{
	"id": "45af207f-4d32-4816-b399-32d253c0f72d",
	"created_at": "2026-04-06T00:15:33.942605Z",
	"updated_at": "2026-04-10T03:21:26.51746Z",
	"deleted_at": null,
	"sha1_hash": "3ebc05ef1a2a61f9043186c092581863b9c51559",
	"title": "Inside Conti leaks: The Panama Papers of ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 185153,
	"plain_text": "Inside Conti leaks: The Panama Papers of ransomware\r\nBy Dina Temple-Raston\r\nPublished: 2023-01-17 · Archived: 2026-04-05 18:57:34 UTC\r\nThe ransomware group Conti has only been around for two years, but in that short time it has emerged as one of\r\nthe most successful online extortion groups of all time. Last year alone, it generated an eye-popping $180 million\r\nin revenue, according to the latest Crypto Crime Report published by virtual currency tracking firm Chainalysis.\r\nThe group almost exclusively targets companies with more than $100 million in annual revenues, which, in turn,\r\nallows it to routinely extract multimillion-dollar ransom payments from its victims.\r\nThe group seemed poised to continue in that vein until late last month, when it made a fatal mistake: it publicly\r\nsupported Russia’s invasion of Ukraine. The group’s allegiance clearly rubbed someone the wrong way. Within\r\ndays, the gang’s internal Jabber/XMPP server – which carried their private messaging channel – was hacked, and\r\ntwo years of the group’s chat logs appeared on a new Twitter handle called @ContiLeaks.\r\n“Greetings,” one tweet began. “Here is a friendly heads-up that the Conti gang has lost its s****” The message\r\nincluded a link that would allow anyone to download almost two years of private chats. “We promise it is very\r\ninteresting,” the tweet added.\r\n‘Panama Papers’ of Ransomware\r\nJohn Fokker, who runs the investigations team at Trellix, a cybersecurity company, has been combing through the\r\nchats since they were released. “We see nicknames that we've seen before in other ransomware groups,” he said.\r\n“We see infrastructure that belongs to [the famous banking Trojan] Trickbot. We see passwords. I call this the\r\nPanama Papers of ransomware.”\r\nThe Panama Papers rocked the banking world by laying bare how a law firm that specializes in helping the super\r\nrich stash their money in offshore accounts makes all that happen. 
The Conti leaks are the ransomware corollary\r\nbecause the chat logs illuminate everything from mundane details of how Conti is organized to new anecdotes\r\nabout the group’s possible links to the Kremlin.\r\nThe group fluctuated in size from 65 to more than 100 salaried employees. They spent thousands of dollars each\r\nmonth to buy security and antivirus tools to see if they could detect their malware, and then deployed them on\r\ntheir own systems for protection.\r\nLast August, the chat logs show, a manager named “Reshaev” wrote to someone named “Pin” and asked him to\r\ncheck on the Conti network once a week to ensure everyone was being careful about security. He tells Pin to\r\ninstall endpoint detection and response, a security technology that continually monitors an \"endpoint\" to mitigate\r\nmalicious cyber threats, on every administrator’s computer. He asks him to set up a more complex storage system\r\ntoo.\r\n“There’s a big case study to be done here for years,” Fokker said.\r\nhttps://therecord.media/conti-leaks-the-panama-papers-of-ransomware/\r\nPage 1 of 6\n\n‘Big game hunting’\r\nBack in the fall of 2020, two Conti hackers started a message thread. They had their fingers on keyboards that\r\nwould soon set off a wave of ransomware attacks against some 400 hospitals in the U.S. and Britain. This was when\r\nthe COVID-19 pandemic was in full swing, and locking up hospital computers was especially cruel. “F— the\r\nclinics in the USA this week,” one of the hackers, who went by the handle ‘Target,’ wrote, adding that the attack\r\nwould certainly set off a panic.\r\nConti manager “Target” directed his ire toward U.S. clinics in October 2020, just before launching a ransomware\r\nattack on more than 400 hospitals. 
The group generated an eye-popping $180 million in revenue last year,\r\naccording to the latest Crypto Crime Report published by virtual currency tracking firm Chainalysis.\r\nConti specializes in ‘big game hunting,’ which, in the hacking world, involves digging into the networks of high-value targets – like huge hospital systems – to find vulnerabilities, extracting important information, and then\r\ninstalling malware on their systems to prevent anyone from accessing their data until they pay a ransom.\r\nThe group even had a bit of an incentive operation, to focus the minds of their victims on just what was at stake.\r\nBefore installing the malware, Conti hackers would extract important, sometimes proprietary information, and then\r\nin their ransomware note explain how much data they stole, and what it might mean to the company if the\r\ninformation was sold or made public.\r\n“Hi There! This is the Conti Team,” read one of their ransomware messages captured in a report on the group from\r\nProdaft, a cybersecurity company in Switzerland. “As you already know we have infiltrated your networks… we\r\nhave downloaded your critical information with a total volume of 450 GB.”\r\nIt then goes on to lay out what might happen to the company if that information was made public. Then they\r\noffered a helpful link to a kind of victim-shaming blog they had built especially for that purpose. In addition to\r\nhospital systems, Conti (and its predecessor group Ryuk) targeted big companies like Garmin, Pitney Bowes, and\r\nTribune Publishing.\r\n‘Just like us’\r\nÉmilio Gonzalez works on a blue team for a large Canadian company. That means he defends its computer\r\nnetwork from actors like Conti. He stumbled on the chat logs on Twitter.\r\n“And I thought it was really cool and I wanted to get my eye and my hands on it,” he said from his home office,\r\nswinging back and forth in one of those big ergonomic chairs that gamers have. 
His fingernails are painted black.\r\nHe’s been reading the chat logs for three days so far. “I have a day job, so I only do it during lunch and the\r\nevenings, but I've spent a lot of hours on that and I'm not even close to done having seen everything.”\r\nWhat has surprised him is how much he identifies with the Conti hackers whose messages he’s reading. “They are\r\njust like us,” he says. They ask for paid leave, share office gossip, and make plans with co-workers. “It makes\r\nsense. It's the same for them. They want to connect with people and they want to live their life, even if they’re\r\nwhat we consider bad guys.”\r\nConti members message back and forth on New Year’s Eve 2021. Two months later, after the group pledged\r\nallegiance to Moscow amid Russia’s invasion of Ukraine, tens of thousands of Conti’s chat messages were leaked.\r\n(Messages were originally published in Russian, then translated by a group on GitHub.)\r\nConsider the case of a Conti manager named Target. It turns out he’s a bit of a jerk boss; the kind of guy who\r\nshows he’s impatient by sending one-word emails in succession like: where… are… you? The Saturday before\r\nthose hospital attacks, he put out an all-call and it was not a request for help, it was a demand. “Everyone is\r\nworking today,” he declared. No explanation, no apologies.\r\nThe chats show a clear hierarchy. You have middle managers, like “Target”; worker-bee programmers who write\r\nthe malicious code that makes ransomware work; an IT team that maintains their servers, backs up their data, and\r\ncan quickly break it all down.\r\nWhich begs the question: how could such a sophisticated hacking group fail to encrypt their chats?\r\nDiscordian, who is a kind of spokesperson for the hacktivist collective Anonymous, said Conti’s lack of\r\noperational security is jaw-dropping.
\r\n“The dumb part of this is the way they did it in an unencrypted matter,” he said. “That's unthinkable, right? They\r\nmust be shaking in their boots right now, because a lot of their identities will be revealed through these leaks, a lot\r\nof the way they do their operations.”\r\nGet out of jail free card?\r\nTrellix’s John Fokker has been tracking Conti – and its predecessor Ryuk – for years. He used to be part of the\r\nDutch National High-Tech Crimes Team and he followed all the big ransomware groups like Conti. So he’s been\r\nparticularly intrigued by the contents of these chat logs.\r\n“We could see very interesting conversations, nicknames that we've seen before in other ransomware groups,\r\npasswords,” he said, adding that it is helping them connect lots of dots, two of which involve\r\nConti and Russian law enforcement.\r\nIn particular, he points to an exchange between two members of Conti in which they are talking about Bellingcat,\r\na Netherlands-based investigative journalism group. They focus on fact-checking and open-source intelligence.\r\nIn their conversation the hackers seem to be searching the Bellingcat network on behalf of someone else. “And\r\nwhat really stood out was the conversation that took place that they said like, ‘Okay, this is very interesting\r\ninformation. We need to save this.’ And they literally said, ‘Okay, look for stuff that's related to Navalny.’”\r\nAlexei Navalny is a jailed Russian opposition leader who is Vladimir Putin’s nemesis. In 2020, after surviving an\r\nassassination attempt, Navalny worked with Bellingcat to identify his would-be killers and eventually got one of\r\nthe assassins to confess to the attempt over the phone. 
So that could explain why they were looking around the\r\nBellingcat network.\r\n“They literally said, ‘Okay, save this stuff related to Navalny and save it in the folder Navalny FSB,’” Fokker\r\nexplained, referring to Russia’s Federal Security Service, which conducts counterintelligence and internal\r\nsecurity.\r\n“So this basically confirms a lot of what we have always been suspecting,” Fokker said. “Obviously we don't\r\nknow if they were actually guided by a state, but it could indicate there might've been a relationship. It could have\r\nbeen their get out of jail free card.”\r\nFokker says it could help explain why the group came out supporting Russia after the invasion. “Sometimes the\r\ntruth is more amazing than what we could think of, but for now this is the running hypothesis that there is some\r\nlevel of interaction that has taken place.”\r\nWhat’s so extraordinary about the leaks is that the messages allow the world to examine the group at close range\r\nand in real time, with all its eccentricities and personalities.\r\nIn the past, analysts learned about these groups in snippets, like when someone got arrested. This is different\r\nbecause it provides a glimpse of Conti when the hackers’ guards are down, which could be a boon for law\r\nenforcement.\r\n“Maybe it is the end of Conti in the fashion that we knew,” Fokker said, adding they haven’t been outed or doxxed\r\nor identified or arrested yet. “As long as these people are still not arrested, they can still commit the same crime,\r\nthe skill doesn't fade in that regard. And they can still regroup somewhere else.”\r\nWhich brings us to the unintended consequences of the leak: the way Conti is likely to react in the wake of all this.\r\nFokker expects the group will borrow from al-Qaeda and the terrorism model and instead of organizing like a\r\ncohesive army, they could turn to more independent cells, which are harder to track.\r\n“I wouldn't be surprised,” Fokker said. 
“Long story short this whole eco climate of ransomware is going to\r\nbecome more fluid and there will be more self-sustained groups that will work less as a hierarchy and more as a\r\nnetwork. I would not be surprised if you see something like that.”\r\nSean Powers and Will Jarvis contributed to this report.\r\nDina Temple-Raston\r\nis the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\r\nSource: https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/"
	],
	"report_names": [
		"conti-leaks-the-panama-papers-of-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ebc05ef1a2a61f9043186c092581863b9c51559.pdf",
		"text": "https://archive.orkl.eu/3ebc05ef1a2a61f9043186c092581863b9c51559.txt",
		"img": "https://archive.orkl.eu/3ebc05ef1a2a61f9043186c092581863b9c51559.jpg"
	}
}