Hudson Rock has released BlackBastaGPT, an AI-powered chatbot trained on more than 1 million leaked internal messages from the Black Basta ransomware gang.
The tool, published just days after the unprecedented breach of the gang's own communications, lets researchers dissect the group's operations, financial strategies, and evolving attack methodologies through natural-language queries.
The release follows the February 11, 2025 leak of the gang's Matrix chat logs, which exposed 367 unique ZoomInfo links to targeted organizations, cryptocurrency wallet addresses, phishing templates, and candid discussions among key operatives.
The Leak That Exposed a Criminal Empire
The leak, attributed to an individual using the alias ExploitWhispers, spans roughly 13 months of communications (September 2023 to September 2024) and reveals Black Basta's internal strife.
The leaker reportedly acted in retaliation for Black Basta's alleged targeting of Russian banks, echoing the 2022 Conti leak that followed that group's pro-Russia stance on the invasion of Ukraine.
Messages detail the roles of high-profile members such as Trump (Oleg Nefedov, the alleged leader), YY (the main administrator), and Cortes (an actor linked to Qakbot).
One member claimed to be 17 years old. The logs also catalog exploitation of vulnerabilities in Citrix, Ivanti, and Fortinet devices, alongside phishing campaigns that used fabricated IT-support lures to deploy tools such as Cobalt Strike and SystemBC.
How BlackBastaGPT Transforms Threat Intelligence
Hudson Rock's chatbot uses generative AI to parse the dataset, so researchers can ask questions such as "What initial access vectors did Black Basta favor?" or "How did they calculate ransom demands?" Responses draw directly from the logs; they reveal, for example, that the gang used ZoomInfo to estimate victims' revenue and tailored ransom demands to "cumulative end-of-year cash flow."
The tool also surfaces operational color, such as members mocking news coverage of their activities, alongside technical details such as Bitcoin wallet addresses linked to payments.

“This isn’t just about data access—it’s about contextualizing the human elements of cybercrime,” said Alon Gal of Hudson Rock.
Researchers can now trace how Black Basta evolved its double-extortion tactics, which industries (healthcare, finance) it prioritized, and how negotiations were conducted. For example, the group often posed as a "professional" entity during ransom talks, using business jargon to pressure victims.
The leak corroborates long-standing advisories from the FBI and CISA, which tied Black Basta to more than 500 breaches and over $100 million in losses. Key technical insights include:
- Exploit Prioritization: The gang frequently targeted unpatched VPNs, RDP servers, and ESXi hypervisors, and the hundreds of ZoomInfo links in the logs point to meticulous victim reconnaissance.
- Toolset Adaptability: While Qakbot and Cobalt Strike were staples, the group tested newer payloads such as Brute Ratel to evade detection.
- Financial Orchestration: Discussions reveal Bitcoin laundering strategies and profit-sharing disputes among affiliates.
PRODAFT analysts warn that Black Basta's leaked TTPs (tactics, techniques, and procedures) could be adopted by splinter groups or rival gangs, so defenders should act on them now rather than wait for the next campaign.
Recommendations include hardening remote-access systems (VPN, RDP, and hypervisor management interfaces), enforcing multi-factor authentication, and monitoring for indicators of compromise such as AntispamConnectUS.exe, a filename under which the SystemBC proxy malware has been observed in these attacks.
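As an added illustration of the last recommendation (this is example code written for this article, not a Hudson Rock or PRODAFT tool), the following Python scans process-creation events for the IoC filename named above. It matches on the lowercase basename of the executed image, so a copy dropped under a different path or with different casing is still flagged. The Sysmon-style JSON events, field names, and the IoC set are constructed for the example; only AntispamConnectUS.exe comes from the article.

```python
"""Flag Black Basta-associated IoC filenames in process-creation telemetry.

Illustrative example for this article, not code from Hudson Rock or PRODAFT.
The events below are constructed samples in a Sysmon-like JSON shape
(EventID 1 = process creation), not real logs.
"""
import json
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Set

# IoC filenames from the article, kept lowercase because Windows paths are
# case-insensitive and attackers routinely vary casing and drop location.
IOC_FILENAMES: Set[str] = {"antispamconnectus.exe"}

# Constructed sample events (not real telemetry). Raw strings keep the JSON
# backslash escapes intact so json.loads() sees valid Windows paths.
SAMPLE_EVENTS = [
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\svchost.exe","ParentImage":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM"}',
    r'{"EventID":1,"Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AntispamConnectUS.exe","ParentImage":"C:\\Windows\\explorer.exe","User":"CORP\\jdoe"}',
    r'{"EventID":1,"Image":"D:\\tools\\ANTISPAMCONNECTUS.EXE","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"CORP\\helpdesk"}',
    r'{"EventID":3,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationPort":443}',
    'not json at all',
]


def basename(image: str) -> str:
    """Return the lowercase filename component of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def parse_event(line: str) -> Optional[dict]:
    """Decode one JSON log line; return None for malformed or non-object lines."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def match_iocs(lines: Iterable[str], iocs: Set[str] = IOC_FILENAMES) -> List[dict]:
    """Return one alert per process-creation event whose image basename is an IoC.

    Non-process-creation events and unparseable lines are skipped rather than
    raising, so a single bad line does not abort the scan.
    """
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        event = parse_event(line)
        if event is None or event.get("EventID") != 1:
            continue
        image = event.get("Image", "")
        name = basename(image)
        if name in iocs:
            alerts.append({
                "line": lineno,
                "ioc": name,
                "image": image,
                "parent": event.get("ParentImage"),
                "user": event.get("User"),
            })
    return alerts


if __name__ == "__main__":
    for alert in match_iocs(SAMPLE_EVENTS):
        print(f"line {alert['line']}: {alert['ioc']} -> {alert['image']} "
              f"(parent={alert['parent']}, user={alert['user']})")
```

Matching on the basename alone is deliberately loose: the same binary could be renamed, so in practice a hash or signer check should sit alongside it, but the filename rule is the cheapest first filter to run across existing endpoint logs.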
BlackBastaGPT shows how adversary-generated data can be turned into defensive intelligence. By converting raw chat logs into searchable, contextualized evidence, the tool lets organizations anticipate attack patterns rather than merely react to them.