Fighting Back Against the Ransomware Gangs

By Christopher Whyte

Christopher Whyte is an associate professor (with tenure) of homeland security and emergency preparedness at the L. Douglas Wilder School of Government & Public Affairs at Virginia Commonwealth University. He is author of nearly four dozen peer-reviewed research articles, numerous reports, and five books focused on information warfare, the decision-making dimensions of cyber conflict, and the dynamics of organizational innovation and technology adoption.

OPINION — In early 2025, hundreds of thousands of internal chat messages from the Black Basta ransomware gang spilled into public view, echoing an unprecedented leak that rocked the cybercriminal underworld in 2022. Back then, it was Conti – at the time one of the world’s most prolific ransomware operations – whose private Jabber/XMPP logs were dumped online by an insider outraged over Conti’s overt support for Russia’s invasion of Ukraine. Now, Black Basta – a gang widely seen as an offshoot of Conti – faces its own crisis of exposure.  

These two incidents, separated by three years, underscore common fault lines surrounding cybercriminal enterprise. But perhaps more significantly, the leaks suggest the potential for generating deterrent effects via unconventional alternative methods. This is particularly important in light of the unprecedented developments of recent weeks that include a stand-down order handed to American cyber operators vis-a-vis Russian digital activities. Recent leaks reveal how internal politicking intersects with external pressures to destabilize even the most formidable ransomware groups, while comparison with the Conti episode highlights the sensitivity of these organizations – which constitute critical proxies of Russian state interests – to interference, interdiction and disruption by dedicated private actors. 

When the war came for Conti 

On February 25, 2022, Conti’s leadership posted a declaration of “full support” for Russia’s invasion of Ukraine, threatening retaliation against any cyberattack on Russia. The move was a grave miscalculation. Within hours, Conti softened its statement, but the damage was done. Ukrainian members, furious at being dragged into geopolitics, struck back the way they knew best—by leaking the gang’s internal communications. 

Over the next days, an anonymous Twitter account, ContiLeaks, dumped over 60,000 internal messages into the public domain, offering an unprecedented look inside the ransomware giant. The logs confirmed Conti’s corporate-like structure, detailed hacking tactics, and—most critically—revealed its vulnerabilities. While the group had weathered Western law enforcement disruptions before, the leaks shattered trust within its ranks. The war had split Conti along national lines, turning once-cohesive operations into chaos. 

The fallout was swift. Victims, wary of Conti’s now-public ties to Russia, stopped paying ransoms, fearing sanctions. By May 2022, the brand was abandoned, and its leadership dispersed. But the threat didn’t disappear. Key personnel resurfaced in smaller, more agile ransomware groups, including Black Basta, which emerged weeks later, following Conti’s playbook under a new name. 

Conti’s downfall sent a clear message to cybercriminals: overt geopolitical alignment is bad for business. Rival groups, including LockBit, declared themselves strictly “apolitical.” Yet, as Conti’s collapse showed, ransomware gangs exist within a delicate political bargain, thriving only as long as they don’t disrupt the interests of their state patrons. Here, a single leadership misstep exposed a fault line in the underworld community, pitting nationalist loyalties against gang cohesion. As a result, in the cyber ecosystem of Russia today, where criminals of various nationalities often collaborate and often align efforts to Moscow’s interests, the war abruptly redrew lines and made Conti an example of what happens when internal unity succumbs to external conflict. 

Black Basta: New brand, old problems

In the aftermath of Conti’s demise, Black Basta rose to notoriety through 2022 and 2023 by attacking dozens of organizations across multiple critical sectors. The group reportedly pulled in over $100 million in ransom payments during its first year and a half. Internally, Black Basta operated as a classic ransomware-as-a-service enterprise: a core team maintained the malware and leak site, while “affiliate” hackers carried out breaches and shared profits. Leaked Black Basta chats show members obsessing over new software vulnerabilities – 62 unique CVEs are referenced, often just days after public disclosure – underscoring their focus on quick operational gains. By all appearances, Black Basta was a well-oiled criminal enterprise, ruthlessly efficient and profit-driven. 

Yet the cracks were forming behind the scenes. By late 2024, the gang’s cadence of attacks slowed, hinting at trouble. Indeed, the leaked Black Basta chats (nearly 200,000 messages from September 2023 to September 2024) reveal a group beset by internal rifts. Key members defected to start rival ventures like the Cactus ransomware, undermining morale. Arguments flared over tactics and target selection. The specter of a leak or infiltration loomed large in members’ minds, betraying a lack of trust within the crew. 

Then, in February 2025, disaster struck from both within and without. An actor calling itself “ExploitWhispers” leaked a 47 MB archive of Black Basta’s internal chat logs on an underground forum. In a note written in Russian, the leaker explained the motive: Black Basta had “hacked domestic banks” – i.e., Russian banks – and thus “crossed the line”. In Russia’s underworld, attacking domestic entities is verboten, a surefire way to invite backlash from powerful quarters. Whether the leak was the work of a patriotic insider or a state-aligned actor sending a warning, the effect was devastating. Overnight, Black Basta’s secrets were laid bare, from wallet addresses to operational playbooks, and – most damagingly – the frank personal exchanges among its members. 

Those exchanges highlight how internal politicking intersected with external pressures to push Black Basta into collapse. A vivid example came in May 2024, when a Black Basta affiliate targeted Ascension, a large U.S. hospital chain. The ransomware attack crippled medical systems and sparked headlines about delayed patient care. In the leaked chats, the hacker responsible (“gg”) grappled with guilt and fear. “We are pentesters, not murderers,” he wrote. “If children or cancer patients get hurt, how can I live with it?” He and others debated giving the hospital a free decryption key – a rare act of mercy – while still seeking payment for stolen data. In the end, “gg” forced a policy change: no more hospital attacks. “Never again… Don’t give me anything like that,” he insisted to his team.

Black Basta’s leadership scrambled to contain the fallout after an affiliate’s ransomware attack on a hospital, which crossed both an ethical and strategic red line. The risk of harming patients wasn’t just a moral concern—it also invited intense law enforcement scrutiny. In response, the group banned healthcare targets, effectively an act of self-governance. But the fact that an affiliate had to enforce this rule so bluntly underscored weak central control. Unlike Conti’s top-down structure, Black Basta’s affiliate model made cohesion harder to maintain. 

Ultimately, Black Basta collapsed under a mix of internal fractures and external pressures. Infighting, defections, and distrust had already weakened the group. Then, by allegedly violating an unwritten rule—attacking Russian domestic targets—it provoked retaliation. Analysts noted that by early 2025, the gang was already faltering; the leaks simply accelerated its downfall. In the end, the same forces that had sheltered Black Basta turned against the group when it overstepped its bounds. 

Expected fallout, limited gains  

The collapses of Conti and Black Basta reinforce a key reality. Russia’s cybercriminal ecosystem operates on an implicit bargain, wherein gangs can thrive so long as they don’t threaten domestic interests or embarrass their hosts. Conti’s downfall came from a political misstep; Black Basta’s from targeting Russian entities. These cases also highlight the limits of Western disruption efforts, at least so long as Moscow provides sanctuary. While sanctions and law enforcement actions can create friction, cybercriminals easily regroup, adapting to new constraints. 

Additionally, the evolution from Conti to Black Basta underscores ransomware gangs’ resilience. Groups may “retire” or rebrand, but their talent and tactics persist. Taking down a single syndicate rarely eliminates the broader threat—new factions quickly emerge, facing the same recruitment and security challenges under the same geopolitical constraints. And Black Basta’s leaks confirm that even seasoned operators fall prey to familiar pitfalls: poor operational security, internal grudges, and overconfidence. Ultimately, these groups are as vulnerable to internal fractures as they are to external disruptions—an insight that should shape future deterrence strategies. 

Finding upsides in the search for deterrence 

This leak comes at a pivotal moment for Western cyber deterrence. Reports suggest the U.S. Defense Department has curtailed Cyber Command’s offensive operations against Russia, likely with the aim of stabilizing relations as the White House seeks a peace agreement to end the war in Ukraine. If U.S. cyber forces pull back, Russian cybercriminal groups could exploit the breathing room to regroup. With Moscow unlikely to dismantle ransomware gangs that serve its interests, the burden of deterrence shifts increasingly to Western law enforcement, international partnerships, and the private sector. 

The Conti and Black Basta leaks highlight how private industry coalitions can play a more active role in cyber deterrence. Exposure itself is a weapon—leaks can preempt threats by undermining trust within ransomware groups. Choking off monetization through financial scrutiny and intelligence-driven disruption offers another effective strategy. As government intervention wanes, private actors must take the lead in raising costs for cybercriminal operations. 

Most straightforwardly, the Conti and Black Basta leaks have given network defenders a wealth of intelligence – lists of indicators, favorite exploits, internal methodologies – that can be used to harden defenses and quickly detect the faint signatures of these attackers. Companies can use this insight, independently and collaboratively, to bolster their shields, especially since they may face a period in which government intervenes less aggressively against adversaries on their behalf. In practical terms, that means patching the vulnerabilities ransomware actors pounce on, practicing incident response plans, and, perhaps most importantly, refusing to pay ransoms when attacks do occur. Cutting off the money diminishes the incentive holding these criminal alliances together; recall that Conti’s alignment with a sanctioned regime led some victims to stop paying entirely, which in turn made Conti’s operation financially unsustainable.
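One concrete way a defender can turn a leaked chat archive into patch priorities is to pull every CVE identifier out of the messages, measure how soon after public disclosure the gang started discussing it, and cross-check the list against the organization’s own remediation inventory. The script below is an added illustration for this article, not code from the article, from Black Basta, or from any vendor; the chat export format, the CVE identifiers (deliberately in the reserved-looking CVE-2099 range), the disclosure dates and the patch inventory are all constructed for the demo.

```python
"""Triage CVE mentions in a leaked chat archive against a patch inventory.

Added illustrative example; not code from the article or from any gang or
vendor. Every chat line, disclosure date and asset record is constructed.
"""
import re
from collections import defaultdict
from datetime import date, datetime

# CVE identifiers: four-digit year, then a sequence of four or more digits
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

# Constructed chat export, hypothetical format: "YYYY-MM-DD HH:MM <handle> message"
CHAT_LINES = [
    "2024-01-12 09:14 <op1> anyone tested CVE-2099-0001 on the edge box?",
    "2024-01-12 09:20 <op2> CVE-2099-0001 works, PoC from the advisory",
    "2024-02-03 17:45 <op1> switching to cve-2099-0002 for the next run",
    "2024-02-04 08:02 <op3> CVE-2099-0002 and CVE-2099-0001 both still good",
    "2024-03-15 11:30 <op2> payroll done, nothing technical here",
]

# Constructed public disclosure dates for the hypothetical CVE ids above
DISCLOSURE = {
    "CVE-2099-0001": date(2024, 1, 10),
    "CVE-2099-0002": date(2024, 1, 30),
}

# Constructed remediation inventory: CVEs already patched on our estate
PATCHED = {"CVE-2099-0002"}

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} <[^>]+> (.*)$")


def extract_mentions(lines):
    """Return {cve_id: [mention_date, ...]} for every CVE id found in the chat."""
    mentions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on a dirty export
        day = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        for cve in CVE_RE.findall(m.group(2)):
            mentions[cve.upper()].append(day)  # normalise case so variants merge
    return dict(mentions)


def triage(lines, disclosure, patched):
    """Rank CVEs: unpatched first, then by mention count.

    Each row carries the lag in days between public disclosure and the first
    time the gang discussed the CVE, which is the signal the article notes.
    """
    mentions = extract_mentions(lines)
    report = []
    for cve, days in mentions.items():
        first = min(days)
        lag = (first - disclosure[cve]).days if cve in disclosure else None
        report.append({
            "cve": cve,
            "mentions": len(days),
            "first_mention": first.isoformat(),
            "days_after_disclosure": lag,
            "patched": cve in patched,
        })
    report.sort(key=lambda r: (r["patched"], -r["mentions"]))
    return report


if __name__ == "__main__":
    for row in triage(CHAT_LINES, DISCLOSURE, PATCHED):
        print(row)
```

On the constructed input the unpatched CVE-2099-0001, discussed two days after disclosure and mentioned three times, lands at the top of the list; the already remediated CVE-2099-0002 sorts below it. With a real leak the same structure works on the raw export once `LINE_RE` is adjusted to the archive’s actual timestamp format, and the `PATCHED` set would come from the vulnerability-management system rather than a literal.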

The leaks also highlight a subtler form of deterrence: operational exposure as a cumulative disruption tool. Conti collapsed due to internal betrayal; Black Basta fell after violating an unwritten rule. Western cyber strategists should exploit these fault lines by fostering distrust—encouraging leaks, rewarding insider tips, and amplifying doubts about gang leadership in underground forums. Every ransomware group harbors internal dissent, and external pressure can turn those cracks into full-blown schisms. Raising the reputational and financial risks of cybercrime can make these organizations more fragile.

The leaks also emphasize strategic disruption over purely operational takedowns. While law enforcement and private actors have succeeded in dismantling botnets and targeting cybercriminal infrastructure—such as Operation Endgame’s 2024 crackdown—these efforts often force gangs to scatter and rebrand. The greater opportunity lies in making reorganization itself difficult. Strategic disruption, driven by intelligence operations, can inhibit ransomware groups from easily regrouping, ultimately weakening their long-term viability. 

Lessons for cyber defenders 

The Black Basta episode underscores a familiar yet often overlooked reality: ransomware gangs, like other cyber proxies, operate on fragile foundations. Cyber strategy discourse tends to separate these actors from broader international security dynamics, yet parallels with terrorism research are instructive. Extremist groups often engage in spoiling or outbidding behavior, and similar fractures—ideological, strategic, or financial—can destabilize cybercriminal organizations. Specifically, these groups must balance efficiency with the volatile political-criminal environment they inhabit. The fault line between operations and geopolitics is ever-present, and crossing it—by taking a political stance or attacking the wrong target—can be fatal. As Conti and Black Basta show, internal fractures can be as disruptive as external pressure. For defenders, exploiting those vulnerabilities is key to tilting the balance. And for ransomware actors, no amount of illicit wealth or technical sophistication can fully shield them from the risk of internal collapse. 

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.