DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Black Basta exposed: A look at a cybercrime data leak and a key member, “Tramp”

Posted on March 2, 2025March 2, 2025 by Dissent

Intel471 reports:

On Feb. 11, 2025, a mysterious leaker going by the Telegram username ExploitWhispers released one year’s worth of internal communications between members of the Black Basta ransomware group on a Telegram channel. Black Basta is still active in a reduced capacity, but in 2022, it was the third most impactful ransomware group. Its members appeared to be experienced Russian-speaking ransomware and cybercrime veterans, some of whom worked with the infamous Contiransomware-as-a-service (RaaS) group. The 197,000 chat messages are drawn from 80 different chatrooms on Matrix servers hosting on six domains. The leak rivals the chat leak that affected Conti ransomware gangin late February 2022. Black Basta’s leak provides similar insight as Conti’s: Black Basta is a polished ransomware group that carefully studied potential victims, ran sophisticated phishing and malware campaigns and employed a range of people for support, including call services, malware development, initial access, crypters and penetration testing. The messages reveal a range of technical data that formed Black Basta’s operations, including cryptocurrency wallets, domain names, indicators of compromise (IoCs), tools and techniques. But the chats also reveal discord in the group, petty quarrels and tangible worries of getting caught by international law enforcement. One key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people, a situation that is explored further in this piece.

Read more on Intel471.

Over on LeMagIT, Valéry Rieß-Marchive also covered the implosion of Black Basta, and then took a deeper look at the same key member, known as “Tramp.” LeMagIT’s investigation began intensifying in December 2024, when an anonymous source contacted them, claiming to know Tramp well, and that his real name was allegedly Oleg Y. Nefedov. The source claimed that they had worked with him. The following is a machine translation from LeMagIT:

“He has the best protection [there is] in Russia. He has friends in the security services. He even pays the FSB and the GRU,” the source tells us. These are the Russian intelligence services. “No one has that kind of money or that level of security anymore,” the source adds.

This is indeed what Tramp, also known under the pseudonyms AA and GG, in particular, claims to one of his partners,  dd , on November 14, 2022: “I have guys from Lubyanka [the FSB headquarters in Moscow, editor’s note] and the GRU, I’ve been feeding them for a long time,” we can read in a log of private exchanges that probably took place on the encrypted messaging service Tox. These exchanges were provided to us on December 30, 2024, as well as to our colleagues at  Spiegel.

Read more at LeMagIT and Intel471. Both cover the arrest of Nefedov in Armenia in June 2024, and how he managed to evade detention when a judge scheduled the detention hearing too late under law to detain him. Chats between “usernamegg” and another Black Basta member on July 3 seem to match up with the situation, and Rieß-Marchive tells DataBreaches he is very confident that “Tramp” is Nefodov.

“As we reported, we had intel on that before the leak. And we had other sources, not to be named, confirming it. The leak only helped bringing more pieces together, with the break in GG activity and his mentions of the arrest. With the leak, it all came together.”

Related:  The Hacker Who Escaped Justice (The Standard, translation)

 

 

 

 

 

Category: Commentaries and AnalysesMalwareNon-U.S.Of Note

Post navigation

← Data Breach Class Action Dismissed After ‘Alter Ego’ Doctrine Fails
FBCS updates the number affected in its 2024 breach to 4,253,394 →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch (1)
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.