Wednesday, February 26, 2025

Ransomware: Uncovering the Shadows of a Black Basta Leader

On February 20, every cyber threat intelligence researcher hit the jackpot when they stumbled upon a 50 MB document detailing the internal conversations of the Black Basta ransomware group.

They quickly verified the file by cross-referencing the victims mentioned with known cases and even tracked down some of their accounts, confirming the document’s authenticity. What stood out was the pseudonym GG, linked to Tramp, a key figure in the group. He first emerged after Conti fell apart in early 2022, following Russia’s invasion of Ukraine. Some messages from the leaked Matrix instance hinted at his use of another alias, AA, in Tox conversations.

Financial transactions tied to him reveal further connections. On April 10, 2023, Tramp made a payment to ugway with a bitcoin transaction. The source address had funds that flowed into one closely associated with him, marked by hundreds of transactions amassing nearly 704 bitcoins from late September 2022 to May 2024. Notably, he sent another payment to tinker in February 2024.

One intriguing figure among Black Basta members is ssd. On November 10, 2023, Tramp requested that an account be created for him on the Matrix. Ssd logged in quickly and engaged heavily, sending over 1,600 messages in December alone. His communications, primarily in Russian, are sometimes classified as Bulgarian or Slovakian by translation software. In Tox, he goes by the name DD and appeared to have a knack for devising malicious code to evade detection.

However, ssd’s time with the group was short-lived. His last message popped up on February 17, 2024, after which silence reigned on the group’s Matrix instance. Logs from an anonymous source linked him to Tramp long before, with private chats dating from late October 2022 to February 2023. Tramp hinted at his connection with a group called Royal (later known as BlackSuit) and his involvement in developing ransomware.

In their private discussions, Tramp and ssd revisited a victim claimed by Black Basta in November 2022, which also made it to another ransomware site later on. Following his departure from the Matrix, ssd seemed to attempt a comeback by reaching out to Tramp indirectly through Nickolas in May 2024. Nickolas described ssd as well-off and suggested he made money through redirecting users to fake banking sites.

Financially, Tramp appears to be thriving. One of his bitcoin wallets held over 20 bitcoins, estimated at $2 million, and showed activity from as early as September 2017. He also controlled a wave of over 2,000 bitcoins from the Conti group, consolidated in January 2023.

Yet, the situation isn’t entirely stable for Tramp. Some disclosures have tied him to Oleg Nefedov, a name that cropped up in Armenian media. On June 21, Nefedov was arrested in Armenia, but a judge’s failure to act within 72 hours led to his release, resulting in sanctions against the judge. He’s reportedly sought by U.S. authorities for major fraudulent activities, although no formal indictment has been announced yet. Notably, activity linked to Tramp vanished from June 21 to July 2, 2024.