Technology

Top ransomware gang’s internal chat logs leaked online

February 24, 2025

Chat logs from the Black Basta ransomware group were leaked on Telegram
The leaker claims this is a response to the group attacking Russian banks
The data contains valuable information on how the group operates

Internal chat logs detailing the inner workings of the Black Basta ransomware group were just leaked online.

An individual (or a group) with the alias ExploitWhispers has apparently pulled the information from Matrix, an open source, decentralized communication protocol used for secure and real-time messaging. Matrix is often used for encrypted chats, making it popular among cybersecurity professionals, privacy advocates, but also, unfortunately, cybercriminals.

ExploitWhispers first uploaded the archive to MEGA, but after it was pulled down, they set up a dedicated Telegram channel and leaked it there.

Targeting domestic banks

“A place to discuss the most important news about Black Basta, one of the largest groups of health workers in Russia, which recently hacked domestic banks,” the leakster said on Telegram. “With such matters, we can say that they crossed the border, so we are dedicated to revealing the truth and exploring the next steps of Black Basta. Here you can find information that you can trust, and read all the most important in one channel.”

Whoever ExploitWhispers is, they weren’t happy with what Black Basta was doing in recent times. They can either be a disgruntled member, or a security researcher.

In any case, Black Basta was allegedly targeting Russian banks, which didn’t sit well with them.

The leak covers chats between September 2023, and September 2024, and contains valuable information about the group’s internal structure.

An individual called Lapa is one of the admins. Cortes is a threat actor with links to the Qakbot group, YY is the main admin, and Trump is the key figure. There are some indications that Trump’s real name might be Oleg Nefedov.

It also shows the group’s phishing templates, emails, cryptocurrency addresses, data drops, victim credentials, and more.

Analyzing the data dump, BleepingComputer said the archive also contains 367 unique ZoomInfo links, which could indicate the number of companies targeted during this period.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar