Black Basta Ransomware Gang Exposed, Suspected of Russian Ties

New analysis of leaked internal chat logs suggests the notorious Black Basta ransomware gang may have closer ties to Russian authorities than previously thought.

Black Basta, a Russian-speaking ransomware-as-a-service (RaaS) operation, first surfaced in April 2022. Over the next two years, the gang claimed victims worldwide, launching high-profile attacks against hundreds of organizations. But recently, Black Basta’s activity slowed dramatically—thanks to a massive leak that exposed deep operational flaws.

Last month, a Telegram user known as @ExploitWhispers shared over 200,000 internal messages sent between Black Basta members over a year. According to online chatter, the leak was prompted by the group allegedly targeting Russian banks, though this remains unconfirmed.

Trellix cybersecurity researchers dove into the leaked logs and uncovered explosive details pointing to potential ties between Black Basta’s leadership and Russian authorities.

The chat logs identified Black Basta’s leader as Oleg Nefedov, also known by the aliases “GG” or “Tramp”. One key revelation? Nefedov was reportedly detained in Armenia last June—but was mysteriously released just three days later.

In an exchange between Nefedov and a contact named Chuck, Nefedov claimed that Russian officials helped him escape custody. According to his messages, he reached out to high-ranking contacts who cleared a so-called “green corridor” for his safe passage—implying state-level intervention.

If true, this paints a troubling picture of potential protection or cooperation between Black Basta and elements of the Russian government.

The leaked conversations also exposed more about Black Basta’s operational scale. Researchers believe the group may have run two physical offices in Moscow, offering further evidence that this isn’t a loosely connected cyber gang—but a well-organized criminal enterprise.

Another alarming discovery: Black Basta leveraged AI tools like ChatGPT in their operations. Logs show members used AI to:

  • Write phishing emails
  • Debug malware code
  • Rewrite ransomware scripts
  • Gather victim intelligence

This is one of the clearest examples yet of AI being weaponized by ransomware gangs to boost attack efficiency and scale operations.

While definitive proof of direct Russian state sponsorship remains elusive, Trellix’s findings highlight the blurry lines between cybercrime and geopolitical influence—especially when ransomware gangs like Black Basta operate so openly within Russia.

The use of AI-driven tools also signals a troubling shift in the cybercrime landscape. As criminal groups get more sophisticated, combining traditional hacking with machine learning and AI, future attacks could become even harder to detect and stop.

For now, the leaked chat logs offer rare visibility into the inner workings of a major ransomware-as-a-service operation—and raise urgent questions about how much protection or influence cybercriminals enjoy when operating from Russian soil.
