww, zz, and others.\r\nExternal affiliates: More independent and experienced, often operating with their own teams. They were\r\nparticularly active in obtaining initial access and conducting social engineering attacks. For instance,\r\nKortez was frequently mentioned as the leader of another malicious group working alongside blood, adm,\r\nnickolas, and u123.\r\nCoders and programmers: Mostly seasoned malware developers such as n3auxaxl, also known as mekor,\r\nand chuk. They were responsible for developing new malware, including the group’s Pikabot, which\r\nconsisted of a downloader/installer, a loader, and a core backdoor component. Black Basta occasionally\r\nhired additional coders, though this appeared to be one of the hardest roles to fill.\r\nCrypting and obfuscation specialists: Primarily a small group of two individuals. 
One notable figure was\r\nmuaddib6, also known as Bentley, who may have been the infamous Russian threat actor Vitaly Kovalev.\r\nSocial engineering experts: Specialized in gaining initial access by targeting high-value companies. They\r\nused tactics such as impersonating IT support personnel, calling employees, and convincing them to install\r\nAnyDesk to deploy malware.\r\nBrute-force and password de-hashing specialists: At least two threat actors focused specifically on these\r\ntechniques.\r\nBlack Basta’s Internal Structure\r\nFigure 5: Black Basta’s Internal Structure (Source: Flare)\r\nBlack Basta’s Infrastructure: Hosted in Germany and Obfuscated\r\nThanks to this preliminary work, which helped identify the main specialization of each threat actor active in the\r\nchat, it became easier to determine where to look for specific information, such as details about the group’s\r\ninfrastructure.\r\nAccording to the previous paragraphs and Figure 5, the threat actor yy, also known as bio, was responsible for\r\nBlack Basta’s hosting, websites, and penetration testing servers.\r\nAs illustrated in Figure 6 below and in the graph available here, the group’s most critical servers were likely\r\npurchased from VPSKot, a company accepting cryptocurrency payments and reselling servers from legitimate\r\nhosting providers unaware of their real customers. 
One such provider was the German company Hetzner, where\r\nBlack Basta hosted its Onion websites like the administrative panel, blog, and Element/Matrix chat service in\r\nSeptember 2023.\r\nBlack Basta’s Key Servers in September 2023\r\nFigure 6: Black Basta’s Key Servers (Source: Flare)\r\nThe examination of yy’s messages from November 2023 also gives an interesting glimpse into how Black Basta\r\ndeployed Cobalt Strike on servers and obfuscated them behind proxies. Cobalt Strike is a post-exploitation\r\nframework commonly used by red teams and cybercriminals to establish command and control, move laterally\r\nwithin networks, and execute malicious payloads.\r\nThe group seemingly used bulletproof hosting (BPH), but only marginally, mainly preferring to acquire many\r\nservers from “grey” and offshore hosting companies to rotate their servers and obfuscate their sensitive\r\ninfrastructure. One BPH that was still mentioned multiple times in the leak, referred to as “the Abkhaz hosting”,\r\nwas a service advertised by the threat actor “gerry”, one of the most prominent illicit hosting providers presently active on\r\nRussian-language cybercrime forums.\r\nBlack Basta’s Cobalt Strike Servers and Proxies in November 2023\r\nFigure 7: Black Basta’s Cobalt Strike servers and proxies (Source: Flare)\r\nFinal Thoughts on the Black Basta Leak: A Treasure Trove to Explore\r\nThis blog offers just a glimpse into the valuable information that can be extracted and analyzed from this leak. It\r\ncontains numerous threat actor handles, illicit services from cybercrime forums, contact details, cryptocurrency\r\naddresses, and identified vulnerabilities. 
One particularly interesting investigative approach could be leveraging\r\nthese indicators to track threat actor accounts across forums, potentially uncovering their real identities. For\r\nexample, this allowed the identification of several cybercrime forum accounts belonging to the mentioned threat actors through a\r\nsearch in the Flare platform with their TOX IDs.\r\nFigure 8: Black Basta threat actors found in Flare (Source: Flare)\r\nFigure 9: Examples of threat actors selling various services on Exploit that were mentioned in the leak\r\nDig Further into Cybercrime with Flare Academy\r\nInterested in following more cybercrime research? Check out Flare Academy’s training sessions, which are led by\r\ncybersecurity researchers. Check out the upcoming sessions here.\r\nWe also offer the Flare Academy Discord Community, where you can connect with peers and access training\r\nresources from the Flare Academy training.\r\nCan’t wait to see you there!\r\nSources\r\n“Black Basta – Chat Viewer,” February 2025. https://ransomware-leaks.com/.\r\nGarrity, Patrick. “Exposing CVEs from Black Bastas’ Chats.” VulnCheck, February 24, 2025.\r\nhttps://vulncheck.com/blog/black-basta-chats.\r\nRansomware.live. “Balck Basta – Ransomware.Live 👀,” March 5, 2025. https://www.ransomware.live.\r\nRieß-Marchive, Valéry. “Ransomware : de REvil à Black Basta, que sait-on de Tramp ?” LeMagIT, March 1, 2025.\r\nhttps://www.lemagit.fr/actualites/366619807/Ransomware-de-REvil-a-Black-Basta-que-sait-on-de-Tramp.\r\nTownsend, Kevin. “Black Basta Leak Offers Glimpse Into Group’s Inner Workings.” SecurityWeek, March 3,\r\n2025. 
https://www.securityweek.com/black-basta-leak-offers-glimpse-into-groups-inner-workings/.\r\nSource: https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-le",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://flare.io/learn/resources/blog/deciphering-black-bastas-infrastructure-from-the-chat-le"
	],
	"report_names": [
		"deciphering-black-bastas-infrastructure-from-the-chat-le"
	],
	"threat_actors": [],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0e2ba72f07eef2ac20fec5be0bc1bda69e72c95.pdf",
		"text": "https://archive.orkl.eu/e0e2ba72f07eef2ac20fec5be0bc1bda69e72c95.txt",
		"img": "https://archive.orkl.eu/e0e2ba72f07eef2ac20fec5be0bc1bda69e72c95.jpg"
	}
}