{
	"id": "23c819dc-9059-4f21-ad0d-2a0a1cc2e06d",
	"created_at": "2026-04-06T00:12:39.198724Z",
	"updated_at": "2026-04-10T13:11:48.313234Z",
	"deleted_at": null,
	"sha1_hash": "a19afa1b0b567dc36856b519a97bfeb8bb9cc6cb",
	"title": "Shadow Banker Makes Glorious Return, Interviews Guy Exposing Conti Command \u0026 Control – Shadow Banker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65014,
	"plain_text": "Shadow Banker Makes Glorious Return, Interviews Guy Exposing\r\nConti Command \u0026 Control – Shadow Banker\r\nWritten by Shadow Banker\r\nArchived: 2026-04-05 13:16:00 UTC\r\nAuthor’s note: Fantomas is a researcher*\r\nSo, it’s been like three-and-a-half years since Shadow Banker published anything on their website. A lot of stuff\r\nhappened and I’m not trying to go into any great detail about it, especially since there’s actually some money on\r\nthe line now. But the reason for this writeup is to discuss some recent developments in the Conti investigation.\r\nYou know, the notorious and bygone Russia-nexus ransomware gang.\r\nIn 2022, the U.S. Department of State put a $10 million bag on the gang, seeking information on the owners,\r\noperators, and affiliates of the ransomware-as-a-service (RaaS) syndicate. Anyway, since some guy on the Ramp\r\nforum basically accused Shadow Banker of being the ransomware researcher GangExposed, an OSINT wizard\r\nwho has been diligently deanonymizing top Conti members over the last two months, Shadow Banker had the\r\nbright idea of interviewing the mysterious ransomware investigator himself.\r\nFortunately, GangExposed graciously accepted Shadow Banker’s interview request and agreed to answer about\r\n10 questions pertaining to his background and recently obtained, high-confidence intel about Conti. 
Since April\r\n19, some of the highlights from the researcher’s doxxing campaign include releasing video footage taken on a\r\nprivate jet, chronicling Conti gang boss Target’s birthday getaway, exposing the operations of the gang’s one-time\r\nDubai operating post, and revealing the crypto money laundering front used by the group to disguise their source\r\nof income: the Russian Blockchain Life Forum.\r\nGangExposed, who said he is a native Russian speaker, has high confidence that his attributions are accurate.\r\n“After I firmly verified my findings multiple times,” he told me, “a few months ago, I launched a small but painful\r\ninformation attack in Telegram targeting some Conti members (Target and Professor). Out of desperation, they\r\neven tried to buy a Telegram exploit, offering $4 million for a zero-click vulnerability.”\r\nThe researcher directed me to a Russian-language Habr article discussing this zero-day solicitation. “I also spoke\r\nwith Stern (Vitaly Kovalev, the gang’s supreme leader who has also been previously sanctioned by the U.S.\r\nTreasury for his role in Trickbot malware distribution), and he let it slip that he knows Target and Professor by\r\ntheir real names and admitted that he was Stern. I plan to publish this later too.”\r\nMost recently, the researcher exposed Stern’s “new face,” which has allegedly undergone plastic surgery to help\r\nthe suspected cybercriminal change his appearance.\r\nhttps://www.shadowbanker.io/2025/05/shadow-banker-makes-glorious-return-interviews-guy-exposing-conti-command-control/\r\nPage 1 of 4\n\nBut first, here is an overview on the Conti gang and why they are so uniquely exceptional in the history of the\r\nransomware industry. According to the State Department’s bounty page, the “Conti ransomware group has been\r\nresponsible for hundreds of ransomware incidents” between 2019 and 2022. 
Following the February 2022\r\ninvasion of Ukraine, a Ukrainian affiliate, angered by the gang’s public declaration of their allegiance to Russia,\r\nleaked a bunch of the syndicate’s internal chat logs.\r\nThrough January 2022, the FBI estimated that Conti had successfully attacked over 1,000 organizations,\r\ngenerating ransom payouts “exceeding $150,000,000, making the Conti Ransomware variant the most damaging\r\nstrain of ransomware ever documented,” according to the State Department bounty page. In April 2022, Conti\r\nlaunched a ransomware attack “against the government of Costa Rica that severely impacted the country’s foreign\r\ntrade by disrupting its customs and taxes platforms,” noted the State Department. The gang disbanded shortly after\r\nlaunching this attack, leading to the formation of various spinoffs.\r\nAccording to research from cyber threat intelligence firm RedSense published in 2023, Conti operations\r\nreconstituted themselves via various RaaS offshoots, including Royal, Black Basta, Zeon, Silent Ransom Group,\r\nand AvosLocker. The following discussion will highlight GangExposed’s commentary on Conti’s command and\r\ncontrol, as well as the researcher’s technical background and experience.\r\nSB: Apart from the $10 million bounty, what made you want to expose Conti?\r\nGE: Honestly? I don’t operate for medals or money. For me, this is sport — a challenge, a hunt. I’ve always found\r\nthe myth of cybercriminal invincibility amusing. Especially when their leaders circle Western intelligence for\r\nyears while agencies helplessly spin their wheels. I enjoy solving the toughest puzzles, dragging so-called\r\nanonymity experts into the spotlight, and proving there’s no such thing as perfect obfuscation. Money is an\r\nillusion. Anonymity — that’s real.\r\nSB: What is your technical background? 
Where are you from?\r\nGE: Surprisingly, I have no formal IT background. I’m not a “techie” in the usual sense. My arsenal includes\r\nclassic intelligence analysis, logic, factual research, OSINT, stylometry, human psychology, and the ability to\r\npiece together puzzles others don’t even notice. I’m a cosmopolitan nomad — many homes, no permanent base. I\r\nmove between countries as needed. My privacy standards are often stricter than those of the very people I\r\ninvestigate.\r\nSB: Aren’t you afraid Conti or Russian intelligence might retaliate and uncover your identity?\r\nGE: Honestly, no. Because anonymity isn’t a costume — you don’t just “put it on.” It’s a reflex, honed over years:\r\nthink — delete, write — burn, meet — vanish. I’ve never had real social media, never used messengers where\r\nanyone called me by name. I haven’t had a “real” name in years.\r\nThe lifestyle I lead would feel like torture to most “invisible” cybercriminals — but I’m used to it. Sure, nothing is\r\n100% safe. But staying invisible to hunters who believe they themselves are invisible — that’s the real thrill. I\r\nenjoy hunting the hunters.\r\nSB: Which cybercriminal forums do you visit?\r\nGE: I enjoy forums with rich data leaks — a treasure trove for stylometry. XSS, Exploit — those are classics, the\r\ngold standard for the underground service economy. You can sometimes spot the seedlings of new trends there.\r\nBut the world doesn’t revolve around legacy platforms — if those go offline, others will take their place. Always\r\nhas, always will.\r\nSB: What are former Conti members doing now?\r\nGE: From what I know, some veterans have stepped away from direct attacks. Some are deep in crypto, some\r\nmentor younger players, some orbit blockchain startups as “consultants.” I’ve pranked a few personally —\r\nincluding Stern, recently — and got some unexpected admissions. Many handed down their methods and retreated\r\ninto grey eminence roles. 
But that doesn’t mean their influence has waned — it’s just gone deeper underground.\r\nSB: Which sector do you think will be the main target for ransomware in the second half of 2025?\r\nGE: I won’t pretend to be a prophet — let the big vendors publish their next reports; their predictions are usually\r\nclose to the mark. It all depends on where the next big exploit hits, and where the defensive gaps are. That’s where\r\nthe next storm will land.\r\nSB: What TTPs will be popular among the next-gen RaaS groups?\r\nGE: Same story — only real-time analysis of fresh incidents can tell. I expect new and unexpected attack vectors\r\nto emerge soon. No wild speculation from me — let the latest breaches speak for themselves.\r\nSB: How important are platforms like XSS, Exploit, and Ramp to the ransomware economy?\r\nGE: Historically, these are the hubs where the entire shadow economy connects: reputation, escrow, services.\r\nWithout them, ransomware would never have reached industrial scale. But if they vanished tomorrow, new\r\nalternatives would pop up within weeks. Supply follows demand — always.\r\nSB: What topics beyond Conti do you believe deserve deeper investigation?\r\nGE: Why have countries like the UAE become sanctuaries for cybercriminals from the post-Soviet space? There’s\r\nplenty of solid data — but very few public investigations. How can we change that?\r\nIt’s a subject worthy of a full-length exposé.\r\nSB: Are you tracking any other groups?\r\nGE: So far, my focus has been Conti. But this is just the beginning. 
Other targets are already in sight — and I\r\npromise, the next exclusives will be just as loud.\r\nSource: https://www.shadowbanker.io/2025/05/shadow-banker-makes-glorious-return-interviews-guy-exposing-conti-command-control/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.shadowbanker.io/2025/05/shadow-banker-makes-glorious-return-interviews-guy-exposing-conti-command-control/"
	],
	"report_names": [
		"shadow-banker-makes-glorious-return-interviews-guy-exposing-conti-command-control"
	],
	"threat_actors": [
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434359,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a19afa1b0b567dc36856b519a97bfeb8bb9cc6cb.pdf",
		"text": "https://archive.orkl.eu/a19afa1b0b567dc36856b519a97bfeb8bb9cc6cb.txt",
		"img": "https://archive.orkl.eu/a19afa1b0b567dc36856b519a97bfeb8bb9cc6cb.jpg"
	}
}