BlackBasta Ransomware Gang’s Internal Chat Logs Leaked, Revealing Internal Strife and Disbanding

NEW DELHI: A massive leak of internal chat logs from the BlackBasta ransomware group has exposed the inner workings of the notorious cybercriminal organization, revealing internal conflicts, financial disputes, and the group’s eventual disbanding.
The leak, initially shared on a file-sharing site and now circulating on Telegram, offers unprecedented insight into the ransomware gang’s operations and the complex dynamics of the cybercrime underworld.
From Conti and REvil Roots to Internal Discord
BlackBasta, first detected in April 2022, quickly gained notoriety for its aggressive tactics.
Experts linked the group’s members to other prominent ransomware gangs, including Conti and REvil, suggesting a consolidation of cybercriminal talent.
Yelisey Bohuslavskiy, Partner and Chief Research Officer at Red Sense, even believes BlackBasta was a merger of these two defunct groups. However, the leaked chat logs, spanning from September 2023 to September 2024 and written in Russian, paint a picture of internal strife that ultimately led to the group’s downfall.
The Leak: A Window into Cybercrime
The leaked logs, containing 196,045 messages, offer a treasure trove of information for threat intelligence experts. Prodaft, a Netherlands-based threat intelligence firm, confirmed the legitimacy of the leaks, describing them as “highly useful from a threat intelligence perspective.” The messages detail relationships between key threat actors, reveal insights into the group’s access to internal networks, and shed light on their operational strategies. The source of the leak remains a mystery, with the individual behind the initial posting, known only as ExploitWhispers, remaining unidentified.
Internal Conflicts and Financial Disputes: The Downfall of BlackBasta
While BlackBasta was highly active in early 2024, its operations significantly slowed down during the summer. Although a summer slowdown is typical for the group, their activity never recovered to previous levels, except for a brief resurgence in October 2024. By 2025, BlackBasta claimed almost no attacks. Just a week before the leak, several threat intelligence analysts, including Red Sense’s Bohuslavskiy, assessed that BlackBasta had disbanded.
The leaked logs confirm this assessment, revealing that internal conflicts, primarily driven by a key player known as ‘Tramp’ or ‘Trump,’ crippled the group. Prodaft revealed that “Tramp was responsible for distributing Qbot and managing a spamming network, which led to major disputes within the team. As a result, several key members have left.”
Further insights from a Prodaft researcher, known as @3xp0rt on social media, highlight the toxic environment created by ‘Tramp’ (Oleg Nefedov). Allegedly, ‘Tramp’ prioritized his own financial gain, leading to dissatisfaction among other members. An administrator named ‘Lapa’ was reportedly overworked, underpaid, and verbally abused, while another administrator, ‘YY,’ received preferential treatment.
Adding to the internal pressures, BlackBasta’s risky brute-force attack on Russian banks likely provoked a reaction from authorities and caused ‘Cortes,’ associated with the Qakbot group, to distance himself.
The Great Migration: BlackBasta Members Join Other Ransomware Groups
The leaked data also confirmed a connection between some BlackBasta operators and the Akira ransomware syndicate, whose activity increased just as BlackBasta’s waned. Prodaft confirmed that “a number of BlackBasta operators—many of whom were originally part of the ex-Conti cluster—have migrated to both Cactus ransomware and Akira ransomware.”
This migration reflects a broader trend in the ransomware ecosystem, where cybercriminals frequently shift allegiances between groups due to internal disputes or changing financial incentives. The BlackBasta leak provides a fascinating and disturbing look into the inner workings of these groups, and how these internal and external pressures can cause even the most successful cybercriminal enterprises to crumble.