Black Basta Shuts Down: Internal Leaks, Betrayal, and the Fall of a Major Ransomware Empire
A Leading RaaS Operation Collapses in Chaos
One of the most well-known RaaS (Ransomware as a Service) groups in the cybercrime ecosystem, operating under the name Black Basta and first appearing in April 2022, is dramatically closing its doors.
The group hit high-profile companies in the United States and Germany in sectors such as real estate, retail, and healthcare, earning hundreds of millions of dollars through double extortion, its signature attack method, which became widely adopted among other ransomware crews.
Black Basta, founded in 2022, suspiciously soon after the shutdown of the Conti group, would encrypt a victim’s data and simultaneously threaten to leak stolen sensitive information.
This created a situation where victims faced not only operational disruption and data loss, but also severe reputational and financial damage, since leaked information could embarrass companies and expose them to competitive or regulatory risk.
Massive Internal Leak Shakes the Group
In February 2025, tens of thousands of internal chats leaked from within the group.
Hundreds of thousands of messages revealed internal conflicts, disputes between members, debates about techniques, and discussions on new tactics.
The source of the leak remains unclear, but it likely stemmed from internal tensions after some members pushed to begin attacking financial institutions in Russia, a controversial decision that created significant internal friction.
As of now, no arrests or confirmed law enforcement actions have been announced, but the volume of raw intelligence now in investigators’ hands is enormous.
The leaks include social engineering templates, crypto wallet addresses, tactical discussions about victims, nearly 400 ZoomInfo links (likely representing potential future targets), and even the identities of some of the group’s top figures, including Lapa, one of the leaders, and Trump, who allegedly managed the operation.
A Glimpse Into the Organization’s Structure
Members include a 17-year-old minor, expert social engineers tasked with identifying key personnel in victim organizations and initiating phone-based contact, and research and exploitation specialists who focused heavily on VPN vulnerabilities, a technique the group used extensively.
All victims were managed in a shared spreadsheet, with precise records documenting who was targeted, how, who was contacted, why, and with which method.
It mirrored a corporate sales and CRM workflow, only adapted for criminal operations.
Some of the group’s affiliates are now taking advantage of the chaos and betrayals.
They attack victims with ransomware, receive payment, and then refuse to provide decryption keys, exploiting the collapse for personal gain.
This type of behavior is uncharacteristic of the original group, which typically adhered to its own internal code of “honor” and provided decryption keys once ransom payments were received.
The End of Black Basta, but Not the End of Its Members
The group’s operation may be over, but it is entirely possible that its core members, united by shared motivation and experience, will regroup under a new name.
This particular market stall has closed, but the marketplace is still full.


