{
	"id": "2b214db6-57ff-489e-b3af-5a95705777a9",
	"created_at": "2026-04-06T00:09:28.40439Z",
	"updated_at": "2026-04-10T03:21:24.067983Z",
	"deleted_at": null,
	"sha1_hash": "d5d2baa5b61d5c26c0963e1f043c248debf7c8e3",
	"title": "Conti Ransomware Group Diaries, Part IV: Cryptocrime",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 307370,
	"plain_text": "Conti Ransomware Group Diaries, Part IV: Cryptocrime\r\nPublished: 2022-03-08 · Archived: 2026-04-05 16:27:05 UTC\r\nThree stories here last week pored over several years’ worth of internal chat records stolen from the Conti\r\nransomware group, the most profitable ransomware gang in operation today. The candid messages revealed how\r\nConti evaded law enforcement and intelligence agencies, what it was like on a typical day at the Conti office, and\r\nhow Conti secured the digital weaponry used in their attacks. This final post on the Conti conversations explores\r\ndifferent schemes that Conti pursued to invest in and steal cryptocurrencies.\r\nWhen you’re perhaps the most successful ransomware group around — Conti made $180 million last year in\r\nextortion payments, well more than any other crime group, according to Chainalysis — you tend to have a lot of\r\ndigital currency like Bitcoin.\r\nThis wealth allowed Conti to do things that regular investors couldn’t — such as moving the price of\r\ncryptocurrencies in one direction or the other. Or building a cryptocurrency platform and seeding it with loads of\r\nill-gotten crypto from phantom investors.\r\nOne Conti top manager — aptly named “Stern” because he incessantly needled Conti underlings to complete\r\ntheir assigned tasks — was obsessed with the idea of creating his own crypto scheme for cross-platform\r\nblockchain applications.\r\n“I’m addicted right now, I’m interested in trading, defi, blockchain, new projects,” Stern told “Bloodrush” on\r\nNov. 3, 2021. 
“Big companies have too many secrets that they hold on to, thinking that this is their main value,\r\nthese patents and data.”\r\nIn a discussion thread that spanned many months in Conti’s internal chat room, Stern said the plan was to create\r\ntheir own crypto universe.\r\nhttps://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iv-cryptocrime/\r\nPage 1 of 5\n\n“Like Netherium, Polkadot and Binance smart chain, etc.,” Stern wrote. “Does anyone know more about this?\r\nStudy the above systems, code, principles of work. To build our own, where it will already be possible to plug in\r\nNFT, DEFI, DEX and all the new trends that are and will be. For others to create their own coins, exchanges and\r\nprojects on our system.”\r\nIt appears that Stern has been paying multiple developers to pursue the notion of building a peer-to-peer (P2P)\r\nbased system for “smart contracts” — programs stored on a blockchain that run whenever predetermined\r\nconditions are met.\r\nIt’s unclear in what context the Conti gang was interested in smart contracts, but the idea of a ransomware\r\ngroup insisting on payments via smart contracts is not entirely new. In 2020, researchers from Athens University\r\nSchool of Information Sciences and Technology in Greece showed (PDF) how ransomware-as-a-service\r\nofferings might one day be executed through smart contracts.\r\nBefore that, Jeffrey Ladish, an information security consultant based in Oakland, Calif., penned a two-part\r\nanalysis on why smart contracts will make ransomware more profitable.\r\n“By using a smart contract, an operator can trustlessly sell their victims a decryption key for money,” Ladish\r\nwrote. “That is, a victim can send some money to a smart contract with a guarantee that they will either receive\r\nthe decryption key to their data or get their money back. 
The victim does not have to trust the person who hacked\r\ntheir computer because they can verify that the smart contract will fairly handle the exchange.”\r\nThe Conti employee “Van” appears to have taken the lead on the P2P crypto platform, which he said was being\r\ndeveloped using the Rust programming language.\r\n“I am trying to make a p2p network in Rust,” Van told “Demon” on Feb. 19, 2022 [Demon appears to be one of\r\nStern’s aliases]. “I’m sorting it out and have already started writing code.”\r\n“It’s cool you like Rust,” Demon replied. “I think it will help us with smart contracts.”\r\nStern apparently believed in his crypto dreams so much that he sponsored a $100,000 article-writing contest on the\r\nRussian-language cybercrime forum Exploit, asking interested applicants to put forth various ideas for crypto\r\nplatforms. Such contests are an easy way to buy intellectual property for ongoing projects, and they’re also\r\neffective recruiting tools for cybercriminal organizations.\r\n“Cryptocurrency article contest! [100.000$],” wrote mid-level Conti manager “Mango,” to boss Stern, copying the\r\ntitle of the post on the Exploit forum. “What the hell are you doing there…”\r\nA few days later Mango reports to Stern that he has “prepared everything for both the social network and articles\r\nfor crypto contests.”\r\nDISTRIBUTED DENIAL OF DISCORD?\r\nOn June 6, 2021, Conti underling “Begemot” pitched Stern on a scheme to rip off a bunch of people mining\r\nvirtual currencies, by launching distributed denial-of-service (DDoS) attacks against a cryptocurrency mining\r\npool.\r\n“We find young forks on exchanges (those that can be mined), analyze their infrastructure,” Begemot wrote.\r\nBegemot continues:\r\n“Where are the servers, nodes, capitalization, etc. Find a place where crypto holders communicate\r\n(discord, etc.). 
Let’s find out the IP of the node. Most likely it will be IPv6. We start ddosing. We fly\r\ninto the chat that we found earlier and write that there are problems, the crypt is not displayed,\r\noperations are not carried out (because the crypt depends on mining, there will really be problems).\r\nHolders start to get nervous and withdraw the main balance. Crypto falls in price. We buy at a low\r\nprice. We release ddos. Crypto grows again. We gain. Or a variant of a letter to the creators about the\r\npossibility of a ransom if they want the ddos to end. From the main problem points, this is the\r\nimplementation of IPv6 DDoS.”\r\nStern replies that this is an excellent idea, and asks Begemot to explain how to identify the IP address of the target.\r\nSQUID GAMES\r\nIt appears Conti was involved in “SQUID,” a new cryptocurrency which turned out to be a giant social media\r\nscam that netted the fraudsters millions of dollars. On Oct. 31, 2021, Conti member “Ghost” sent a message to his\r\ncolleagues that a big “pump” moneymaking scheme would be kicking off in 24 hours. In crypto-based pump-and-dump scams, the conspirators use misleading information to inflate the price of a currency, after which they sell it\r\nat a profit.\r\n“The big day has arrived,” Ghost wrote. “24 hours remaining until the biggest pump signal of all time! The target\r\nthis time will be around 400% gains possibly even more. We will be targeting 100 million $ volume. With the bull\r\nmarket being in full effect and volumes being high, the odds of reaching 400% profit will be very high once again.\r\nWe will do everything in our power to make sure we reach this target, if you have missed our previous big\r\nsuccessful pumps, this is also the one you will not want to miss. 
A massive pump is about to begin in only 24\r\nhours, be prepared.”\r\nGhost’s message doesn’t mention which crypto platform would be targeted by the scam. But the timing aligns\r\nwith a pump-and-dump executed against the SQUID cryptocurrency (supposedly inspired by the popular South\r\nKorean Netflix series). SQUID was first offered to investors on Oct. 20, 2021.\r\nThe now-defunct website for the cryptocurrency scam SQUID.\r\nAs Gizmodo first reported on Nov. 1, 2021, just prior to the scam, SQUID was trading at one cent, but in less\r\nthan a week its price had jumped to over $2,856.\r\nGizmodo referred to the scam as a “rug pull,” which happens when the promoter of a digital token draws in\r\nbuyers, stops trading activity and makes off with the money raised from sales. SQUID’s developers made off with\r\nan estimated $3.38 million (£2.48m).\r\n“The SQUID crypto coin was launched just last week and included plenty of red flags, including a three-week-old\r\nwebsite filled with bizarre spelling and grammatical errors,” Gizmodo’s Matt Novak wrote. “The website, hosted\r\nat SquidGame.cash, has disappeared, along with every other social media presence set up by the scammers.”\r\nSource: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iv-cryptocrime/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iv-cryptocrime/"
	],
	"report_names": [
		"conti-ransomware-group-diaries-part-iv-cryptocrime"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5d2baa5b61d5c26c0963e1f043c248debf7c8e3.pdf",
		"text": "https://archive.orkl.eu/d5d2baa5b61d5c26c0963e1f043c248debf7c8e3.txt",
		"img": "https://archive.orkl.eu/d5d2baa5b61d5c26c0963e1f043c248debf7c8e3.jpg"
	}
}