On 20 February, every cyber threat intelligence researcher on the planet discovered a new goldmine – a document of almost 50 MB presented as the history of internal exchanges within the Black Basta ransomware group.

Cross-referencing the victims of cyber attacks mentioned in this file with known victims and, in some cases, their accounts, has confirmed the authenticity of the document. But there's more.

According to the authors of the leak – which had been waiting to be discovered since 11 February – behind the pseudonym gg is tramp, one of the leaders of the group, known under this name since the implosion of the Conti group in early 2022, following Russia's invasion of Ukraine. Some of the threads on the Matrix instance from which it originated refer to Tox conversations, which show that tramp also uses the pseudonym aa.

The financial flows confirm this. On 10 April 2023, tramp made a payment to ugway at the address 1fomikevryqivpbqogytrnor1mzspbwz (transaction 11824680b6f06876b3356035454B877801579a2ac1d4264e085254cdf76A4D).

The address from which the bitcoins in question originated was fed with funds, some of which were used to feed an address known to be linked to tramp: 16oosqz7B9vsdiz8QBWPCOKOKQWWQ3T43T. It was used from 29 September 2022 to 29 May 2024, with 347 transactions totaling almost 704 bitcoins received over the period.

The same link applies to a payment made by tramp to tinker at 1fputcyl6s6l6s6l6s6l6s6UQVWWWWWWWQJRFX3BFHDE (transaction f11af8ea6352b62A50c61fc0944CBFA1D4BFA1D4BFC2A3F00000000002017f47f475F25) on 12 February 2024.

Dangerous bonds

Among those involved in Black Basta's activities, one deserves particular attention – an individual using the pseudonym ssd. On 10 November 2023, tramp asked for an account to be created for him on the group's Matrix instance. ssd logged on straight away. He soon became heavily involved – there were 1,640 messages from him in December 2023.

Although he mainly speaks Russian, his messages are sometimes interpreted by translation software as being in Bulgarian or Slovakian.

On Tox, ssd also uses the pseudonym dd. It is with this that he contacts usernameyyy around 7 December 2023. Usernamej seems to know him and introduces him as a “сетевик” (network specialist). In fact, his activities seem to be more related to disguising malicious code to avoid detection.

But ssd won't be with the group for long – his last message dates from 17 February 2024. After that, radio silence – at least on the group's Matrix instance.

ssd and tramp already knew each other, potentially for a long time, according to logs provided by an anonymous source on 30 December. These show regular private exchanges on Tox. The earliest available date goes back to the end of October 2022, the most recent to the end of February 2023.

In them, tramp mentions a certain closeness to Royal (now BlackSuit), whose ransomware for ESXi he says he helped develop, or at least the automation of its deployment. He also says that – not necessarily surprisingly – he knows 90% of Conti.

On 12 November 2022, tramp stated that he regularly “supplied” Russian intelligence services, explicitly mentioning the FSB and the GRU, and that he worked a “desk job” with fixed hours.

A comeback attempt?

In their private exchanges, tramp and ssd talk in particular about a victim claimed under the Black Basta brand at the beginning of November 2022 – Mitcon Consultancy & Engineering Services. A month later, it was also claimed on the BianLian website. This was not the only victim claimed by Black Basta that the two of them discussed privately, without it being developed in the exchanges that have been disclosed.

After his disappearance from Black Basta's Matrix instance, ssd seems to have made a comeback, or at least tried to reconnect with tramp, indirectly.

Nickolas appears to have had contact with ssd at the beginning of May 2024 and tries to talk to tramp about it. He presents

Nickolas suggests that ssd managed to make large sums of money by redirecting users to fake online banking sites in order to recover their login details and session tokens. The leaked exchanges do not provide any details of what happened next.

Tramp's financial situation is enviable. Tracking the financial flows linked to his activities reveals, for example, a bitcoin address holding more than 20 bitcoins – worth $2m at the time of writing – 1bhukxyozuk5v6u83tggafyojitbw3japy. This address was fed again on 28 January. It has been in active use since September 2017. But it was also tramp who controlled the more than 2,000 bitcoins that came from Conti, consolidated on 17 January 2023 at the address BC1Q77Q346N52L0SJ46DXFR9SH8XZ6NV9NV9UXAKEXMGQ.

Tramp wanted?

But all may not be rosy. The authors of the recent disclosure have associated a name with the tramp pseudonym: Oleg Nefedov – this name also appears in the columns of the Armenian media site 168.am.

According to sources, Oleg Nefedov was arrested in Armenia on 21 June. The local courts were due to rule on his fate within 72 hours. However, failing to meet this deadline, he was released. The judge responsible for this situation has been sanctioned.

Nefedov is reported by US authorities for his involvement in multibillion-dollar fraudulent transactions. To date, no indictment against him has been made public by the US Department of Justice.

Analysis of the activity associated with the pseudonym gg in exchanges on Black Basta's Matrix instance shows a total absence of activity from 21 June 2024 to 2 July inclusive.
