Ransomware: on the murky trail of one of the leaders of Black Basta


On 20 February, every cyber threat intelligence researcher on the planet discovered a new goldmine – a document of almost 50 MB presented as the history of internal exchanges at the Black Basta ransomware group.

The cross-referencing of the victims of cyber attacks mentioned in this file with known victims and, in some cases, their accounts, has confirmed the authenticity of the document. But there’s more.

According to the authors of the leak – which had been waiting to be discovered since 11 February – behind the pseudonym GG is Tramp, one of the leaders of the group, known under this pseudonym since the implosion of Conti in early 2022, following Russia’s invasion of Ukraine. Some of the exchanges on the Matrix instance from which the leak originated refer to Tox conversations which show that Tramp also uses the pseudonym AA.

The financial flows confirm this. On 10 April 2023, Tramp made a payment to ugway at the address 1FomikeVrYqivPbQoGYTRNor1mzSPPbbWZ (transaction 11824680b6f06876eb33560354b877801579be9a2ac1d4264e085254cdf76a4d).

The address from which the bitcoins in question originated was fed with funds, some of which were used to feed an address known to be linked to Tramp: 16oosqZ7b9vSdiZ8QbWPCoxRkQwQ3T43Bi. It was used from 29 September 2022 to 29 May 2024, with 347 transactions totalling almost 704 bitcoins received over the period.

The same link applies to a payment made by Tramp to tinker at 1FPutCyL6s6uqQVW4eTCoaVQjrFX3bFhde (transaction f11e1af8ea6352b62a50c6611fc0944cbf0fa1d4bf5bbfc22a3f02017f475f25) on 12 February 2024.

Dangerous bonds

Among those involved in Black Basta’s activities, one deserves particular attention – an individual using the pseudonym ssd. On 10 November 2023, Tramp asked for an account to be created for him on the group’s Matrix instance. Ssd logged on straight away. He soon became heavily involved – there were 1,640 messages from him in December 2023.

Although he mainly writes in Russian, his messages are sometimes identified by translation software as Bulgarian or Slovak.

On Tox, ssd also uses the pseudonym DD. It is under this name that he contacts usernameyy around 7 December 2023. Usernamejj seems to know him and introduces him as a “сетевик” (a network specialist). In fact, his activities seem to be more related to crafting malicious code so that it avoids detection.

But ssd won’t be with the group for long – the last message dates from 17 February 2024. After that, radio silence – at least on the Matrix instance of the group.

In fact, ssd and Tramp already knew each other, potentially for a long time, according to logs provided by an anonymous source on 30 December. These show regular private exchanges on Tox. The earliest available date goes back to the end of October 2022, the most recent to the end of February 2023.

In these, Tramp mentions a certain closeness to Royal (now BlackSuit), whose ransomware for ESXi he says he helped develop, or at least the automation of its deployment. He also says that – not necessarily surprisingly – he knows 90% of Conti.

On 12 November 2022, Tramp stated that he regularly “supplied” Russian intelligence services, explicitly mentioning the FSB and the GRU, and that he worked a “desk job” with fixed hours.

A comeback attempt?

In their private exchanges, Tramp and ssd talk in particular about a victim claimed under the Black Basta brand at the beginning of November 2022 – Mitcon Consultancy & Engineering Services. A month later, it was also claimed on the BianLian website. This was not the only victim claimed by Black Basta that the two of them discussed privately, although the matter is not elaborated on in the exchanges that have now been disclosed.

After his disappearance from the Matrix instance of Black Basta, ssd seems to have made a comeback, or at least tried to reconnect with Tramp, indirectly.

Nickolas appears to have had contact with ssd at the beginning of May 2024 and tries to talk to Tramp about it. He presents him as a big talker who has managed to maintain a particularly high standard of living.

Nickolas suggests that ssd managed to make large sums of money by redirecting users to fake online banking sites in order to recover their login details and session tokens. The leaked exchanges do not provide any details of what happened next.

Tramp’s financial situation is enviable. Tracking the financial flows linked to his activities reveals, for example, a bitcoin address holding more than 20 bitcoins – worth $2m at the time of writing – 1BhUkxYoZuK5v6u83TgGaFyoJitBw3JapY. This address was fed again on 28 January. It has been in active use since September 2017. But it was also Tramp who controlled the more than 2,000 bitcoins that came from Conti consolidated on 17 January 2023 at the address bc1q77q346n52l0sj46dxfr9sh8xz6nv9uxakexmgq.

Tramp wanted?

But all may not be rosy. The authors of the recent disclosure have associated a name with the Tramp pseudonym: Oleg Nefedov – this name also appears in the columns of the Armenian media site 168.am.

According to sources, Oleg Nefedov was arrested in Armenia on 21 June. The local courts were due to rule on his fate within 72 hours. However, failing to meet this deadline, he was released. The judge responsible for this situation has been sanctioned.

Nefedov is reportedly wanted by US authorities for his involvement in multibillion-dollar fraudulent transactions. To date, no indictment against him has been made public by the US Department of Justice.

An analysis of the activity associated with the pseudonym GG in exchanges on the Matrix instance of Black Basta shows a total absence of activity from 21 June 2024 to 2 July inclusive.
