Ransomware: on the murky trail of one of the leaders of Black Basta
www.computerweekly.com
On 20 February, every cyber threat intelligence researcher on the planet discovered a new goldmine - a document of almost 50MB in size presented as the history of internal exchanges at the Black Basta ransomware group.

Cross-referencing the victims of cyber attacks mentioned in this file with known victims and, in some cases, their accounts, has confirmed the authenticity of the document. But there's more.

According to the authors of the leak - which had been waiting to be discovered since 11 February - behind the pseudonym GG is Tramp, one of the leaders of the group, known under this pseudonym since the implosion of Conti in early 2022, following Russia's invasion of Ukraine. Some of the exchanges on the Matrix instance from which the leak originated refer to Tox conversations which show that Tramp also uses the pseudonym AA.

The financial flows confirm this. On 10 April 2023, Tramp made a payment to ugway at the address 1FomikeVrYqivPbQoGYTRNor1mzSPPbbWZ (transaction 11824680b6f06876eb33560354b877801579be9a2ac1d4264e085254cdf76a4d).

The address from which the bitcoins in question originated was fed with funds, some of which were used to feed an address known to be linked to Tramp: 16oosqZ7b9vSdiZ8QbWPCoxRkQwQ3T43Bi. It was used from 29 September 2022 to 29 May 2024, with 347 transactions totalling almost 704 bitcoins received over the period.

The same link applies to a payment made by Tramp to tinker at 1FPutCyL6s6uqQVW4eTCoaVQjrFX3bFhde (transaction f11e1af8ea6352b62a50c6611fc0944cbf0fa1d4bf5bbfc22a3f02017f475f25) on 12 February 2024.

Among those involved in Black Basta's activities, one deserves particular attention - an individual using the pseudonym ssd. On 10 November 2023, Tramp asked for an account to be created for him on the group's Matrix instance. Ssd logged on straight away.

He soon became heavily involved - there were 1,640 messages from him in December 2023. Although he mainly writes in Russian, his messages are sometimes identified by translation software as Bulgarian or Slovak.

On Tox, ssd also uses the pseudonym DD. It is under this name that he contacts usernameyy around 7 December 2023. Usernamejj seems to know him and introduces him as a "". In fact, his activities seem to be more related to crafting malicious code to avoid detection.

But ssd would not stay with the group for long - his last message dates from 17 February 2024. After that, radio silence - at least on the group's Matrix instance.

This is because ssd and Tramp already knew each other, potentially for a long time, according to logs provided by an anonymous source on 30 December. These show regular private exchanges on Tox. The earliest available date goes back to the end of October 2022, the most recent to the end of February 2023.

In them, Tramp mentions a certain closeness to Royal (now BlackSuit), whose ransomware for ESXi he says he helped develop, or at least the automation of its deployment. He also says that - not necessarily surprisingly - he knows 90% of Conti.

On 12 November 2022, Tramp stated that he regularly "supplied" Russian intelligence services, explicitly mentioning the FSB and the GRU, and that he worked a "desk job" with fixed hours.

In their private exchanges, Tramp and ssd talk in particular about a victim claimed under the Black Basta brand at the beginning of November 2022 - Mitcon Consultancy & Engineering Services. A month later, it was also claimed on the BianLian website.

This was not the only victim claimed by Black Basta that the two of them discussed privately, without it being developed in the exchanges that have now been disclosed.

After his disappearance from the Black Basta Matrix instance, ssd seems to have made a comeback, or at least tried to reconnect with Tramp, indirectly. Nickolas appears to have had contact with ssd at the beginning of May 2024 and tries to talk to Tramp about it. He presents him as a big talker who has managed to maintain a particularly high standard of living.

Nickolas suggests that ssd managed to make large sums of money by redirecting users to fake online banking sites in order to harvest their login details and session tokens. The leaked exchanges do not provide any details of what happened next.

Tramp's financial situation is enviable. Tracking the financial flows linked to his activities reveals, for example, a bitcoin address holding more than 20 bitcoins - worth $2m at the time of writing - 1BhUkxYoZuK5v6u83TgGaFyoJitBw3JapY. This address was fed again on 28 January. It has been in active use since September 2017. But it was also Tramp who controlled the more than 2,000 bitcoins that came from Conti, consolidated on 17 January 2023 at the address bc1q77q346n52l0sj46dxfr9sh8xz6nv9uxakexmgq.

But all may not be rosy. The authors of the recent disclosure have associated a name with the Tramp pseudonym: Oleg Nefedov - this name also appears in the columns of the Armenian media site 168.am.

According to sources, Oleg Nefedov was arrested in Armenia on 21 June. The local courts were due to rule on his fate within 72 hours. However, failing to meet this deadline, he was released. The judge responsible for this situation has been sanctioned. Nefedov is reportedly wanted by US authorities for his involvement in multibillion-dollar fraudulent transactions.
To date, no indictment against him has been made public by the US Department of Justice.

An analysis of the activity associated with the pseudonym GG in exchanges on the Black Basta Matrix instance shows a total absence of activity from 21 June 2024 to 2 July inclusive.

Black Basta: tools developed to analyse the leak

On 20 February, just after Prodaft's website reported that internal exchanges of the Black Basta ransomware gang had been leaked, Computer Weekly's French sister site, LeMagIT, obtained the corresponding file and shared it privately with a select group of cyber threat intelligence analysts.

The file in question is a poorly formed JSON, with no inverted commas or commas between the objects. LeMagIT developed an initial Python script to clean it up so that it could ingest the data and process the messages individually. This was just the first in a series of tools - still evolving to this day - dedicated to analysing this leak and its contents.

The conversations recorded in this data took place in several virtual chat rooms - around a hundred - and involved several players. Around 50 pseudonyms are used, but they do not necessarily correspond to as many individuals.

To carry out a more granular examination, LeMagIT developed a Python script splitting the exchanges by virtual chat room and another splitting them by pseudonym.

To these were added scripts designed to extract bitcoin addresses together with the pseudonyms of the individuals mentioning them and the corresponding date, so that they could be contextualised by establishing who controlled each address, and who controlled each address from which the funds had been paid.

For his part, researcher Thomas Roccia has developed and published a Python notebook based on Marimo, producing indicators relating to the level of activity of Black Basta as a whole, according to the group's internal exchanges.

Building on this work, LeMagIT developed a script to track the activity of each member of the Black Basta group over the period covered by the leak, producing, for each member, a count of the messages sent month by month, a list of the virtual chat rooms in which they participated, and the first and last date of visible activity.

These elements are designed to track the comings and goings of the individuals involved, and to determine their periods of relative inactivity. They also make it possible to find a way through the mass of messages more quickly, and to investigate specifically each of the individuals involved in the group's activities.
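As an added illustration (not LeMagIT's own scripts, which are not reproduced here), the following Python sketch shows the three steps described above on a constructed sample: parsing JSON objects written back to back with no separating commas, building per-pseudonym monthly counts, chat rooms and first/last visible activity, and extracting bitcoin addresses together with who mentioned them and when. The field names timestamp, chat_id, sender_alias and message are assumptions about the dump's schema, and the two addresses in the sample are the ones quoted in the article.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout described in the text: JSON objects written back to back
# with no commas between them. Field names are an assumption, not the leak's real schema.
SAMPLE = (
    '{"timestamp": "2023-12-01 10:12:00", "chat_id": "!ops:matrix", "sender_alias": "ssd", "message": "tested the build"}'
    '{"timestamp": "2023-12-03 11:00:00", "chat_id": "!ops:matrix", "sender_alias": "gg", '
    '"message": "send to 1FomikeVrYqivPbQoGYTRNor1mzSPPbbWZ"}\n'
    '{"timestamp": "2024-02-17 09:30:00", "chat_id": "!dev:matrix", "sender_alias": "ssd", '
    '"message": "consolidated at bc1q77q346n52l0sj46dxfr9sh8xz6nv9uxakexmgq"}\n'
)

# Legacy base58 addresses (1.../3...) and bech32 addresses (bc1...).
BTC_RE = re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def parse_concatenated(text):
    """Return the objects from a file of JSON objects with no separators between them."""
    decoder = json.JSONDecoder()
    objs, pos = [], 0
    while pos < len(text):
        if text[pos].isspace():  # raw_decode does not skip leading whitespace itself
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)  # parse one object, get the index just after it
        objs.append(obj)
    return objs


def member_activity(msgs):
    """Per pseudonym: messages per month, chat rooms joined, first and last visible activity."""
    stats = {}
    for m in msgs:
        ts = datetime.strptime(m["timestamp"], "%Y-%m-%d %H:%M:%S")
        s = stats.setdefault(m["sender_alias"], {"months": Counter(), "rooms": set(), "first": ts, "last": ts})
        s["months"][ts.strftime("%Y-%m")] += 1
        s["rooms"].add(m["chat_id"])
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return stats


def bitcoin_mentions(msgs):
    """(address, pseudonym, timestamp) for every address quoted in a message, ready for chain lookup."""
    return [(addr, m["sender_alias"], m["timestamp"]) for m in msgs for addr in BTC_RE.findall(m["message"])]


if __name__ == "__main__":
    msgs = parse_concatenated(SAMPLE)
    print({a: dict(s["months"]) for a, s in member_activity(msgs).items()}, bitcoin_mentions(msgs))
```

The gaps in a member's monthly counts are what reveal periods of inactivity such as the one noted for GG above, and the address list is the input for the who-controls-what cross-referencing described in the text.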