Leaked chat logs expose inner workings of secretive ransomware group
arstechnica.com
internal rifts among cybercriminals

Researchers are poring over the data and feeding it into ChatGPT.

Dan Goodin, Feb 21, 2025 4:47 pm

Credit: Getty Images

More than a year's worth of internal communications from one of the world's most active ransomware syndicates have been published online in a leak that exposes the tactics, trade secrets, and internal rifts of its members.

The communications come in the form of logs of more than 200,000 messages that members of Black Basta sent to each other over the Matrix chat platform from September 2023 to September 2024, researchers said. The person who published the messages said the move was in retaliation for Black Basta targeting Russian banks. The leaker's identity is unknown; it's also unclear whether the person responsible was an insider or someone outside the group who somehow gained access to the confidential logs.

How to be your own worst enemy

Last year, the FBI and the Cybersecurity and Infrastructure Security Agency said Black Basta had targeted 12 of the 16 US critical infrastructure sectors in attacks mounted on 500 organizations around the world. One notable attack targeted Ascension, a St. Louis-based health care system with 140 hospitals in 19 states. Other victims include Hyundai Europe, UK-based outsourcing firm Capita, the Chilean Government Customs Agency, and UK utility company Southern Water. The native Russian-speaking group has been active since at least 2022.

"BlackBasta's internal chats just got exposed, proving once again that cybercriminals are their own worst enemies," a member of security firm Prodaft wrote Thursday.
"Keep burning our intelligence sources, we don't mind."

Researchers who have read the Russian-language texts said they expose internal rifts in the secretive organization. The rifts have escalated since one of its leaders was arrested, because the arrest increases the risk that other members will be tracked down as well. The heightened tensions have contributed to growing friction between the current leader, believed to be Oleg Nefedov, and his subordinates. One of the disagreements involved his decision to target a bank in Russia, which put Black Basta in the crosshairs of law enforcement in that country.

"It turns out that the personal financial interests of Oleg, the group's boss, dictate the operations, disregarding the team's interests," a researcher at Prodaft wrote. "Under his administration, there was also a brute force attack on the infrastructure of some Russian banks. It seems that no measures have been taken by law enforcement, which could present a serious problem and provoke reactions from these authorities."

The leaked trove also includes details about other members, including two administrators using the names Lapa and YY, and Cortes, a threat actor linked to the Qakbot botnet. Also exposed are more than 350 unique links taken from ZoomInfo, a cloud service that provides data about companies and business individuals. The leaked links provide insight into how Black Basta members used the service to research the companies they targeted.

Security firm Hudson Rock said it has already fed the chat transcripts into ChatGPT to create BlackBastaGPT, a resource to help researchers analyze Black Basta operations.