Top ransomware gang's internal chat logs leaked online

Chat logs from the Black Basta ransomware group were leaked on Telegram
The leaker claims this is a response to the group attacking Russian banks
The data contains valuable information on how the group operates

Internal chat logs detailing the inner workings of the Black Basta ransomware group were just leaked online.

An individual (or a group) with the alias ExploitWhispers has apparently pulled the information from Matrix, an open source, decentralized communication protocol used for secure and real-time messaging. Matrix is often used for encrypted chats, making it popular among cybersecurity professionals, privacy advocates, but also, unfortunately, cybercriminals.

ExploitWhispers first uploaded the archive to MEGA, but after it was pulled down, they set up a dedicated Telegram channel and leaked it there.

Targeting domestic banks

“A place to discuss the most important news about Black Basta, one of the largest groups of health workers in Russia, which recently hacked domestic banks,” the leakster said on Telegram. “With such matters, we can say that they crossed the border, so we are dedicated to revealing the truth and exploring the next steps of Black Basta. Here you can find information that you can trust, and read all the most important in one channel.”

Whoever ExploitWhispers is, they weren’t happy with what Black Basta was doing in recent times. They can either be a disgruntled member, or a security researcher.

In any case, Black Basta was allegedly targeting Russian banks, which didn’t sit well with them.

The leak covers chats between September 2023, and September 2024, and contains valuable information about the group’s internal structure.

An individual called Lapa is one of the admins. Cortes is a threat actor with links to the Qakbot group, YY is the main admin, and Trump is the key figure. There are some indications that Trump’s real name might be Oleg Nefedov.

It also shows the group’s phishing templates, emails, cryptocurrency addresses, data drops, victim credentials, and more.

Analyzing the data dump, BleepingComputer said the archive also contains 367 unique ZoomInfo links, which could indicate the number of companies targeted during this period.

Via BleepingComputer

These are the most common PayPal scams around right now - so stay alert
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.