
Exposed Communications within Black Basta and Related Entities: Intercepted Conversations Offer Clarification on Attribution within Cybercrime Infrastructure

Uncovered conversations from the cybercriminal collective Black Basta expose their income methods, offering a clearer understanding of the ransomware market and enabling efforts to dismantle illicit networks.

Exposed Communications: Leaked Conversations Offer Insights into Attributing the Black Basta Cybercrime Ecosystem

In a significant development, internal chat logs of the prolific ransomware group Black Basta were leaked on 11th February 2025, exposing cryptocurrency addresses used by the group and other actors in the ransomware ecosystem. Since early 2022, Black Basta has reportedly received over $100 million in ransom payments.

The leaked chat logs offer insights into the operational and financial practices of ransomware groups like Black Basta and their enablers. The insights reveal a multi-layered laundering approach involving cryptocurrency mixing, proxy companies, unlicensed payment services, neobank exploitation, and malware-enabled access.

Upon receiving ransom payments in cryptocurrency, these groups often use CoinJoin-based mixing services to combine their funds with those of other users, obscuring transaction trails and making it difficult to trace the origin or destination of funds. Black Basta and similar groups set up industrial-scale laundering operations, including a network of shell companies, multiple bank accounts, and proxy-owned businesses to funnel illicit gains.

Virtual asset service providers can use transaction screening tools like Navigator to detect customer deposits linked to ransomware wallets. Law enforcement can focus on identifying and dismantling the unlicensed payment services and networks of proxy companies used to launder ransomware proceeds, cutting off their ability to integrate illicit funds into the legitimate financial system.

The discussions in the chat logs mention the use of mixers and bridges to lower risk scores and obscure fund origin, tactics frequently used by organized criminal groups. Some funds from the leaked addresses can be traced back to the Black Basta ransoms previously identified. The insights from the leak can potentially support asset seizures by law enforcement agencies.
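The two preceding paragraphs describe the same defensive check from both sides: a service provider screening an incoming deposit against known ransomware wallets, and an investigator tracing leaked addresses back to earlier ransom payments, with the caveat that a mixer hop is used to make a deposit look lower risk. The following is an added illustration written for this article, not code from Elliptic, Navigator or the Black Basta leak itself. It builds a small constructed ledger of placeholder addresses (none are real on-chain addresses), walks backwards from a deposit address through the transaction graph, and reports whether the funds originate from a flagged wallet, how many hops away, and whether they passed through a mixer address on the way. The address labels, `LEDGER`, `FLAGGED`, `MIXERS` and the `max_hops` limit are all assumptions made for the example.

```python
from collections import deque

# Constructed sample data for the example: every address below is a placeholder,
# not a real cryptocurrency address, and the transactions are invented.
FLAGGED = {
    "bc1q-ransom-placeholder-1": "ransomware payment wallet (constructed label)",
}
MIXERS = {"bc1q-mixer-placeholder"}  # constructed mixer deposit address

# Constructed ledger: (sender, receiver, amount).
LEDGER = [
    ("bc1q-victim-placeholder", "bc1q-ransom-placeholder-1", 10.0),
    ("bc1q-ransom-placeholder-1", "bc1q-hop-a", 6.0),
    ("bc1q-ransom-placeholder-1", "bc1q-mixer-placeholder", 4.0),
    ("bc1q-mixer-placeholder", "bc1q-hop-b", 3.9),
    ("bc1q-hop-a", "bc1q-exchange-deposit-1", 5.5),
    ("bc1q-hop-b", "bc1q-exchange-deposit-2", 3.8),
    ("bc1q-clean-source", "bc1q-exchange-deposit-3", 1.0),
]


def build_inbound_index(ledger):
    """Map each receiving address to the list of (sender, amount) that paid it."""
    inbound = {}
    for sender, receiver, amount in ledger:
        inbound.setdefault(receiver, []).append((sender, amount))
    return inbound


def classify(findings):
    """Turn the trace result into a coarse risk tier.

    A mixer on the path never lowers the tier: if a flagged origin is reachable
    the deposit is still 'high', and an unexplained mixer hop on its own is
    'elevated' rather than 'low'.
    """
    if findings["flagged_hits"]:
        return "high"
    if findings["via_mixer"]:
        return "elevated"
    return "low"


def screen_deposit(deposit_addr, ledger, flagged, mixers, max_hops=5):
    """Breadth-first trace of a deposit's funding sources, up to max_hops back.

    Returns a dict with the flagged wallets reached (address, label, hop count
    and the forward path from origin to deposit), whether any hop was a mixer,
    the shortest distance to a flagged wallet, and the resulting risk tier.
    """
    inbound = build_inbound_index(ledger)
    queue = deque([(deposit_addr, 0, [deposit_addr])])
    seen = {deposit_addr}
    findings = {
        "deposit": deposit_addr,
        "flagged_hits": [],
        "via_mixer": False,
        "min_hops": None,
    }
    while queue:
        addr, hops, path = queue.popleft()
        if addr in flagged and addr != deposit_addr:
            findings["flagged_hits"].append({
                "address": addr,
                "label": flagged[addr],
                "hops": hops,
                "path": list(reversed(path)),  # origin -> ... -> deposit
            })
            if findings["min_hops"] is None or hops < findings["min_hops"]:
                findings["min_hops"] = hops
            continue  # the flagged wallet is the origin we care about; stop here
        if addr in mixers:
            findings["via_mixer"] = True
        if hops >= max_hops:
            continue
        for sender, _amount in inbound.get(addr, []):
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, hops + 1, path + [sender]))
    findings["risk"] = classify(findings)
    return findings


if __name__ == "__main__":
    for dep in ("bc1q-exchange-deposit-1", "bc1q-exchange-deposit-2", "bc1q-exchange-deposit-3"):
        result = screen_deposit(dep, LEDGER, FLAGGED, MIXERS)
        print(dep, result["risk"], "hops:", result["min_hops"], "mixer:", result["via_mixer"])
```

In the constructed ledger, deposit 1 is two hops from the flagged wallet, deposit 2 reaches it only through the mixer, and deposit 3 has no flagged ancestry. Because BFS reaches each address by its shortest route, `min_hops` is the true minimum distance. The important design choice is in `classify`: a mixer hop raises rather than resets the score, which is exactly the trick the chat logs describe. A production screening tool would go further and apportion taint by amount across each transaction's inputs and outputs rather than treating any path as full exposure; this example shows only the graph walk and the hop limit, which is why lowering `max_hops` on deposit 2 downgrades it to "elevated" (the mixer is seen, the origin is not).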

Government agencies can leverage blockchain intelligence data from the leak to strengthen detection capabilities and expand on their models. Investigative teams can accelerate investigations with the insights from the data embedded in the leak. The use of Navigator, Investigator, and blockchain intelligence data can help undermine ransomware operations.

Profit shares for affiliates in Black Basta's operation vary, ranging from 15% to 80% of the ransoms received, depending on their level of involvement. Affiliates who only provided initial access received the smallest share, while those who independently identified targets, gained access, provided information, and deployed the ransomware locker received 80% of the ransom.

The richer, more structured insights can help investigative teams build on known typologies and surface region- or mission-specific risks. The findings from the Black Basta leak can be used to uncover additional cryptocurrency addresses. Ransomware groups like Black Basta employ complex money laundering strategies to convert ransom payments, typically made in cryptocurrencies, into "clean" money, while obscuring the trail to avoid law enforcement detection.

Closer scrutiny of coin-mixing services and enhanced blockchain analytics can help trace ransomware-related cryptocurrency flows, enabling seizure of funds and tracing back to criminal actors. Regulators and banks can implement stricter KYC and anti-money laundering (AML) measures on online-only banks and educate banking personnel on ransomware laundering tactics to detect suspicious activity earlier.

Disrupting malware infrastructure, such as botnets that enable ransomware access, limits the ability of gangs like Black Basta to gain entry, thus reducing their operational capabilities. Intelligence sharing and leak analysis can reveal phishing tactics, operational structures, and internal laundering methods, supporting preemptive defenses and law enforcement actions.

In summary, the Black Basta leak provides a wealth of information that can be used to disrupt ransomware networks, trace funds, and support asset seizures by law enforcement agencies. The insights offer several avenues to disrupt ransomware groups, requiring coordinated financial tracking, legal action against facilitators, advanced technical monitoring, and proactive intelligence gathering based on internal leaks and behavioural patterns.

Elliptic's blockchain forensics technology could be instrumental in tracing the laundered funds of ransomware groups such as Black Basta, given the group's use of cryptocurrency mixing services. The insights gleaned from the leaked chat logs could also be used to strengthen the cybersecurity measures of data and cloud computing systems, as they reveal the operational and financial strategies behind such threats.
