A major leak of internal chat logs from the Black Basta ransomware gang has exposed deep internal conflicts, failed operations, and financial disputes.
The leak, which surfaced on February 11, 2025, has been linked to the gang's controversial targeting of Russian banks, reminiscent of the infamous Conti ransomware leaks in 2022.
Black Basta, a Ransomware-as-a-Service (RaaS) operation that emerged in April 2022, has been responsible for numerous high-profile attacks on corporations worldwide. The gang has targeted major organizations, including Rheinmetall, BT Group, Hyundai's European division, and the U.S. healthcare giant Ascension.
Trove of intelligence leaked
The breach, first highlighted by cybersecurity firm PRODAFT, revealed that Black Basta has been largely inactive since early 2025 due to internal strife. The ransomware group, which operates under the alias “Vengeful Mantis,” faced major setbacks after some members defrauded victims — accepting ransom payments without providing functional decryption tools.
The leaked archive was initially shared on MEGA and later re-uploaded to Telegram by user “ExploitWhispers.” It has provided security researchers with unprecedented insight into Black Basta's operations.
One of the key figures in the group's downfall is “Tramp” (also identified as LARVA-18), a known cybercriminal involved in Qakbot malware distribution. His actions reportedly contributed to significant discord within Black Basta, prompting key members to defect to other ransomware operations such as Cactus (Nurturing Mantis).
The leaked chat logs, spanning from September 18, 2023, to September 28, 2024, expose the dysfunctional leadership and internal power struggles within Black Basta. The chats contain details about ransom negotiations, phishing tactics, cryptocurrency transactions, and even personal disputes among gang members.
The threat group's recent move to target Russian financial institutions may have triggered the internal leaks. The chat records suggest that some members, particularly “Cortes,” also a Qakbot affiliate, distanced themselves from these attacks, seemingly surprised that a Russian-linked group would turn against its own country's banks.
The gang's leadership appears to be in disarray, with allegations that its boss, identified as “Oleg Nefedov” (also known as “GG” or “Trump”), prioritized personal financial gain over the group's well-being. Members complained about unpaid wages, internal conflicts, and growing tensions over leadership decisions. The arrest of a key member, “Bio” (previously known as “Pumba”), has reportedly further destabilized the group.
Cybersecurity firm Hudson Rock has quickly capitalized on the leak by launching BlackBastaGPT, an AI-powered chatbot trained on over one million messages from the stolen chat logs. This tool is designed to assist threat intelligence researchers in dissecting the ransomware gang's strategies, financial dealings, and inner dynamics.
Ultimately, the leak is a major blow to Black Basta, which had already been losing traction due to internal discord. The exposure of chat logs not only damages the gang's credibility but also provides valuable intelligence for cybersecurity professionals and law enforcement agencies. This incident highlights the persistent volatility within cybercriminal organizations, where greed and betrayal often lead to their downfall.
Spyware Apps Cocospy and Spyic Exposed Data of Users and Victims
Leave a Reply