Hundreds of thousands of internal messages from the Black Basta ransomware gang were leaked by a Telegram user, prompting security researchers to bust out their best Russian translations post haste.

A user going by the name “ExploitWhispers” uploaded the chats in the form of a JSON file nearly 50MB in size to Mega, which has since removed the download link.

Alas, the cyber threat intelligence (CTI) community flocked to the rare trove of information to glean any and all insights they could. The problem: It’s all in Russian, so translating every message and turning that into actionable intel will take some time.

The threat intelligence team at PRODAFT said on Thursday that the chats, which were leaked on February 11, followed an internal conflict largely driven by a single figure within the organization.

“As part of our continuous monitoring, we’ve observed that Black Basta (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts,” it said. “Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.

“The internal conflict was driven by ‘Tramp’ (LARVA-18), a known threat actor who operates a spamming network responsible for distributing Qbot. As a key figure within Black Basta, his actions played a major role in the group’s instability.

“On February 11, 2025, a major leak exposed Black Basta internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks.”

A list of highlights from the chats so far, curated from posts made across the CTI community, can be found below:

• Ransom demands went deep into the tens of millions, according to one December 2023 ransom note

• The group was charging around $1 million for a year’s access to its loader

• One affiliate is a child aged 17 years

• Black Basta goes to great lengths to procure VPN exploits

• It also maintains a spreadsheet of potential victims it wishes to target, which are not selected at random

• After seeing Scattered Spider’s success with social engineering, its affiliates adopted similar techniques and used phone calls to make initial contact with company personnel

• Key gang members did not trust “Mr LockBit”

• It was known within the group that its ransomware was less effective than rivals, which drove some affiliates to join Cactus ransomware instead

One PRODAFT CTI analyst also broke down the main figures within the group, claiming a character they named as “Tramp” was likely the leader of the gang.

He and Bio used to work together at Conti, which also suffered a similar infamous internal chat leak in 2022, the researchers believe.

Lapa is one of the main administrators of the group, but appears to be paid markedly less than other senior members and is frequently insulted by his boss.

YY is another main admin and makes “a good salary,” although the chats don’t list specific figures. Under the watch of Lapa and YY, the group attacked Russian banks which is thought to have brought significant heat on the group from domestic law enforcement.

The nicknames were linked to what were described as the crims’ “real names,” although we’ve no way of knowing whether these are aliases.

Cortes is part of the Qakbot operation, which often works alongside Black Basta, but distanced himself from the ransomware crew following the attacks on Russian banks. It’s understandable, given that Russia generally turns a blind eye to cybercrime unless it targets organizations within Putinland.

The leaked messages span September 18, 2023, to September 28, 2024. The Register has not yet reviewed the chats in full, but the date ranges suggest intelligence related to many high-profile attacks could be hiding among them. They include:

Black Basta was known for targeting critical national infrastructure organizations, so the fact that so many feature in the list, and that researchers confirmed its “hit list” spreadsheet was not an opportunistic one, does not come as a surprise.

And for anyone wanting to scour the records themselves, the folks over at Hudson Rock have been quick to create what they’re calling BlackBastaGPT – an interactive ChatGPT-powered tool allowing researchers to uncover details from the chats. ®