An unknown informant posted the Black Basta group archive to the network. Initially, the files were uploaded by the user under the nickname ExploitWhispers to the Mega platform, but after removing the materials, he moved them to a special Telegram channel.
It is still unclear whether ExploitWhispers is a Cyberrose researcher who has access to the group server, or a former participant who decided to reveal internal information. According to data from PRODAFT, the cause of the leak could be a conflict within the group associated with attacks on banks.
PRODAFT noted that since the beginning of the year, the Black Basta activity has decreased significantly due to internal disagreements. Some members of the group received a ransom, but did not provide the victims with the keys to decrypt. The company also noted that the publication of logs on February 11, 2025 is largely reminiscent of a leakage of chats of another well-known Conti group.
The drain covers the correspondence of the Black Basta participants from September 18, 2023 to September 28, 2024. The archive contains data on phishing schemes, address addresses, accounting data of victims and hacking tactics. 367 unique links to Zoominfo are also found – a service that cybercriminals often use to collect information about victims and negotiations.
In addition, ExploitWhispers opened the personality of some participants in Black Basta. Among them:
- Administrator of the paw;
- Hacker cortes (related to the group QAKBOT);
- Chief administrator Yy;
- Participant under the pseudonym Trump, GG, and AA, which is identified as Oleg Nefedov – the alleged leader of the group.
Black Basta has been operating since April 2022 according to the Ransomware-AS-A-Service (RAAS) model and attacks organizations worldwide. Among the victims are the German defense contractor Rheinmetall, the European division of Hyundai, BT Group, Asceence, ABB, the US dentist association, the Cap