Black Basta RaaS's potential connection to Russian authorities uncovered

A massive leak of internal chat logs has recently revealed potential ties between the BlackBasta ransomware gang and Russian authorities. The trove, consisting of over 200,000 messages spanning a year, was released by a Telegram user known as @ExploitWhispers on February 11, 2025. While the user claimed the leak was a retaliation for BlackBasta allegedly targeting Russian banks, no evidence has been found to confirm this claim. Cybersecurity firm Trellix analyzed the logs and uncovered information about the gang's operations, including potential Russian government involvement and advanced cybercrime activities.

The leaked chat logs reveal an apparent connection between BlackBasta’s leader, Oleg Nefedov (alias GG or Tramp), and Russian officials. According to the chat logs, Nefedov was detained in Armenia in June 2024 but mysteriously escaped custody just three days later. In a conversation with an associate named Chuck, Nefedov suggests that Russian authorities played a role in his escape, claiming that he contacted high-ranking officials to secure a "green corridor" that facilitated his release. Chuck speculates that the "number 1" mentioned in the chat could refer to Russian President Vladimir Putin, though Nefedov neither confirmed nor denied this theory.

Further discussions in the leaks indicate that Russian law enforcement may have the ability to suppress Interpol requests under certain circumstances. The messages also suggest that Nefedov and Chuck intended to continue their illicit activities for an extended period, with references to Russia's ongoing invasion of Ukraine (referred to as the Special Military Operation, or SMO). They discussed continuing their operations "until the grandpa lives" and until the SMO concludes, with 'grandpa' possibly referring to a senior figure who provides protection to BlackBasta leaders.

In addition to the suspected links to Russian authorities, the leaks shed light on BlackBasta's operational structure and ties to other cybercriminal organizations. One particular chat revealed connections between BlackBasta and members of the Trickbot group, with one participant even suggesting a link to Russia’s Federal Security Service (FSB).

BlackBasta's operations appear to be well-established within Russia, with reports suggesting that the group operates two physical offices in Moscow. The leaked chats detailed the logistics of these offices, including security measures, staff coordination, and high-end social gatherings at places like restaurants and saunas.

The leaks also shed light on BlackBasta's use of technology, particularly artificial intelligence. The gang exploited AI tools such as ChatGPT for various illicit activities, including generating phishing emails, debugging malware, and rewriting ransomware scripts to evade detection. Additionally, the logs showed that AI was used to gather victim data, with members automating contact collection through GPT API services.

The messages also provided insight into BlackBasta's collaborations with other cybercriminal groups. The gang appeared to have worked with several ransomware-as-a-service (RaaS) affiliates, including Rhysida and Cactus. They also used malware loaders such as Qakbot, Pikabot, DarkGate, and IcedID in their operations. Some of the discussions indicated that BlackBasta had rental agreements with other criminals, including one deal to pay $1 million for exclusive access to DarkGate malware.

After a failed attack on Ascension Health, the group's leadership discussed rebranding efforts, with Nefedov instructing a key developer to create a new ransomware variant based on the source code of the notorious Conti ransomware. The group planned to ensure that the new variant would remain untraceable to BlackBasta and discussed utilizing secure infrastructure in Abkhazia, a region with historical ties to Russian cybercrime.
