The BlackBasta Ransomware Leaks: What You Need to Know

Introduction 

On 11 February 2025, a Telegram user called ExploitWhispers shared a ZIP file in a Russian-language Telegram channel. The user claimed that the file contained the internal Matrix chat logs of the BlackBasta ransomware group, captured between 18 September 2023 and 28 September 2024. The user also shared information about some BlackBasta members, including one of the operation’s admins, the group’s administrator, and its leader, Oleg Nefedov.

BlackBasta is a highly prolific ransomware group which has conducted several high-profile attacks since its discovery in early 2022. The group, which is known to practice double extortion, has reportedly listed over 500 victims on its data-leak site (DLS). Because of this, the content of these leaks may hold key information about the group’s inner workings.

Whilst the identity of ExploitWhispers remains unknown, the user states that their motivation for releasing the leak was BlackBasta’s targeting of a Russian bank. Threat actors commonly avoid attacking countries which are part of the Commonwealth of Independent States (CIS). Given the level of access required to gather this type of data, it is not clear whether the leaker is a disgruntled member affiliated with the threat actor or a researcher.

Previous leaks 

This type of information leak is not new; many previous threat actors have undergone a similar process, and some earlier chat log leaks have been instrumental in helping researchers better understand how threat actors operate. Examples include the ContiLeaks, which gave valuable insight into how Conti developers operated within a highly corporate structure, and the Yanluowang leaks, from which analysts were able to discern the group’s real identities and connections to other organisations. Cyjax also released the industry-leading report on the Trickbot leaks, a similar incident in which over 250,000 messages were leaked from the Russian-based group Trickbot. This report broke down Trickbot’s organisational structures and operational methods and explored the group’s internal reactions to the beginning of the Russia-Ukraine war.

Alongside the value for researchers, the impact of these leaks is often felt by the group itself. At a minimum, this has included disruptions to operations, and in some cases groups have been forced to completely dissolve.

Cyjax has conducted an initial analysis of the leaks and is beginning to use this information to protect its clients. We will briefly explore an overview of the leak’s contents, how this information proves useful, and what this could mean for BlackBasta. 

The leak 

Within the chat leaks, Cyjax observed members of BlackBasta discussing various aspects of its operations. This includes: 

  • Sharing of IP addresses and domains used for command-and-control (C2) operations. 
  • Explanations of how BlackBasta scans exposed RDP and VPN services to find victims. 
  • Collections of credentials which the group has purchased or even brute-forced. 
  • Cryptocurrency payment wallets and accounts used to conduct ransomware operations. 
  • Over 60 CVEs mentioned as having been used by the group to target victims within attacks. 
  • Discussion of stolen information from victims held at ransom. 

Cyjax has also observed BlackBasta’s business-like communications, with discussion of internal disputes between members and the sharing of members’ personal information. This type of information provides significant value to researchers, enabling a greater understanding of both BlackBasta and how professional ransomware groups operate more generally. Whilst BlackBasta has been inactive since the start of 2025, potentially due to the internal issues observed in the leak, the extent to which this will impact the group is currently unknown. As with previously observed ransomware chat leaks, it is likely that these events will hinder the group’s credibility within the ransomware landscape. Consequently, the group may permanently cease its activity or rebrand under a new name.

How Cyjax responded 

Cyjax was able to use our industry-leading knowledge of the cybercriminal landscape to find and capture this leak early. This allowed us to proactively aid in protecting our clients in both a tactical and strategic manner. Cyjax can quickly detect mentions of clients within the leaks and provide custom threat reporting to each affected party. This ensures that any existing threat can be mitigated.
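As an added illustration of the kind of triage the leak contents (C2 addresses and domains, CVE mentions) and the client-mention detection described above call for, the following Python script is an example written for this page, not Cyjax’s tooling. It assumes a flat "timestamp | room | sender | message" export format for the chat lines, and every value in the sample is a constructed placeholder (RFC 5737 addresses, reserved example domains, zeroed CVE ids), not an indicator from the real leak.

```python
"""Triage of a leaked chat export: pull out indicators and flag client mentions.

Constructed example, not Cyjax tooling. Line format and all values are
placeholders (RFC 5737 IPs, reserved example domains, zeroed CVE ids).
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru)\b", re.I)

# Constructed sample export; "room" and "sender" mimic a Matrix-style dump.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z | ops | user_a | new c2 box up at 203.0.113.7, domain update.example.com
2024-03-01T10:05:40Z | ops | user_b | scanning rdp on corp.example.org ranges tonight
2024-03-01T10:07:02Z | ops | user_a | try CVE-0000-0001 on the vpn, CVE-0000-0002 as fallback
2024-03-01T11:15:19Z | chat | user_c | payment went to the usual wallet
"""

def parse_line(line):
    """Split one export line into its four fields; None if malformed."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4:
        return None
    ts, room, sender, msg = parts
    return {"ts": ts, "room": room, "sender": sender, "msg": msg}

def extract_indicators(text):
    """Collect CVE ids, syntactically valid IPv4s and domains from all messages."""
    found = defaultdict(set)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        found["cve"].update(c.upper() for c in CVE_RE.findall(msg))
        found["ipv4"].update(ip for ip in IPV4_RE.findall(msg)
                             if all(int(o) <= 255 for o in ip.split(".")))
        found["domain"].update(d.lower() for d in DOMAIN_RE.findall(msg))
    return {k: sorted(v) for k, v in found.items()}

def client_mentions(text, watchlist):
    """Return records whose message names a watched domain or one of its subdomains."""
    watch = {w.lower() for w in watchlist}
    hits = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        for d in (x.lower() for x in DOMAIN_RE.findall(rec["msg"])):
            if any(d == w or d.endswith("." + w) for w in watch):
                hits.append({**rec, "matched": d})
                break  # one hit per message is enough for reporting
    return hits
```

Feeding a real export through `client_mentions` with an organisation’s own domains gives the per-client hit list that custom threat reporting would be built from.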

If you are interested in how your organisation may be exposed within the BlackBasta leaks, please contact Cyjax to gain a greater understanding of your threat landscape. 
