Understanding RaaS group structures, low‑cost tools, and rebranding patterns equips organizations to anticipate attacks, allocate resources effectively, and strengthen multi‑layered defenses against a threat that costs billions annually.
John Dilgen, a cyber‑threat intelligence analyst at ReliaQuest, presented a deep dive at DEF CON 33’s Recon Village titled “Inside the Shadows: Tracking Ransomware‑as‑a‑Service (RaaS) Groups and Evolving Cyber Threats.” He framed the discussion around the staggering $124 billion annual ransomware cost to U.S. firms and the difficulty of staying ahead of constantly shifting threat actors.
Dilgen outlined the intelligence pipeline ReliaQuest uses: dark‑web leak sites, internal and external attack telemetry, and law‑enforcement notifications. He illustrated how these sources expose aliases, tactics, techniques, and procedures (TTPs), affiliate recruitment, and even social‑media footprints of groups such as BlackBasta, a Russian‑speaking RaaS outfit that entered the scene in April 2022 and commands up to $1 million per year for affiliate access.
A striking example was the February 2025 internal chat leak, which revealed a parody‑style hierarchy, the leader “Trump” pushing higher ransom demands, and cross‑group collaborations with Qakbot and Rostafari. Dilgen also highlighted a low‑cost “email spam bomb” service advertised for $9 per campaign, underscoring how inexpensive tools enable low‑paid affiliates to launch massive phishing floods.
The takeaway for defenders is clear: threat intelligence must be operationalized into a proactive, layered security posture. Monitoring dark‑web marketplaces, correlating leaked communications, and anticipating rebranding—evidenced by BlackBasta’s post‑leak activity drop and possible evolution into the Chaos team—are essential to mitigate the expanding RaaS ecosystem.