
Black Basta Telegram Leak Post
An anonymous informant has leaked an archive of internal chats belonging to the Black Basta ransomware group. The files were initially uploaded by a user under the alias ExploitWhispers on the MEGA platform, but after the materials were taken down, they were relocated to a dedicated Telegram channel.
It remains unclear whether ExploitWhispers is a cyber threat researcher who gained access to the group’s server or a former insider exposing confidential information. According to PRODAFT, the breach may have stemmed from internal discord within Black Basta, particularly regarding attacks on financial institutions.
PRODAFT analysts have observed a notable decline in Black Basta’s activity since the beginning of the year, attributing it to internal disputes. Some group members reportedly collected ransom payments without providing decryption keys to victims. The company also noted that the publication of chat logs on February 11, 2025, closely resembles the infamous leak of Conti’s internal communications.
The leaked archive spans conversations within Black Basta from September 18, 2023, to September 28, 2024. The files include details on phishing operations, cryptocurrency wallet addresses, stolen victim credentials, and hacking tactics. The archive also contains 367 unique links to ZoomInfo, a service frequently exploited by cybercriminals for gathering intelligence on victims and conducting negotiations.
Moreover, ExploitWhispers exposed the identities of several key Black Basta members, including:
- Administrator Lapa
- Hacker Cortes (affiliated with the Qakbot group)
- Lead administrator YY
- A member using the aliases Trump, GG, and AA, identified as Oleg Nefedov, the presumed leader of Black Basta
Black Basta has been operating since April 2022, following the Ransomware-as-a-Service (RaaS) model, targeting organizations worldwide. Among its high-profile victims are:
- Rheinmetall (a German defense contractor)
- Hyundai’s European division
- BT Group
- Ascension
- ABB
- The American Dental Association
- Technology firm Capita
- And numerous other entities
Between April 2022 and May 2024, Black Basta affiliates breached over 500 organizations. As of November 2023, the group had amassed approximately $100 million in ransom payments from more than 90 victims.