Intel471 reports:
On Feb. 11, 2025, a mysterious leaker going by the Telegram username ExploitWhispers released one year’s worth of internal communications between members of the Black Basta ransomware group on a Telegram channel. Black Basta is still active in a reduced capacity, but in 2022, it was the third most impactful ransomware group. Its members appeared to be experienced Russian-speaking ransomware and cybercrime veterans, some of whom worked with the infamous Contiransomware-as-a-service (RaaS) group. The 197,000 chat messages are drawn from 80 different chatrooms on Matrix servers hosting on six domains. The leak rivals the chat leak that affected Conti ransomware gangin late February 2022. Black Basta’s leak provides similar insight as Conti’s: Black Basta is a polished ransomware group that carefully studied potential victims, ran sophisticated phishing and malware campaigns and employed a range of people for support, including call services, malware development, initial access, crypters and penetration testing. The messages reveal a range of technical data that formed Black Basta’s operations, including cryptocurrency wallets, domain names, indicators of compromise (IoCs), tools and techniques. But the chats also reveal discord in the group, petty quarrels and tangible worries of getting caught by international law enforcement. One key member of Black Basta contended they had been able to elude law enforcement in mid-2024 with help from influential people, a situation that is explored further in this piece.
Read more on Intel471.
Over on LeMagIT, Valéry Rieß-Marchive also covered the implosion of Black Basta, and then took a deeper look at the same key member, known as “Tramp.” LeMagIT’s investigation began intensifying in December 2024, when an anonymous source contacted them, claiming to know Tramp well, and that his real name was allegedly Oleg Y. Nefedov. The source claimed that they had worked with him. The following is a machine translation from LeMagIT:
“He has the best protection [there is] in Russia. He has friends in the security services. He even pays the FSB and the GRU,” the source tells us. These are the Russian intelligence services. “No one has that kind of money or that level of security anymore,” the source adds.
This is indeed what Tramp, also known under the pseudonyms AA and GG, in particular, claims to one of his partners, dd , on November 14, 2022: “I have guys from Lubyanka [the FSB headquarters in Moscow, editor’s note] and the GRU, I’ve been feeding them for a long time,” we can read in a log of private exchanges that probably took place on the encrypted messaging service Tox. These exchanges were provided to us on December 30, 2024, as well as to our colleagues at Spiegel.
Read more at LeMagIT and Intel471. Both cover the arrest of Nefedov in Armenia in June 2024, and how he managed to evade detention when a judge scheduled the detention hearing too late under law to detain him. Chats between “usernamegg” and another Black Basta member on July 3 seem to match up with the situation, and Rieß-Marchive tells DataBreaches he is very confident that “Tramp” is Nefodov.
“As we reported, we had intel on that before the leak. And we had other sources, not to be named, confirming it. The leak only helped bringing more pieces together, with the break in GG activity and his mentions of the arrest. With the leak, it all came together.”
Related: The Hacker Who Escaped Justice (The Standard, translation)