Exploring Black Basta’s Use of Generative AI to Supercharge Cybercrime
Black Basta is a highly active ransomware-as-a-service (RaaS) operation that emerged in early 2022 and has since been linked to dozens of high-profile attacks against organizations worldwide. Known for their double-extortion tactics—stealing sensitive data and threatening public leaks in addition to encrypting systems—Black Basta has quickly become one of the most sophisticated and disruptive ransomware groups in operation.
In one of the clearest indicators of how cybercriminal groups are evolving, leaked internal communications from Black Basta confirm that they are not just experimenting with generative AI—they are operationalizing it.
Here is a breakdown of documented examples of how they are using these technologies, each backed by the relevant excerpt from the leaked chats, shown in the original Russian with an English translation.
Stolen ChatGPT-4 Plus Accounts for Unrestricted AI Access
To keep their own identities off the record, Black Basta members used paid ChatGPT Plus (GPT-4) accounts that belonged to someone else. In the chat logs, the group's leader circulates credentials for such accounts, including a listing from the plati.market marketplace, and shares them with other team members.
From Chat Log:
[2024-04-04 14:23:44] @usernamegg: 💜✅Chat GPT 4 PLUS⚡️❤️ PERSONAL ACC + MAIL 210168869,752575C188074FE2
[2024-04-08 08:53:46] @usernamegg: https://plati.market/itm/chat-...—personal-acc-mail/3683800
[2024-04-08 08:54:20] @usernameyy: да мне пока не нужен акк, нечего спрашивать
English Translation:
[2024-04-04 14:23:44] @usernamegg: 💜✅Chat GPT 4 PLUS⚡️❤️ PERSONAL ACC + MAIL 210168869,752575C188074FE2
[2024-04-08 08:53:46] @usernamegg: https://plati.market/itm/chat-...—personal-acc-mail/3683800
[2024-04-08 08:54:20] @usernameyy: I don't need the account yet, nothing to query
Beyond access to the paid tier, this puts a layer of indirection between the group and its queries: anything a member asks is logged against an account registered to someone else, so a conversation is harder to tie back to a specific Black Basta operator. The indirection is not absolute. The provider still sees the session's source addresses and usage patterns, and a bought account can be suspended or recovered by its real owner at any time.
The group did not stop at abusing legitimate tools. More concerning was its interest in WormGPT, an uncensored language model marketed to cybercriminals on underground forums. Mainstream assistants are aligned through supervised fine-tuning and reinforcement learning from human feedback and sit behind content-moderation layers; WormGPT is advertised as having neither, so its output is unrestricted and, without that tuning, less predictable. The excerpt below shows members looking for a way to obtain it; it does not show them using it:
From Chat Log:
[2023-10-06 15:19:30] @usernamenn: https://vc.ru/chatgpt/761733-wormgpt-alternativa-chatgpt-dlya-kiberprestupnikov
[2023-10-06 15:19:49] @usernamegg: https://vc.ru/chatgpt/761733-wormgpt-alternativa-chatgpt-dlya-kiberprestupnikov
[2023-10-06 15:19:55] @usernamegg: ищите его где взять
[2023-10-06 15:19:57] @usernamegg: будет радость
[2023-10-06 15:20:09] @usernamegg: https://vc.ru/chatgpt/761733-wormgpt-alternativa-chatgpt-dlya-kiberprestupnikov
English Translation:
[2023-10-06 15:19:30] @usernamenn: https://vc.ru/chatgpt/761733-wormgpt-alternativa-chatgpt-dlya-kiberprestupnikov
[2023-10-06 15:19:49] @usernamegg: https://vc.ru/chatgpt/761733-wormgpt-alternativa-chatgpt-dlya-kiberprestupnikov
[2023-10-06 15:19:55] @usernamegg: find out where to get it
[2023-10-06 15:19:57] @usernamegg: that would be great
[2023-10-06 15:20:09] @usernamegg: https://vc.ru/chatgpt/761733-wormgpt-alternativa-chatgpt-dlya-kiberprestupnikov
Using ChatGPT for Code Rewriting and Debugging
With access to these accounts, Black Basta members discussed turning to ChatGPT to debug and refine their attack tooling.
In one instance, after a Rapid7 deployment in a victim network started flagging all of the group's tools, a leader told the developer to rewrite everything in Python and to try doing it with ChatGPT: malware ported from C# to Python in an attempt to bypass antivirus and endpoint detection. The same leader instructed the developer to feed code into ChatGPT in smaller pieces whenever the tool refused a snippet as malicious. For detection engineers, the point to take from this exchange is that a port to another language changes the file and its hash, not what the tool does. The chat lists the capabilities to be rewritten (process handling, SMB, an ESXi tool); those behaviours survive the rewrite, so detections keyed on them age far better than a signature for one particular build.
From Chat Log:
[12:27:52] @usernamegg: короче я думаю всех распускать не на определнное время
[12:27:57] @usernamegg: нету смысла так работать
[12:27:59] @usernamegg: rapid7
[12:28:02] @usernamegg: сейчас сетка
[12:28:07] @usernamegg: уебала все
[12:28:28] @usernamegg: все инструменты палит наши
[12:28:34] @usernamegg: все движения палит
[12:28:42] @usernamegg: все переписываться надо на другом языке чтоб работало
[12:28:57] @usernamegg: я оставлю двоих человек
[12:29:03] @usernamegg: тебе надо сесть все на питон переписать
[12:29:09] @usernamegg: все что ты делал
[13:13:45] @usernamegg: ты какие инструменты им писал?
[13:13:54] @usernamegg: что они подразумевают под тем что все что ты писал надо переписать на питон?
[13:14:00] @usernamegg: какой это пласт работы
[13:14:35] @usernamegg: а там много всего, процессы, smb (хотя он вроде из линукса работает, но я не уверен), gok, esxi (из линукса работает), но всё не перепишешь
[13:15:03] @usernamegg: надо ты и какие функции, я я скажу возможно это или нет
[13:15:26] @usernamegg: попробуй переписать чатом гпт
English Translation:
[12:27:52] @usernamegg: Anyway, I think we should dismiss everyone, not just temporarily.
[12:27:57] @usernamegg: There's no point working like this.
[12:27:59] @usernamegg: rapid7
[12:28:02] @usernamegg: the network just now
[12:28:07] @usernamegg: blew everything up
[12:28:28] @usernamegg: all our tools are getting detected
[12:28:34] @usernamegg: all movements are being flagged
[12:28:42] @usernamegg: everything needs to be rewritten in a different language to work
[12:28:57] @usernamegg: I'll keep two people
[12:29:03] @usernamegg: you need to sit down and rewrite everything in Python
[12:29:09] @usernamegg: everything you've done
[13:13:45] @usernamegg: what tools did you make for them?
[13:13:54] @usernamegg: what do they mean when they say everything you wrote needs to be rewritten in Python?
[13:14:00] @usernamegg: what kind of workload are we talking about?
[13:14:35] @usernamegg: there's a lot: processes, SMB (although I think it runs from Linux, but not sure), GOK, ESXi (runs from Linux too), but you can't rewrite it all
[13:15:03] @usernamegg: tell me which functions exactly, and I'll say whether it's feasible
[13:15:26] @usernamegg: try rewriting it with ChatGPT
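The exchange above is the practical case for behaviour-based detection: the port to Python defeats a hash or file signature for the old build, but not a rule keyed on what the tool does on the network. The following added example (not code from the leaked chats, from Black Basta, or from the original post) runs two detectors over constructed telemetry: a signature that matches a known-bad hash, and a behavioural rule that fires on admin-share connections to several servers, or to two servers combined with SSH to an ESXi host, which are the capabilities the chat lists. The host names, hashes, and field names are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed telemetry for illustration only (not real Black Basta data).
# Field names (host, image, sha256, action, target, share, port) are assumptions
# for this example, not the schema of any particular EDR product.
EVENTS = [
    # ws-17: the original compiled tool, whose hash a vendor has already seen.
    {"host": "ws-17", "image": "scan.exe", "sha256": "11aa", "action": "smb_tree_connect", "target": "srv-fs01", "share": "ADMIN$"},
    {"host": "ws-17", "image": "scan.exe", "sha256": "11aa", "action": "smb_tree_connect", "target": "srv-db02", "share": "ADMIN$"},
    {"host": "ws-17", "image": "scan.exe", "sha256": "11aa", "action": "smb_tree_connect", "target": "srv-app03", "share": "C$"},
    {"host": "ws-17", "image": "scan.exe", "sha256": "11aa", "action": "net_connect", "target": "esxi-01", "port": 22},
    # ws-23: the same tooling rewritten in Python. New file, new hash, same behaviour.
    {"host": "ws-23", "image": "python.exe", "sha256": "22bb", "action": "smb_tree_connect", "target": "srv-fs01", "share": "ADMIN$"},
    {"host": "ws-23", "image": "python.exe", "sha256": "22bb", "action": "smb_tree_connect", "target": "srv-db02", "share": "ADMIN$"},
    {"host": "ws-23", "image": "python.exe", "sha256": "22bb", "action": "net_connect", "target": "esxi-01", "port": 22},
    # ws-40: an administrator's script touching a single server. Should not fire.
    {"host": "ws-40", "image": "powershell.exe", "sha256": "33cc", "action": "smb_tree_connect", "target": "srv-fs01", "share": "ADMIN$"},
    {"host": "ws-40", "image": "powershell.exe", "sha256": "33cc", "action": "smb_tree_connect", "target": "srv-fs01", "share": "C$"},
]

# What a signature-based control holds after the first campaign has been analysed.
KNOWN_BAD_HASHES = {"11aa"}

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def signature_hits(events, bad_hashes):
    """Hosts on which a binary with a known-bad hash executed."""
    return {e["host"] for e in events if e["sha256"] in bad_hashes}


def behaviour_hits(events, min_targets=3):
    """Hosts whose activity looks like lateral movement, whatever the binary.

    Fires when a host opens admin shares on at least `min_targets` distinct
    servers, or opens admin shares on at least two servers and also reaches
    SSH on a host named like an ESXi hypervisor.
    """
    share_targets = defaultdict(set)   # host -> servers where admin shares were opened
    esxi_ssh = set()                   # hosts that connected to an ESXi host on 22/tcp
    for e in events:
        if e["action"] == "smb_tree_connect" and e.get("share") in ADMIN_SHARES:
            share_targets[e["host"]].add(e["target"])
        elif e["action"] == "net_connect" and e.get("port") == 22 and e["target"].startswith("esxi-"):
            esxi_ssh.add(e["host"])
    return {
        h for h, targets in share_targets.items()
        if len(targets) >= min_targets or (len(targets) >= 2 and h in esxi_ssh)
    }


if __name__ == "__main__":
    # The signature only ever sees the first campaign; the behavioural rule sees both.
    print("signature:", sorted(signature_hits(EVENTS, KNOWN_BAD_HASHES)))  # ['ws-17']
    print("behaviour:", sorted(behaviour_hits(EVENTS)))                   # ['ws-17', 'ws-23']
```

The thresholds are deliberately simple; in production the admin-share count would be bounded by a time window and the ESXi condition would come from asset inventory rather than a host-name prefix, but the shape of the rule is the point: it keys on the actions the rewritten tool still has to perform.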
A developer working on Black Basta's infrastructure tooling also turned to ChatGPT to troubleshoot a proxy server build that would not run, suspecting the build had not been made for ARM/Linux, which shortens the turnaround on new attack infrastructure.
From Chat Log:
[2024-04-09 15:59:40] @n3auxaxl: пока не могу запустить почему-то
[2024-04-09 15:59:51] @n3auxaxl: не могу отследить крашит он его там
[2024-04-09 15:59:53] @n3auxaxl: или еще что
[2024-04-09 16:00:07] @n3auxaxl: или просто не запускает
[2024-04-09 16:01:14] @usernamegg: ну вот
[2024-04-09 16:01:25] @usernamegg: (
[2024-04-09 16:02:37] @n3auxaxl: хотя доступ полный
[2024-04-09 16:04:15] @n3auxaxl: щас попишу с chat gpt
[2024-04-09 16:04:20] @n3auxaxl: может билд не для arm делается
[2024-04-09 16:05:07] @usernamegg: давай
English Translation:
[2024-04-09 15:59:40] @n3auxaxl: for now I can't launch it for some reason
[2024-04-09 15:59:51] @n3auxaxl: can't trace whether it's crashing over there
[2024-04-09 15:59:53] @n3auxaxl: or something else
[2024-04-09 16:00:07] @n3auxaxl: or it just doesn't launch
[2024-04-09 16:01:14] @usernamegg: well there you go
[2024-04-09 16:01:25] @usernamegg: (
[2024-04-09 16:02:37] @n3auxaxl: even though I have full access
[2024-04-09 16:04:15] @n3auxaxl: I'll try asking chat gpt
[2024-04-09 16:04:20] @n3auxaxl: maybe the build isn't meant for ARM
[2024-04-09 16:05:07] @usernamegg: go ahead
On-Demand Translation for Fraudulent Communications
Beyond technical uses, Black Basta used ChatGPT's language capabilities to write formal, believable English correspondence, letting operators communicate convincingly with people inside target organizations.
For example, when a user noticed that someone had connected to his computer (the operator had dropped into the user's interactive session by mistake) and opened a chat to ask about it, the gang member had ChatGPT write a plausible message on the spot framing the activity as a legitimate check, sent it, and the user accepted the explanation.
From Chat Log:
[2024-02-21 23:53:51] @usernamenn: там чел запалил что то не ладное
[2024-02-21 23:53:55] @usernamenn: когда к нему на комп приконнектился
[2024-02-21 23:54:00] @usernamenn: начал паниковать чат открыл
[2024-02-21 23:54:02] @usernamenn: со мной
[2024-02-21 23:54:15] @usernamenn: я быстро chat гпт поднаебал и попросил мне написать фейк письмо
[2024-02-21 23:54:19] @usernamenn: правдоподобное
[2024-02-21 23:54:21] @usernamenn: я ему отправил чел успокоился
[2024-02-22 00:11:45] @usernamenn: все он сказал что нет проблем спасибо что объяснил))
[2024-02-22 00:11:55] @usernamenn: сука какой долбоёб попался хуйман
[2024-02-22 00:12:59] @usernamenn: да бля я зашел к нему на пк, и кинул почему то в его сессию, он увидел там что его комп контролируется и начал
English Translation:
[2024-02-21 23:53:51] @usernamenn: the guy noticed something suspicious
[2024-02-21 23:53:55] @usernamenn: when I connected to his computer
[2024-02-21 23:54:00] @usernamenn: he started panicking and opened the chat
[2024-02-21 23:54:02] @usernamenn: with me
[2024-02-21 23:54:15] @usernamenn: I quickly tricked ChatGPT and asked it to write me a fake letter
[2024-02-21 23:54:19] @usernamenn: something believable
[2024-02-21 23:54:21] @usernamenn: I sent it to him and the guy calmed down
[2024-02-22 00:11:45] @usernamenn: he said everything's fine, thanks for explaining))
[2024-02-22 00:11:55] @usernamenn: [censored] what an idiot we got, [censored]
[2024-02-22 00:12:59] @usernamenn: yeah ffs I logged into his PC and for some reason it dropped me into his session, he saw that his computer was being controlled and started
Leveraging GPT API Services for Automated Target Profiling
To scale reconnaissance, Black Basta integrated GPT API services into its target-profiling work. The chat shows the pipeline: email address databases previously bought for spam campaigns and collected from other affiliate programs, enriched and verified against LinkedIn, with the collection automated through an API, so that profiles of an organization's staff could be assembled in hours and the most susceptible individuals picked out for follow-up phishing and phone calls.
From Chat Log:
[2024-05-27 16:55:13] @usernamegg: вот есть компания
[2024-05-27 16:55:22] @usernamegg: нужно собрать по ним контакты с разных мест + email
[2024-05-27 16:55:26] @usernamegg: сможешь ?
[2024-05-27 16:55:33] @usernamegg: для флуда и звонка
[2024-05-27 16:55:39] @usernamegg: лучше самых дур находить
[2024-05-27 16:34:17] @tinker: привет привет!
[2024-05-27 16:34:28] @tinker: постараюсь
[2024-05-27 16:34:50] @usernamegg: ++
[2024-05-27 18:34:50] @tinker: мне интересно какие ресурсы ты используешь ?
[2024-05-27 18:35:08] @tinker: только завтра уже)
[2024-05-27 18:35:12] @tinker: линкедин
[2024-05-27 18:35:16] @tinker: из главного
[2024-05-27 18:35:22] @tinker: плюс все те базы почты которые брал для спама
[2024-05-27 18:35:26] @tinker: с других партнёрок
[2024-05-27 18:35:36] @tinker: я же какое-то время чисто под спам работал
[2024-05-27 18:35:44] @tinker: ну и дальше сверху через линкедин
[2024-05-27 18:36:04] @tinker: с новой пнг это всё автоматизируется
[2024-05-27 18:36:14] @tinker: через их открытый апи
[2024-05-27 18:48:30] @usernamegg: лучше бы сегодня
[2024-05-27 19:02:16] @tinker: начну смотреть
English Translation:
[2024-05-27 16:55:13] @usernamegg: there is a company
[2024-05-27 16:55:22] @usernamegg: we need to collect contacts for them from different sources + email
[2024-05-27 16:55:26] @usernamegg: can you do it?
[2024-05-27 16:55:33] @usernamegg: for spam and calls
[2024-05-27 16:55:39] @usernamegg: better to find the dumbest ones
[2024-05-27 16:34:17] @tinker: hi hi!
[2024-05-27 16:34:28] @tinker: I'll try
[2024-05-27 16:34:50] @usernamegg: ++
[2024-05-27 18:34:50] @tinker: I'm curious what resources you use?
[2024-05-27 18:35:08] @tinker: only tomorrow though :)
[2024-05-27 18:35:12] @tinker: LinkedIn
[2024-05-27 18:35:16] @tinker: that's the main one
[2024-05-27 18:35:22] @tinker: plus all the email databases I used for spam
[2024-05-27 18:35:26] @tinker: from other affiliate networks
[2024-05-27 18:35:36] @tinker: I used to work purely on spam for a while
[2024-05-27 18:35:44] @tinker: and then on top of that through LinkedIn
[2024-05-27 18:36:04] @tinker: with the new PNG this all gets automated
[2024-05-27 18:36:14] @tinker: through their open API
[2024-05-27 18:48:30] @usernamegg: better if it's today
[2024-05-27 19:02:16] @tinker: I'll start looking
AI-Powered Cybercrime Is Here
The Black Basta leaks leave no room for doubt: generative AI is no longer a speculative tool for cybercriminals—it’s integrated into their playbooks. And in an AI-powered attack landscape, traditional defenses alone are no longer enough.
Abnormal takes a fundamentally different approach to cybersecurity—using behavioral AI to detect unusual activity and block socially engineered attacks before employees can engage. By analyzing thousands of signals across email, identity, and third-party applications, Abnormal stops advanced attacks at their earliest stages, giving organizations a critical advantage against sophisticated threat actors.
The takeaway for defenders is clear: adversaries are using AI to scale and evolve. Defensive teams must embrace AI-powered detection, response, and proactive threat hunting—or risk being left dangerously behind.
