Black Basta Chat Leak - Organization and Infrastructures

ID: 1519c57a-ab4a-57ff-90d1-7fa833feca6c

STIX ID: report--1519c57a-ab4a-57ff-90d1-7fa833feca6c

Feed Name: Cybercrime Diaries

Threat Score: 75/100

Date Published: 2025-03-05

Date Updated: 2026-04-19

Author: Oleg

This report reviews a February 2025 leak of 196,045 internal Matrix chat messages from the Black Basta ransomware group, assessing their authenticity and using them to map the group’s hierarchy, roles (leadership, infrastructure, affiliates, coders, crypting, social engineering), and infrastructure practices. It details how Black Basta used legitimate hosts via resellers (notably Hetzner), selective bulletproof hosting (e.g., Gerry), and proxying to obfuscate C2 (including Cobalt Strike), and notes periodic server and Matrix migrations alongside indications of two office-based operations under leader “Tramp” (likely Oleg Nefedov). While the group historically impacted 500+ organizations, the report observes no new victims since Jan 2025 and a downed leak site, yet underscores that the leak provides numerous investigatory leads (handles, services, contact data, crypto addresses, and vulnerabilities).
