REQUIRED READING FOR DEFENDERS

“The girl should be calling men.” Leak exposes Black Basta’s influence tactics.

Disclosure of tactics, techniques, and procedures provides rare glimpse into secretive group.

Dan Goodin

A leak of 190,000 chat messages traded among members of the Black Basta ransomware group shows that it’s a highly structured and mostly efficient organization staffed by personnel with expertise in various specialties, including exploit development, infrastructure optimization, social engineering, and more.

The trove of records was first posted to file-sharing site MEGA. The messages, which were sent from September 2023 to September 2024, were later posted to Telegram in February 2025. ExploitWhispers, the online persona who took credit for the leak, also provided commentary and context for understanding the communications. The identity of the person or persons behind ExploitWhispers remains unknown. Last month’s leak coincided with the unexplained outage of the Black Basta site on the dark web, which has remained down ever since.

“We need to exploit as soon as possible”

Researchers from security firm Trustwave’s SpiderLabs pored through the messages, which were written in Russian, and published a brief blog summary and a more detailed review of the messages on Tuesday.

“The dataset sheds light on Black Basta's internal workflows, decision-making processes, and team dynamics, offering an unfiltered perspective on how one of the most active ransomware groups operates behind the scenes, drawing parallels to the infamous Conti leaks,” the researchers wrote. They were referring to a separate leak of ransomware group Conti that exposed workers grumbling about low pay, long hours, and grievances about support from leaders of Russia in its invasion of Ukraine. “While the immediate impact of the leak remains uncertain, the exposure of Black Basta's inner workings represents a rare opportunity for cybersecurity professionals to adapt and respond.”


Some of the TTPs (short for tactics, techniques, and procedures) Black Basta employed involved social engineering of employees at prospective victims: callers posed as IT administrators attempting to troubleshoot problems or respond to fake breaches.

“The girl should be calling men,” one Black Basta manager instructed in a chat message. “The guy should be calling women.” The reasoning behind the decision was to exploit trust biases Black Basta believed the targeted workers had. The manager went on to say employees had screened 500 prospective callers for the task. “In the end only 2-3 were competent, and we have a few others as backup. One girl is really good at calling, every fifth call converts into remote access :).”

The social-engineering operations were carefully coordinated, with members sharing updates in real time in chat messages and refining scripts and psychological lures on the fly.

Social engineering was just one weapon in Black Basta’s arsenal. The group also focused heavily on restocking its supply of vulnerabilities that could be exploited to gain control over targets’ networks. In the yearlong span the messages cover, members discussed more than 60 specific vulnerabilities with their own CVE tracking designations. When group members learned of a critical vulnerability in Exim—an open source mail server app with more than 3.5 million installations exposed to the Internet—one wrote: “We need to exploit as soon as possible.” The member then provided guidance based on previous experience in targeting Microsoft Exchange servers.

The group was also willing to pay premium prices for zero-day exploits from exploit brokers. In one instance, a member pasted an advertisement into a chat for a purported zero-day allowing unauthenticated remote code execution in Juniper firewalls. The member wrote that the seller “wants 200k for it, but I’ll negotiate,” likely meaning $200,000. A peer replied, “Well, 200k is a fair price for a 0day.” The other member responded, “yep.”

The members also discussed methods for negotiating ransom prices with victims, their frustration when victims refused or countered with much lower prices, and in one case, their worries about the fallout that might result from the disruption they caused to Ascension, a health care provider that lost control of sensitive data for nearly 5.6 million individuals in a 2024 breach.

SpiderLabs researchers wrote:

Recognizing the heightened scrutiny from law enforcement and government agencies, they opted to frame their actions in a more strategic manner. Instead of demanding payment for decryption, they offered to unlock critical systems as a “gesture of goodwill” while maintaining firm ransom demands for the stolen patient data. This approach was designed to mitigate potential backlash while still securing financial compensation. The chat logs confirm that negotiations with the hospital were particularly challenging. The victim’s representatives, likely with assistance from cybersecurity firms, pushed back against demands, arguing that the organization had already suffered immense financial losses and could not afford a ransom payment.

The attackers, aware of previous high-profile healthcare ransomware cases, anticipated strong resistance but remained firm in their demand, emphasizing the reputational damage and regulatory fines the hospital could face if patient records were leaked. At one point, an actor involved in the negotiations noted that this attack was receiving significant attention from government agencies such as the FBI and CISA. Despite the risks, they continued pressing for payment, eventually deciding to leak portions of the stolen data as a pressure tactic. The internal discussions suggest that while some members believed this could force a settlement, others feared that escalating the situation could provoke severe retaliatory measures, like those seen in past cybercrime crackdowns.

The level of detail could be useful to defenders who want to make their networks and employees less susceptible to breaches and social engineering, and those who respond to hacks once they’ve occurred.

Dan Goodin, Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.