{
	"id": "73db0862-9def-4545-8442-414fe2beee9a",
	"created_at": "2026-04-06T00:12:34.37999Z",
	"updated_at": "2026-04-10T03:21:54.68071Z",
	"deleted_at": null,
	"sha1_hash": "d37fe15bebd512371e77cace5ef5fe8a679cd73b",
	"title": "Conti ransomware's internal chats leaked after siding with Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2891574,
	"plain_text": "Conti ransomware's internal chats leaked after siding with Russia\r\nBy Lawrence Abrams\r\nPublished: 2022-02-28 · Archived: 2026-04-05 18:03:13 UTC\r\nA Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation\r\nafter the gang sided with Russia over the invasion of Ukraine.\r\nBleepingComputer has independently confirmed the validity of these messages from internal conversations previously\r\nshared with BleepingComputer regarding Conti's attack on Shutterfly.\r\nAdvIntel CEO Vitali Kremez, who has been tracking the Conti/TrickBot operation over the last couple of years, also\r\nconfirmed to BleepingComputer that the leaked messages are valid and were taken from a log server for the Jabber\r\ncommunication system used by the ransomware gang.\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nKremez told BleepingComputer that the data was leaked by a researcher who had access to the \"ejabberd database\" backend\r\nfor Conti's XMPP chat server. This was also confirmed by cybersecurity firm Hold Security.\r\nIn total, there are 393 leaked JSON files containing a total of 60,694 messages since January 21, 2021, through today. 
Conti\r\nlaunched their operation in July 2020, so while it contains a big chunk of their internal conversations, it is not all of them.\r\nLeaked Conti conversations\r\nThese conversations contain various information about the gang's activities, including previously unreported victims, private\r\ndata leak URLs, bitcoin addresses, and discussions about their operations.\r\nFor example, the conversation below is the Conti members wondering how BleepingComputer learned of their attack on\r\nShutterfly in December.\r\nConversations shared with BleepingComputer about Shutterfly\r\nTranslated by Google Translate\r\nKremez also shared a snippet of conversation that he found discussing how the TrickBot operation was shut down, as we\r\nreported last week.\r\nDiscussion about TrickBot closing down\r\nTranslated by Google Translate\r\nThere are also conversations about Conti/TrickBot's Diavol ransomware operation and 239 bitcoin addresses containing $13\r\nmillion in payments, which were added to the Ransomwhere site.\r\nThe leak of these messages is a severe blow to the ransomware operation, providing sensitive intelligence to researchers and\r\nlaw enforcement about their internal processes.\r\nWhile the above snippets are only a tiny piece of the leaked conversations, we can expect to see far more information\r\nlearned from the data in the coming weeks.\r\nMessages leaked over Conti's siding with Russia\r\nEarlier this week, the Conti ransomware operation published a blog post announcing their full support for the Russian\r\ngovernment's attack on Ukraine. 
They also warned that if anyone organized a cyberattack against Russia, the Conti gang\r\nwould strike back at critical infrastructure.\r\nAfter Ukrainian Conti affiliates grew upset over the siding with Russia, the Conti gang replaced their message with another\r\none, stating that they \"do not ally with any government\" and that they \"condemn the ongoing war.\"\r\nHowever, their change of heart came too late, and a Ukrainian security researcher who reportedly had access to\r\nConti's backend XMPP server emailed BleepingComputer and other journalists tonight with a link to the leaked data.\r\nThe reason shared as to why they leaked the private conversations can be read below:\r\nHere is a friendly heads-up that the Conti gang has just lost all their sh*t. Please know this is true.\r\nThe link will take you to download an 1.tgz file that can be unpacked running tar -xzvf 1.tgz command in your\r\nterminal.\r\nThe contents of the first dump contain the chat communications (current, as of today and going to the past) of the\r\nConti Ransomware gang. We promise it is very interesting.\r\nThere are more dumps coming, stay tuned.\r\nYou can help the world by writing this as your top story.\r\nIt is not malware or a joke.\r\nThis is being sent to many journalists and researchers.\r\nThank you for your support\r\nGlory to Ukraine!\r\nRussia's invasion of Ukraine has led to hackers, ransomware gangs, and security researchers picking sides in the conflict.\r\nWhile some ransomware gangs have sided with Russia, others, like LockBit, are staying neutral.\r\nOn the other hand, Ukraine has asked volunteer researchers and hackers to join their \"IT Army\" to conduct cyberattacks on\r\nRussian targets, with many rallying to the call.\r\nAs for Conti, while this leak is embarrassing and provides immense insight into their operation, we are not likely to see them\r\ngoing away any time soon. 
With their recent take over of the stealthy BazarBackdoor malware and becoming an actual crime\r\nsyndicate, they will, unfortunately, continue to be a threat.\r\nCorrection 2/28/22: This story initially stated an angry Conti affiliate who leaked the data. BleepingComputer later learned\r\nit was leaked by a Ukrainian security researcher. The article has been updated to clarify this information.\r\nSource: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/"
	],
	"report_names": [
		"conti-ransomwares-internal-chats-leaked-after-siding-with-russia"
	],
	"threat_actors": [],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d37fe15bebd512371e77cace5ef5fe8a679cd73b.pdf",
		"text": "https://archive.orkl.eu/d37fe15bebd512371e77cace5ef5fe8a679cd73b.txt",
		"img": "https://archive.orkl.eu/d37fe15bebd512371e77cace5ef5fe8a679cd73b.jpg"
	}
}