Source: www.infosecurity-magazine.com
Netherlands-based threat intelligence firm Prodaft revealed on February 20 that internal chatlogs from the BlackBasta ransomware gang have been leaked online.
BlackBasta is a ransomware strain that was first detected in April 2022. Early on, cyber threat intelligence experts assessed that the members of the group behind the ransomware were associated with other top-tier ransomware groups, especially Conti and REvil.
Yelisey Bohuslavskiy, Partner and Chief Research Officer at Red Sense, believes BlackBasta is a merger of the two defunct groups.
BlackBasta Internal Chat Logs Likely Legitimate
The leaked internal chat logs, purportedly from the BlackBasta ransomware group’s Matrix server, were initially posted on file sharing site MEGA by an individual calling themselves ExploitWhispers.
The files are now accessible via a dedicated Telegram channel after their removal from the original platform.
BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn
— PRODAFT (@PRODAFT) February 20, 2025
The source of the leak remains unclear. The identity and motives of ExploitWhispers are unknown.
The leaks, which several threat intelligence sources told Infosecurity are likely legitimate, contain “highly useful information from a threat intelligence perspective,” according to Prodaft.
The logs contain 196,045 messages, all in Russian. They include internal messages spanning from September 18, 2023, to September 28, 2024, with details on the relationships between key threat actors, the group’s access to internal networks, as well as other significant information that provides deeper insight into the group’s operations.
Internal Conflict Causes BlackBasta’s Disbanding
BlackBasta was one of the most active ransomware groups in early 2024, but its operations dropped significantly in the summer. A summer lull is typical for the group; however, apart from October 2024, its activity has not returned to previous highs since, and BlackBasta has claimed almost no attacks in 2025.
One week before the leaks, several threat intelligence analysts, including Red Sense’s Bohuslavskiy, assessed that BlackBasta had disbanded.
According to Prodaft, the leaks revealed that the group has been mostly inactive this year due to internal conflicts, primarily caused by a key player in the ransomware syndicate known as ‘Tramp’ or ‘Trump.’
“Tramp was responsible for distributing Qbot and managing a spamming network, which led to major disputes within the team. As a result, several key members have left,” a Prodaft spokesperson told Infosecurity.
A Prodaft researcher known as @3xp0rt on social media also explained that BlackBasta was facing several internal and external pressures.
Internally, it seems that the alleged leader, Oleg Nefedov (aka ‘Tramp’ or ‘Trump’) prioritized his own financial gain, creating a toxic environment. An administrator named ‘Lapa’ is said to be overworked, underpaid and verbally abused, while another administrator known as ‘YY’ receives better compensation.
Externally, BlackBasta conducted a risky brute-force attack on Russian banks, which may provoke a reaction from authorities. This attack also caused ‘Cortes,’ associated with the Qakbot group, to distance himself from BlackBasta.
BlackBasta Members Join Cactus and Akira Ransomware Groups
The leaks also confirmed a possible link between some BlackBasta operators and the Akira ransomware syndicate, whose activity seemed to have picked up exactly when BlackBasta’s operation was easing.
“We can confirm that a number of BlackBasta operators—many of whom were originally part of the ex-Conti cluster—have migrated to both Cactus ransomware and Akira ransomware,” the Prodaft spokesperson said.
“This shift aligns with broader trends in the ransomware ecosystem, where operators frequently move between groups as internal disputes arise or financial incentives change,” Prodaft added.
The images illustrating this article were generated using Shutterstock AI Image Generator.
Original Post URL: https://www.infosecurity-magazine.com/news/blackbasta-ransomware-chatlogs/